
Bug 767892 (CVE-2021-3347)

Summary: kernel: local privilege escalation via futexes (CVE-2021-3347)
Product: Gentoo Security Reporter: Piotr Karbowski (RETIRED) <slashbeast>
Component: Kernel Assignee: Gentoo Kernel Security <security-kernel>
Status: RESOLVED FIXED    
Severity: normal CC: alicef, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openwall.com/lists/oss-security/2021/01/29/1
Whiteboard: A3 [stable blocked]
Package list:
Runtime testing required: ---
Bug Depends on: 768894    
Bug Blocks:    

Description Piotr Karbowski (RETIRED) gentoo-dev 2021-01-29 22:05:49 UTC
See https://www.openwall.com/lists/oss-security/2021/01/29/1
Comment 1 Arisu Tachibana Gentoo Infrastructure gentoo-dev 2021-01-30 12:16:46 UTC
This is affecting 5.10.11 as far as I can see
Comment 2 Arisu Tachibana Gentoo Infrastructure gentoo-dev 2021-01-30 12:17:23 UTC
from:
https://nvd.nist.gov/vuln/detail/CVE-2021-3347

"An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458."
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-06 14:18:43 UTC
Based on current knowledge, the complexity to exploit this is *very* high so that the highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-10 13:38:02 UTC
*** Bug 768045 has been marked as a duplicate of this bug. ***
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:13:03 UTC
Package list is empty or all packages have requested keywords.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-26 01:28:14 UTC
(In reply to Thomas Deutschmann from comment #3)
> Based on current knowledge, the complexity to exploit this is *very* high so
> that the highest threat from this vulnerability is to data confidentiality
> and integrity as well as system availability.

Isn't that all three ways a vulnerability can affect something?

Anyway, fixed kernels appear to be 4.9.257, 4.14.218, 4.19.172, 5.4.94, 5.10.12, and we've been fixed for a while