In the Linux kernel, the following vulnerability has been resolved:

rseq: Fix segfault on registration when rseq_cs is non-zero

The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs.

The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. However, some older versions of glibc will reuse the rseq area of previous threads without clearing the rseq_cs field and will also terminate the process if the rseq registration fails in a secondary thread. This wasn't caught in testing because in this case the leftover rseq_cs does point to a valid struct rseq_cs.

What we can do is clear the rseq_cs field on registration when it's non-zero which will prevent segfaults on registration and won't break the glibc versions that reuse rseq areas on thread creation.
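The user-space side of the contract the commit message describes, as an added example that is not part of the CVE text, the kernel patch or glibc: a thread that reuses an rseq area must zero rseq_cs (and reset cpu_id) before calling the rseq syscall, otherwise an unpatched kernel will dereference the stale pointer on the way back to user-space. The struct below mirrors the UAPI struct rseq layout so the file builds without linux/rseq.h; the signature value, the x86_64 fallback syscall number, and the 0xdeadbeef leftover pointer are assumptions chosen for this example.

```c
/*
 * Added example: user-space rseq registration that enforces the documented
 * precondition (rseq_cs == 0) before handing the area to the kernel.
 * Not code from the kernel patch or from glibc.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef __NR_rseq
#define __NR_rseq 334            /* x86_64 value; assumption for hosts without the define */
#endif

#define RSEQ_CPU_ID_UNINITIALIZED ((uint32_t)-1)   /* UAPI value */
#define RSEQ_FLAG_UNREGISTER      (1u << 0)        /* UAPI value */
#define RSEQ_SIG                  0x53053053u      /* signature chosen for this example */

/* Mirror of the UAPI struct rseq: 32 bytes, 32-byte aligned. */
struct rseq_area {
    uint32_t cpu_id_start;
    uint32_t cpu_id;
    uint64_t rseq_cs;      /* must be 0 at registration time */
    uint32_t flags;
    uint32_t node_id;
    uint32_t mm_cid;
} __attribute__((aligned(32)));

/* Put an area (fresh or reused from a previous thread) into the state the
 * kernel documents for registration: everything zero, cpu_id uninitialised. */
void rseq_area_init(struct rseq_area *r)
{
    memset(r, 0, sizeof *r);
    r->cpu_id = RSEQ_CPU_ID_UNINITIALIZED;
}

/* 1 if the area may be registered: correctly aligned and no leftover rseq_cs. */
int rseq_area_registrable(const struct rseq_area *r)
{
    if (((uintptr_t)r % 32) != 0)
        return 0;              /* the kernel rejects unaligned areas */
    return r->rseq_cs == 0;
}

/* Register the calling thread. Returns 0 or -errno. A stale rseq_cs is
 * refused here, before the kernel ever sees it. EBUSY means another
 * registration (typically libc's own) already owns this thread. */
int rseq_try_register(struct rseq_area *r)
{
    if (!rseq_area_registrable(r))
        return -EINVAL;
    if (syscall(__NR_rseq, r, (uint32_t)sizeof *r, 0, RSEQ_SIG) != 0)
        return -errno;
    return 0;
}

int rseq_try_unregister(struct rseq_area *r)
{
    if (syscall(__NR_rseq, r, (uint32_t)sizeof *r, RSEQ_FLAG_UNREGISTER, RSEQ_SIG) != 0)
        return -errno;
    return 0;
}

/* Replays the scenario from the commit message with a constructed leftover
 * pointer: the dirty area is refused (no syscall made), and the same area is
 * accepted once it has been re-initialised. Returns 1 on that outcome. */
int stale_area_detected(void)
{
    struct rseq_area r;
    rseq_area_init(&r);
    r.rseq_cs = 0xdeadbeefULL;          /* constructed: stale value from a previous thread */
    if (rseq_try_register(&r) != -EINVAL)
        return 0;
    rseq_area_init(&r);
    return rseq_area_registrable(&r);
}

int main(void)
{
    struct rseq_area area;
    rseq_area_init(&area);
    int rc = rseq_try_register(&area);
    if (rc == 0) {
        printf("registered: cpu_id=%u rseq_cs=%llu\n",
               area.cpu_id, (unsigned long long)area.rseq_cs);
        rseq_try_unregister(&area);
    } else if (rc == -EBUSY) {
        printf("thread already has an rseq registration (libc owns it)\n");
    } else {
        printf("rseq registration failed: %s\n", strerror(-rc));
    }
    printf("stale area handled correctly: %s\n", stale_area_detected() ? "yes" : "no");
    return 0;
}
```

On a glibc that registers rseq itself (2.35 and later) the manual registration in main returns EBUSY unless the tunable glibc.pthread.rseq=0 is set; the stale-area check does not depend on the kernel and runs either way.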
No PoCs from references.
- https://github.com/w4zu/Debian_security