Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 767892 (CVE-2021-3347) - kernel: local privilege escalation via futexes (CVE-2021-3347)
Summary: kernel: local privilege escalation via futexes (CVE-2021-3347)
Status: RESOLVED FIXED
Alias: CVE-2021-3347
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Kernel Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A3 [stable blocked]
Keywords:
: 768045 (view as bug list)
Depends on: CVE-2021-26708
Blocks:
  Show dependency tree
 
Reported: 2021-01-29 22:05 UTC by Piotr Karbowski
Modified: 2022-03-26 01:28 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Piotr Karbowski archtester Gentoo Infrastructure gentoo-dev Security 2021-01-29 22:05:49 UTC
See https://www.openwall.com/lists/oss-security/2021/01/29/1
Comment 1 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2021-01-30 12:16:46 UTC
This is affecting 5.10.11 as far as I can see
Comment 2 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2021-01-30 12:17:23 UTC
from:
https://nvd.nist.gov/vuln/detail/CVE-2021-3347

"An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458."
Comment 3 Thomas Deutschmann gentoo-dev 2021-02-06 14:18:43 UTC
Based on current knowledge, the complexity to exploit this is *very* high so thatt he highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Comment 4 Thomas Deutschmann gentoo-dev 2021-02-10 13:38:02 UTC
*** Bug 768045 has been marked as a duplicate of this bug. ***
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:24:19 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:32:47 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:40:40 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:48:50 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:04:46 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:13:03 UTC
Package list is empty or all packages have requested keywords.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-26 01:28:14 UTC
(In reply to Thomas Deutschmann from comment #3)
> Based on current knowledge, the complexity to exploit this is *very* high so
> thatt he highest threat from this vulnerability is to data confidentiality
> and integrity as well as system availability.

Isn't that all three ways a vulnerability can affect something?

Anyway, fixed kernels appear to be 4.9.257, 4.14.218, 4.19.172, 5.4.94, 5.10.12, and we've been fixed for a while