Qualys discovered a size_t-to-int conversion vulnerability in the Linux kernel’s filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string “//deleted” to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer. They successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other Linux distributions are certainly vulnerable, and probably exploitable. A basic proof of concept (a crasher) is attached to this advisory.
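The arithmetic behind the -2GB-10B offset, as an added example that is not taken from the Qualys advisory or the kernel source: a simplified user-space C model of the size_t-to-int narrowing next to a bounds-checked form. The function names and the exact 2GB buffer size are assumptions made for illustration, and no memory is written.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model, constructed for illustration (not kernel code).
 * All function names here are hypothetical. */

/* The 10 bytes from the advisory: 9 characters plus the terminating NUL. */
static const char SUFFIX[] = "//deleted";

/* Unchecked pattern: a size_t buffer length is narrowed to int and then used
 * to place a cursor at the "end" of the buffer before prepending the suffix.
 * Returns the resulting write offset relative to the start of the buffer. */
long long prepend_offset_unchecked(size_t buf_size)
{
    /* Out-of-range narrowing is implementation-defined; on GCC and Clang
     * a value of 2^31 becomes INT_MIN. */
    int len = (int)buf_size;
    long long cursor = (long long)len;           /* models buf + len */
    return cursor - (long long)sizeof(SUFFIX);   /* step back to prepend */
}

/* Checked pattern: refuse any length that int cannot represent (or that is
 * too small for the suffix) before narrowing. Returns the offset, or -1. */
long long prepend_offset_checked(size_t buf_size)
{
    if (buf_size > (size_t)INT_MAX || buf_size < sizeof(SUFFIX))
        return -1;
    return (long long)buf_size - (long long)sizeof(SUFFIX);
}

int main(void)
{
    size_t two_gb = (size_t)1 << 31;   /* assumed buffer size: 2GB */

    printf("suffix bytes        : %zu\n", sizeof(SUFFIX));
    printf("unchecked, 2GB      : %lld\n", prepend_offset_unchecked(two_gb));
    printf("checked,   2GB      : %lld\n", prepend_offset_checked(two_gb));
    printf("checked,   4096     : %lld\n", prepend_offset_checked(4096));
    return 0;
}
```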
