Update README.md

chenyueqi committed May 24, 2018
1 parent d9564d1 commit 90f805f7ea8355a20a562b13b23b3408e8ff8927
Showing with 36 additions and 3 deletions.
  1. +36 −3 CVE-2016-0728/README.md
@@ -57,7 +57,7 @@ make install
Download Linux kernel:
``` bash
git clone https://github.com/torvalds/linux.git
git checkout v4.10
git checkout v4.4
```
Generate default configs:
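Review bot: the checkout target changes from v4.10 to v4.4 with no reason given in the surrounding text, and the next hunk states that the KASAN options only work for kernels after v4.10, so the two instructions read as contradicting each other. A sentence saying that v4.4 is the vulnerable tree to build, and that readers who want KASAN should instead take a newer tag and re-introduce the bug as described below, would resolve this. Checking out a tag also leaves a detached HEAD; `git checkout -b cve-2016-0728 v4.4` gives readers a named branch to work on.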
@@ -71,6 +71,8 @@ Enable some options:
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
```
Note that above two options only work for kernel after v4.10. To enable these options, I suggest to insert vulnerabilities back into kernel after v4.10.
Compile Linux kernel:
``` bash
make CC="$GCC/install/bin/gcc" -j64
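Review bot: "insert vulnerabilities back into kernel after v4.10" does not say how; naming the fix commit linked under "Vulnerability Details & Patch" (7d267278a9ece963d77eefec61630223fce08c6c) as the change to revert would make the step reproducible. Grammar in the added note: "above two options" should be "the above two options", "only work for kernel after v4.10" should be "only work for kernels after v4.10", and "I suggest to insert" should be "I suggest re-inserting".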
@@ -193,17 +195,48 @@ Trigger Vulnerability:
## PoCs
[syzkaller](https://groups.google.com/forum/#!topic/syzkaller/3twDUI4Cpm8)
[POC](https://www.exploit-db.com/exploits/39277/)
## Vulnerability Details & Patch
[linux patch](https://github.com/torvalds/linux/commit/7d267278a9ece963d77eefec61630223fce08c6c)
### Root Cause
/iclude/linux/types.h
``` c
typedef struct {
int counter;
} atomic_t;
```
/include/linux/key.h
``` c
struct key {
atomic_t usage
...
};
```
/security/keys/process_keys.c
``` c
long join_session_keyring(const char* name) {
...
keyring = find_keyring_by_name (name, false); // keyring->usage.counter++
...
else if (keyring == new->session_keyring) {
ret = 0;
goto error2; // forger to keyring->usage.counter--
}
...
error2:
abort_creds(new);
return ret;
}
```
When keyring->usage.counter is overflowed from MAX_INT to 0, keyring is used.
### Stack Trace
## References
[POC](https://www.exploit-db.com/exploits/39277/)
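Review bot: the Root Cause block has several errors that will trip readers who follow it against the source: the header path `/iclude/linux/types.h` should be `/include/linux/types.h`; `atomic_t usage` in `struct key` is missing its `;`; the comment `forger to keyring->usage.counter--` should read `forgot to keyring->usage.counter--`; `find_keyring_by_name (name, false)` has a stray space before the parenthesis; and `MAX_INT` should be `INT_MAX`, the C constant's name. The closing sentence "keyring is used" is too vague to explain the bug: it would help to say that once `usage.counter` wraps to 0 the keyring is freed while it is still referenced, i.e. a use-after-free, which is what the KASAN build above is meant to detect. The `### Stack Trace` heading is empty and should either get the KASAN report or be dropped, and the `## References` section only repeats the POC link already given under `## PoCs`.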