From: John Haxby <john.haxby@oracle.com>
To: oss-security@lists.openwall.com, "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: linux-security-module@vger.kernel.org,
linux-acpi@vger.kernel.org, Matthew Garrett <mjg59@srcf.ucam.org>,
kernel-hardening@lists.openwall.com,
Ubuntu Kernel Team <kernel-team@lists.ubuntu.com>
Subject: Re: [oss-security] lockdown bypass on mainline kernel for loading unsigned modules
Date: Mon, 15 Jun 2020 17:22:27 +0100 [thread overview]
Message-ID: <206DB19C-0117-4F4B-AFF7-212E40CB8C75@oracle.com> (raw)
In-Reply-To: <CAHmME9rmAznrAmEQTOaLeMM82iMFTfCNfpxDGXw4CJjuVEF_gQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 918 bytes --]
Hi Jason,
> On 15 Jun 2020, at 11:26, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> Hi everyone,
>
> Yesterday, I found a lockdown bypass in Ubuntu 18.04's kernel using
> ACPI table tricks via the efi ssdt variable [1]. Today I found another
> one that's a bit easier to exploit and appears to be unpatched on
> mainline, using acpi_configfs to inject an ACPI table. The tricks are
> basically the same as the first one, but this one appears to be
> unpatched, at least on my test machine. Explanation is in the header
> of the PoC:
>
> https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
>
> I need to get some sleep, but if nobody posts a patch in the
> meanwhile, I'll try to post a fix tomorrow.
>
> Jason
>
> [1] https://www.openwall.com/lists/oss-security/2020/06/14/1
This looks CVE-worthy. Are you going to ask for a CVE for it?
jch
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 268 bytes --]
next prev parent reply other threads:[~2020-06-15 16:23 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-15 10:26 lockdown bypass on mainline kernel for loading unsigned modules Jason A. Donenfeld
2020-06-15 16:22 ` John Haxby [this message]
2020-06-15 17:02 ` [oss-security] " Jann Horn
2020-06-15 17:28 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=206DB19C-0117-4F4B-AFF7-212E40CB8C75@oracle.com \
--to=john.haxby@oracle.com \
--cc=Jason@zx2c4.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kernel-team@lists.ubuntu.com \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=oss-security@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).