Pasting from oss-security, where Andy Lutomirski said that a CVE has been requested. Fixed in 5.8.7 (presumably also fixed in latest 5.7, but why would you be running that?)
| Linux 5.7 and 5.8 have a bug in the reference counting of the struct
| page that backs the vsyscall page. The result is a refcount
| underflow. This can be triggered by any 64-bit process that is
| permitted to use ptrace() or process_vm_readv(). A creative attacker
| can probably achieve kernel code escalation by using this bug.
|
| You can prevent the issue from triggering by booting with
| vsyscall=xonly or vsyscall=none. You can also effectively hotpatch a
| kernel with suitable hardening options by running the updated test
| case noted below -- the test case will underflow the refcount past
| zero, preventing further use of the page. (A real attacker would
| carefully underflow it exactly to zero but not past.) Or you can fix
| your kernel.
|
| (No one should be using vsyscall=emulate any more unless they have a
| very specific use case that requires it. vsyscall=xonly is better in
| almost all cases. For some reason, Fedora still seems to be using
| emulate mode, though.)
|
| Fixed by:
|
| commit 9fa2dd946743ae6f30dc4830da19147bf100a7f2
| Author: Dave Hansen <dave.han...@linux.intel.com>
| Date: Thu Sep 3 13:40:28 2020 -0700
|
| mm: fix pin vs. gup mismatch with gate pages

Ken
--
I could not live without Champagne. In victory I deserve it, in defeat I need it.
 -- Churchill
--
http://lists.linuxfromscratch.org/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
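An audit helper for the mitigation the quoted post describes, added here as an example; it is not code from the lfs-dev thread, from oss-security or from the kernel tree. It classifies the vsyscall mode a running kernel exposes by reading the `[vsyscall]` entry in `/proc/<pid>/maps` (readable and executable under `vsyscall=emulate`, execute-only under `vsyscall=xonly`, absent under `vsyscall=none`) and flags kernel versions the post names as lacking the fix. The version rule is an assumption taken from the post alone: 5.8.x before 5.8.7 is treated as affected, and every 5.7.x is treated as affected because the post only presumes that 5.7 stable carries the fix. The sample maps lines are constructed.

```shell
#!/bin/sh
# Added example (not from the lfs-dev thread or the kernel tree): report
# whether a kernel's vsyscall mode leaves the refcount bug reachable.

# Constructed sample [vsyscall]/[vdso] lines as /proc/self/maps shows them.
MAPS_EMULATE='ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0   [vsyscall]'
MAPS_XONLY='ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0   [vsyscall]'
MAPS_NONE='00007ffd12340000-00007ffd12342000 r-xp 00000000 00:00 0   [vdso]'

# vsyscall_mode MAPS_TEXT -> prints emulate | xonly | none
# A readable gate page means emulate; execute-only means xonly; no gate
# page at all means vsyscall=none.
vsyscall_mode() {
    line=$(printf '%s\n' "$1" | grep '\[vsyscall\]' | head -n 1)
    if [ -z "$line" ]; then
        echo none
        return 0
    fi
    perms=$(printf '%s\n' "$line" | awk '{print $2}')
    case "$perms" in
        r*) echo emulate ;;
        *)  echo xonly ;;
    esac
}

# kernel_affected VERSION -> exit 0 when the post's fix is missing, 1 otherwise
# Assumption from the post: 5.8.0 .. 5.8.6 affected, all 5.7.x treated as
# affected; anything else is out of the post's scope and reported as OK.
kernel_affected() {
    ver=${1%%-*}                 # drop a "-generic"/"-lts" suffix
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "5.8" without a patch level
    [ "$major" = 5 ] || return 1
    case "$minor" in
        7) return 0 ;;
        8) [ "$patch" -lt 7 ] ;;
        *) return 1 ;;
    esac
}

# verdict VERSION MAPS_TEXT -> one-line assessment combining both checks
verdict() {
    mode=$(vsyscall_mode "$2")
    if kernel_affected "$1"; then
        case "$mode" in
            emulate) echo "AFFECTED: kernel $1 with vsyscall=emulate; boot with vsyscall=xonly or vsyscall=none, or update" ;;
            *)       echo "MITIGATED: kernel $1 lacks the fix but runs vsyscall=$mode; update when possible" ;;
        esac
    else
        echo "OK: kernel $1 is outside the affected range (vsyscall=$mode)"
    fi
}

# Live check of the host this script runs on (skipped where /proc is absent).
if [ -r /proc/self/maps ]; then
    verdict "$(uname -r)" "$(cat /proc/self/maps)"
fi
```

The maps-based check is the one worth running on a box you do not control the boot loader of, because it reports the mode the kernel actually applied (kernel config default plus any `vsyscall=` on the command line) rather than what `/proc/cmdline` happens to say.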