Bug#1068770: linux-image-6.1.0-18-amd64: Local privilege escalation vulnerability in kernel n_gsm driver

2024-04-10 Thread LW
Package: src:linux
Version: 6.1.76-1
Severity: critical
Tags: upstream security
Justification: root security hole
X-Debbugs-Cc: lw-deb-...@greyskydesigns.com, Debian Security Team 


Dear Maintainer,

A Reddit thread[1] linked to a GitHub page[2] with a local root escalation 
exploit.  This exploit works on the current "bookworm" stable kernel, 
6.1.0-18-amd64.

It can be worked around by blocking the n_gsm driver:

echo 'blacklist n_gsm' | sudo tee -a /etc/modprobe.d/blacklist-gsm.conf
sudo rmmod n_gsm


[1] https://old.reddit.com/r/linux/comments/1c0i7tx/someone_found_a_kernel_0day/
[2] https://github.com/YuriiCrimson/ExploitGSM/


-- Package-specific info:
** Version:
Linux version 6.1.0-18-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 
12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP 
PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01)

** Command line:
BOOT_IMAGE=/@rootfs/boot/vmlinuz-6.1.0-18-amd64 root=UUID=403bad0f-[snip] ro 
rootflags=subvol=@rootfs panic=5

** Not tainted

** Kernel log:
[2.783100] at24 0-0051: supply vcc not found, using dummy regulator
[2.784137] at24 0-0051: 256 byte spd EEPROM, read-only
[2.789726] usb 2-1.3: FTDI USB Serial Device converter now attached to 
ttyUSB1
[2.806774] ipmi_si: IPMI System Interface driver
[2.810971] usbcore: registered new interface driver usbhid
[2.811095] usbhid: USB HID core driver
[2.811363] ipmi_si dmi-ipmi-si.0: ipmi_platform: probing via SMBIOS
[2.811489] ipmi_platform: ipmi_si: SMBIOS: io 0xca8 regsize 1 spacing 1 irq 0
[2.811630] ipmi_si: Adding SMBIOS-specified kcs state machine
[2.811813] ipmi_si IPI0001:00: ipmi_platform: probing via ACPI
[2.812069] ipmi_si IPI0001:00: ipmi_platform: [io  0x0ca8] regsize 1 
spacing 4 irq 0
[2.818248] ipmi_si dmi-ipmi-si.0: Removing SMBIOS-specified kcs state 
machine in favor of ACPI
[2.818400] ipmi_si: Adding ACPI-specified kcs state machine
[2.818581] ipmi_si: Trying ACPI-specified kcs state machine at i/o address 
0xca8, slave address 0x20, irq 0
[2.825415] input: American Megatrends Inc. Virtual Keyboard and Mouse as 
/devices/pci:00/:00:1a.0/usb1/1-1/1-1.5/1-1.5.1/1-1.5.1:1.0/0003:046B:FF10.0001/input/input3
[2.832623] hid-generic 0003:046B:FF10.0001: input,hidraw0: USB HID v1.10 
Keyboard [American Megatrends Inc. Virtual Keyboard and Mouse] on 
usb-:00:1a.0-1.5.1/input0
[2.832950] input: American Megatrends Inc. Virtual Keyboard and Mouse as 
/devices/pci:00/:00:1a.0/usb1/1-1/1-1.5/1-1.5.1/1-1.5.1:1.1/0003:046B:FF10.0002/input/input4
[2.834908] hid-generic 0003:046B:FF10.0002: input,hidraw1: USB HID v1.10 
Mouse [American Megatrends Inc. Virtual Keyboard and Mouse] on 
usb-:00:1a.0-1.5.1/input1
[2.842988] ast :0a:00.0: vgaarb: deactivate vga console
[2.844608] Console: switching to colour dummy device 80x25
[2.846274] ast :0a:00.0: [drm] Using P2A bridge for configuration
[2.846281] ast :0a:00.0: [drm] AST 1100 detected
[2.846293] ast :0a:00.0: [drm] Using analog VGA
[2.846303] ast :0a:00.0: [drm] dram MCLK=204 Mhz type=0 bus_width=16
[2.850155] [drm] Initialized ast 0.1.0 20120228 for :0a:00.0 on minor 0
[2.855445] fbcon: astdrmfb (fb0) is primary device
[2.896398] ipmi_si IPI0001:00: IPMI message handler: Found new BMC (man_id: 
0x0019fd, prod_id: 0x1588, dev_id: 0x20)
[2.956975] RAPL PMU: API unit is 2^-32 Joules, 2 fixed counters, 163840 ms 
ovfl timer
[2.956979] RAPL PMU: hw unit of domain pp0-core 2^-16 Joules
[2.956980] RAPL PMU: hw unit of domain package 2^-16 Joules
[2.962273] cfg80211: Loading compiled-in X.509 certificates for regulatory 
database
[2.962515] cfg80211: Loaded X.509 cert 'b...@debian.org: 
577e021cb980e0e820821ba7b54b4961b8b4fadf'
[2.962782] cfg80211: Loaded X.509 cert 'romain.per...@gmail.com: 
3abbc6ec146e09d1b6016ab9d6cf71dd233f0328'
[2.963083] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[2.963382] cfg80211: Loaded X.509 cert 'wens: 
61c038651aabdcf94bd0ac7ff06c7248db18c600'
[2.964803] platform regulatory.0: firmware: direct-loading firmware 
regulatory.db
[2.964836] platform regulatory.0: firmware: direct-loading firmware 
regulatory.db.p7s
[2.965857] cryptd: max_cpu_qlen set to 1000
[2.968485] Console: switching to colour frame buffer device 128x48
[2.970095] ast :0a:00.0: [drm] fb0: astdrmfb frame buffer device
[2.985684] AVX version of gcm_enc/dec engaged.
[2.985759] AES CTR mode by8 optimization enabled
[3.09] ipmi_si IPI0001:00: IPMI kcs interface initialized
[3.015582] ipmi_ssif: IPMI SSIF Interface driver
[3.171484] bond1: (slave enp6s0): Enslaving as a backup interface with a 
down link
[3.190106] random: crng init done
[3.315374] bond1: (slave enp5s0): Enslaving as a backup interface with a 
down link
[3.377310] intel_rapl_common: Found RAPL domain package
[3.377890] intel_rapl_co
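
The two-line workaround in the report above (blacklist the module, then rmmod it), as an added example that is not part of the bug report, of the Debian kernel packaging, or of any Debian tool: a POSIX sh script that checks whether n_gsm is currently loaded, checks whether /etc/modprobe.d already carries a rule blocking it, writes the rule, and unloads the module. The function names, the status/apply dispatch and the file name blacklist-n_gsm.conf are my own choices; the optional second argument of each check is there so the checks can be run against constructed files instead of the live system.

```shell
#!/bin/sh
# Added example, not from the bug report: audit and apply the n_gsm workaround.
# Assumption: the caller may pass a /proc/modules-format file and a modprobe.d
# directory, so the checks also work on constructed inputs.

# Return 0 if MODULE appears in a /proc/modules-format file (default: the live one).
module_loaded() {
    mod=$1; modules_file=${2:-/proc/modules}
    grep -q "^${mod} " "$modules_file" 2>/dev/null
}

# Print which kind of rule blocks MODULE in CONF_DIR:
#   install   - "install MODULE /bin/false|true": blocks alias autoload AND explicit modprobe
#   blacklist - "blacklist MODULE": blocks alias-driven autoload only
#   none      - no rule found
block_rule_for() {
    mod=$1; conf_dir=${2:-/etc/modprobe.d}
    if grep -hsE "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(false|true)" \
            "$conf_dir"/*.conf >/dev/null 2>&1; then
        echo install
    elif grep -hsE "^[[:space:]]*blacklist[[:space:]]+${mod}([[:space:]]|\$)" \
            "$conf_dir"/*.conf >/dev/null 2>&1; then
        echo blacklist
    else
        echo none
    fi
}

# Write both rules into CONF_DIR/blacklist-MODULE.conf and print the file name.
# "install ... /bin/false" is the stronger form: it also defeats an explicit
# "modprobe MODULE", which "blacklist" alone does not.
write_block_rule() {
    mod=$1; conf_dir=${2:-/etc/modprobe.d}
    conf="$conf_dir/blacklist-${mod}.conf"
    printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod" > "$conf"
    echo "$conf"
}

# Unload MODULE if it is loaded. rmmod fails (non-zero) if the module is in use
# or is built into the kernel rather than loadable; the caller sees that status.
unload_module() {
    mod=$1
    if module_loaded "$mod"; then
        rmmod "$mod"
    fi
}

# Full workaround as run by root on the live system.
apply_workaround() {
    mod=${1:-n_gsm}
    write_block_rule "$mod" >/dev/null
    unload_module "$mod"
}

# Dispatch: "status" reports, "apply" (as root) performs the workaround.
case "${1:-}" in
    status)
        if module_loaded n_gsm; then echo "n_gsm: loaded"; else echo "n_gsm: not loaded"; fi
        echo "block rule: $(block_rule_for n_gsm)"
        ;;
    apply)
        apply_workaround n_gsm
        ;;
esac
```

Why the extra install line: a `blacklist` entry only makes modprobe ignore the module's aliases, which is what the kernel's request_module path uses when a program asks for a line discipline that is not yet registered; it does not stop a later explicit `modprobe n_gsm`. `install n_gsm /bin/false` closes that path as well. Neither rule removes a module that is already loaded, hence the rmmod step, and none of this applies if n_gsm is built into the kernel (the report's rmmod step presupposes it is a loadable module on the affected Debian kernel).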

Bug#1068770: linux-image-6.1.0-18-amd64: Local privilege escalation vulnerability in kernel n_gsm driver

2024-04-10 Thread Salvatore Bonaccorso
Control: tags -1 + confirmed pending
Control: found -1 6.1.82-1

Hi,

On Wed, Apr 10, 2024 at 12:16:21PM -0700, LW wrote:
> Package: src:linux
> Version: 6.1.76-1
> Severity: critical
> Tags: upstream security
> Justification: root security hole
> X-Debbugs-Cc: lw-deb-...@greyskydesigns.com, Debian Security Team 
> 
> 
> Dear Maintainer,
> 
> A Reddit thread[1] linked to a GitHub page[2] with a local root
> escalation exploit.  This exploit works on the current "bookworm"
> stable kernel, 6.1.0-18-amd64.
> 
> It can be worked around by blocking the n_gsm driver:
> 
> echo 'blacklist n_gsm' | sudo tee -a /etc/modprobe.d/blacklist-gsm.conf
> sudo rmmod n_gsm
> 
> 
> [1] 
> https://old.reddit.com/r/linux/comments/1c0i7tx/someone_found_a_kernel_0day/
> [2] https://github.com/YuriiCrimson/ExploitGSM/

Thanks, we are already aware of the issue.

Upstream is going to apply a mitigation for the issue:
https://lore.kernel.org/stable/2024041054-asleep-replace-96e8@gregkh/T/#m3a8ce43359ad57e447faa4db6ecf4f4c1b60c498

Regards,
Salvatore



Processed: Re: Bug#1068770: linux-image-6.1.0-18-amd64: Local privilege escalation vulnerability in kernel n_gsm driver

2024-04-10 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed pending
Bug #1068770 [src:linux] linux-image-6.1.0-18-amd64: Local privilege escalation 
vulnerability in kernel n_gsm driver
Added tag(s) pending and confirmed.
> found -1 6.1.82-1
Bug #1068770 [src:linux] linux-image-6.1.0-18-amd64: Local privilege escalation 
vulnerability in kernel n_gsm driver
Marked as found in versions linux/6.1.82-1.

-- 
1068770: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068770
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems