7 comments

[ 3.4 ms ] story [ 26.1 ms ] thread
I love how this forum talks about "hack/ing" but when privesc bugs come around, nothing.
A follow-up comment describes how it works: http://seclists.org/oss-sec/2014/q2/469
Nice. I didn't quite understand though:

> Specifically, the futex syscall can leave a queued kernel waiter hanging on the stack. By manipulating the stack with further syscalls, the waiter structure can be altered.

Is the bug that the waiter is left on the stack, or that other syscalls can alter the stack?

Allowing syscalls to alter the stack seems like a vulnerability regardless of what happens to be on the stack when it's altered.

See, this is what happens when (presumably white, male) programmers don't check their privilege.
That made my day brighter. Sorry you're getting so many downvotes for that. :(
Isn't BPF a virtual machine inside the kernel? Does this have any impact on the likelihood of exploits?
Is there any proper information on this issue? The patches do not apply cleanly against the latest stable kernel (3.14.5) and there's no indication I can find as to what version they're intended to be applied to.