Sequoia: Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909)
> We discovered a size_t-to-int conversion vulnerability in the Linux
> kernel’s filesystem layer: by creating, mounting, and deleting a deep
> directory structure whose total path length exceeds 1GB, an unprivileged
> local attacker can write the 10-byte string “//deleted” to an offset of
> exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.
>
> We successfully exploited this uncontrolled out-of-bounds write, and
> obtained full root privileges on default installations of Ubuntu 20.04,
> Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other
> Linux distributions are certainly vulnerable, and probably exploitable.
> Our exploit requires approximately 5GB of memory and 1M inodes; we will
> publish it in the near future. A basic proof of concept (a crasher) is
> attached to this advisory.
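The arithmetic behind the "-2GB-10B" offset quoted above, as an added illustration that is not part of the advisory or of kernel code: a hypothetical model in which a buffer length held in a `size_t` is narrowed to an `int` before a 10-byte string is placed at its end, beside a hardened variant that refuses lengths that do not fit. It assumes a buffer length of exactly 2^31 bytes (the point at which the narrowed `int` becomes `INT_MIN`) and the usual two's-complement wrap of `(int)` on GCC/Clang.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (not kernel code) of a size_t-to-int conversion bug:
 * the buffer is allocated with a size_t length, but the helper that writes
 * a 10-byte string at its end receives the length as an int. */

/* Offset in bytes, relative to the buffer start, at which the 10-byte
 * string would land when the length is narrowed to int first. */
static int64_t unsafe_write_offset(size_t buflen)
{
    int len = (int)buflen;          /* 2^31 wraps to INT_MIN on GCC/Clang */
    return (int64_t)len - 10;       /* buf + len - 10: negative once len wrapped */
}

/* Hardened variant: validate the size_t before narrowing it, and fail
 * closed instead of computing an offset that cannot be represented. */
static int safe_write_offset(size_t buflen, int64_t *out)
{
    if (buflen < 10 || buflen > (size_t)INT_MAX)
        return -1;                  /* refuse: length does not fit an int */
    *out = (int64_t)buflen - 10;
    return 0;
}

int main(void)
{
    size_t two_gb = (size_t)1 << 31;   /* constructed: 2GB buffer length */
    int64_t off;

    printf("unsafe offset for 2GB buffer: %lld bytes\n",
           (long long)unsafe_write_offset(two_gb));   /* -2147483658 */
    printf("safe variant for 2GB buffer: %s\n",
           safe_write_offset(two_gb, &off) == 0 ? "accepted" : "rejected");
    return 0;
}
```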