Conversation

this is a neat kernel bug I found in io_uring that is exploitable for LPE. was fun learning about and breaking another Linux kernel meme

Quote Tweet

CVE

@CVEnew

Sep 19, 2021

CVE-2021-41073 loop_rw_iter in fs/io_uring.c in the Linux kernel through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation. cve.mitre.org/cgi-bin/cvenam

163

877

Daniel Micay

@DanielMicay

Replying to

@chompie1337

I think the scariest feature exposed to unprivileged users on most distributions is being able to use iptables, nftables and tons of other network administration functionality via user namespace + network namespace. Bet you could find a lot of scary bugs in the netfilter code...

10:14 AM · Sep 21, 2021Twitter Web App

Replying to

and

Decent chance of bugs there being RCE vulnerabilities even if they're rarely ever exposed that way in practice. Especially some of the conntrack connection helpers... github.com/torvalds/linux I'm pretty sure that hand-rolled ASN1 parser is exposed remotely. Just saying...

github.com

linux/nf_conntrack_h323_asn1.c at master · torvalds/linux

Linux kernel source tree. Contribute to torvalds/linux development by creating an account on GitHub.