Conversation

Andrey Konovalov

@andreyknvl

·

Feb 26, 2017

Proof-of-Concept local root exploit for the double-free in Linux kernel DCCP implementation (CVE-2017-6074): https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074…

3

251

255

Vitaly Nikolenko

@vnik5287

·

Feb 26, 2017

Replying to

@andreyknvl

why do you need to run inside a namespace? haven't tried it yet but can't you create dccp sockets as a non-privileged user?

@andreyknvl

1

Andrey Konovalov

@andreyknvl

·

Feb 26, 2017

Replying to

@vnik5287

You can, so namespace support is not technically required to exploit the bug, but it made things easier for two reasons:

@vnik5287

1

1

3

Andrey Konovalov

@andreyknvl

·

Feb 26, 2017

Replying to

@andreyknvl

1: need CAP_SYS_NICE to sched_setaffinity (percpu freelists) and 2: need CAT_NET_RAW to create AF_PACKET sockets (SM*P bypass)

@vnik5287

1

2

3

Andrey Konovalov

@andreyknvl

Replying to

@andreyknvl

Though looking at the code now it seems you only need CAP_SYS_NICE to set affinity of another process

@vnik5287

http://lxr.free-electrons.com/source/kernel/sched/core.c#L4686…

11:07 AM · Feb 26, 2017·Twitter Web Client

Vitaly Nikolenko

@vnik5287

·

Feb 26, 2017

Replying to

@andreyknvl

yeah, you don't need it for setting affinity on the "current" process. But still need it for the second case