Perception Point discloses
a use-after-free vulnerability in the kernel's keyring subsystem; it is
exploitable for local privilege escalation. "If a process causes the
kernel to leak 0x100000000 references to the same object, it can later
cause the kernel to think the object is no longer referenced and
consequently free the object. If the same process holds another legitimate
reference and uses it after the kernel freed the object, it will cause the
kernel to reference deallocated, or reallocated, memory. This way, we can
achieve a use-after-free, by using the exact same bug from before. A lot
has been written on use-after-free vulnerability exploitation in the
kernel, so the following steps wouldn’t surprise an experienced
vulnerability researcher." This bug, introduced in 3.8, looks like
a good one to patch
quickly; of course, for vast numbers of users of mobile and embedded
systems, that may not be an option.
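To make the arithmetic in the quoted passage concrete, here is an added example (not Perception Point's code and not kernel code) modelling a 32-bit reference count that wraps back to its starting value after 0x100000000 leaked references, beside a saturating variant of the kind the kernel later adopted in refcount_t; the object type, the watermark value and the function names are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model for this example, not kernel code: an object whose
 * lifetime is governed by a plain 32-bit reference count. */
typedef struct {
    uint32_t refs;   /* wraps back to the same value after 0x100000000 increments */
    bool     freed;  /* set when the count hits zero (the kernel would kfree() here) */
} object_t;

/* Hardened variant: a count at or above this watermark is pinned and never
 * decremented again, so the object leaks instead of being freed early. */
#define REFCOUNT_SATURATED 0xC0000000u

/* The bug: a path that takes n references and never drops them.  n single
 * increments are modelled as one addition so the 2^32 case runs instantly;
 * the resulting uint32_t value is the same as after n increments. */
static void leak_refs(object_t *o, uint64_t n, bool hardened)
{
    uint64_t sum = (uint64_t)o->refs + n;
    if (hardened && sum >= REFCOUNT_SATURATED)
        o->refs = REFCOUNT_SATURATED;      /* pin rather than wrap */
    else
        o->refs = (uint32_t)sum;           /* naive: silently truncates */
}

static void put_ref(object_t *o, bool hardened)
{
    if (hardened && o->refs >= REFCOUNT_SATURATED)
        return;                            /* pinned objects are never released */
    if (--o->refs == 0)
        o->freed = true;
}

/* Scenario from the disclosure: the process holds one legitimate reference,
 * `leaked` more are leaked, then it drops the legitimate one.  Returns true
 * if the object was freed while that legitimate reference is still held. */
bool freed_under_live_reference(uint64_t leaked, bool hardened)
{
    object_t o = { .refs = 1, .freed = false };
    leak_refs(&o, leaked, hardened);
    put_ref(&o, hardened);
    return o.freed;
}
```

With the naive counter, 0x100000000 leaked references leave the count at 1 again and the holder's own put frees the object under its live pointer; the saturating counter pins the object instead, trading a memory leak for the absence of a use-after-free.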