[oss-security] lockdown bypass on mainline kernel for loading unsigned modules
John Haxby
john.haxby at oracle.com
Mon Jun 15 16:22:27 UTC 2020

Hi Jason,

> On 15 Jun 2020, at 11:26, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> Hi everyone,
>
> Yesterday, I found a lockdown bypass in Ubuntu 18.04's kernel using
> ACPI table tricks via the efi ssdt variable [1]. Today I found another
> one that's a bit easier to exploit and appears to be unpatched on
> mainline, using acpi_configfs to inject an ACPI table. The tricks are
> basically the same as the first one, but this one appears to be
> unpatched, at least on my test machine. Explanation is in the header
> of the PoC:
>
> https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh
>
> I need to get some sleep, but if nobody posts a patch in the
> meanwhile, I'll try to post a fix tomorrow.
>
> Jason
>
> [1] https://www.openwall.com/lists/oss-security/2020/06/14/1

This looks CVE-worthy. Are you going to ask for a CVE for it?

jch