[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [oss-security] [ Linux kernel ] Exploitable bugs in drivers/media/platform/vivid



Hi,

On Sat, Nov 02, 2019 at 10:27:27PM +0300, Alexander Popov wrote:
> Hello!
> 
> I used the syzkaller fuzzer with custom modifications and found a bunch of
> 5-year old bugs in the Linux kernel. I managed to exploit one of them for a
> local privilege escalation.
> 
> These vulnerabilities are caused by wrong mutex locking in the vivid driver of
> the V4L2 subsystem. Please see the fixing patch that I've just sent to LKML:
> https://lore.kernel.org/lkml/20191102190327.24903-1-alex.popov AT linux.com/
> 
> The vivid driver doesn't require any special hardware. It is shipped in Ubuntu,
> Debian, Arch Linux, SUSE Linux Enterprise and openSUSE.
> 
> On Ubuntu the devices created by this driver are available to the normal user,
> since Ubuntu applies RW ACL when the user is logged in:
>   a13x@ubuntu_server_1804:~$ getfacl /dev/video0
>   getfacl: Removing leading '/' from absolute path names
>   # file: dev/video0
>   # owner: root
>   # group: video
>   user::rw-
>   user:a13x:rw-
>   group::rw-
>   mask::rw-
>   other::---
> 
> (Un)fortunately, I don't know how to autoload the vulnerable driver, which
> limits the severity of these vulnerabilities. That's why the Linux kernel
> security team allows me to do the full disclosure.
> 
> But there is an interesting aspect -- my PoC exploit bypasses SMEP and SMAP on
> the fresh Ubuntu Server 18.04. Moreover, it gains the local privilege escalation
> from the kthread context (where the userspace is not mapped). I'm going to share
> the details about the exploit techniques later.
> 
> For now I would recommend to blacklist the vivid kernel module on your machines.

CVE-2019-18683 was assigned for this issue.

Regards,
Salvatore