summaryrefslogtreecommitdiff
path: root/scripts/package-build/linux-kernel/config
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2026-05-14 13:34:49 +0200
committerChristian Breunig <christian@breunig.cc>2026-05-14 13:39:02 +0200
commitd2d23bb8cafb209fc4459adaf43748e304b84392 (patch)
tree75b66a3c57c295d81b00c9fc6a8be8b5d38c64ae /scripts/package-build/linux-kernel/config
parentf67f546520b4514b3bd9485ae48a70f88cb413f1 (diff)
downloadvyos-build-d2d23bb8cafb209fc4459adaf43748e304b84392.tar.gz
vyos-build-d2d23bb8cafb209fc4459adaf43748e304b84392.zip
Kernel: T8864: add patch for "fragnesia" local privilege escalation
Fragnesia is a universal Linux local privilege escalation exploit, discovered with V12 by William Bowling with the V12 team. Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag. It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition. The technique extends the page-cache write bug class that includes Dirty Pipe: when a TCP socket transitions to espintcp ULP mode after data has already been spliced from a file into the receive queue, the kernel processes the queued file pages as ESP ciphertext. The AES-GCM keystream byte at counter block position 2, byte 0 is XORed directly into the cached file page. By selecting the IV nonce to produce a desired keystream byte, any target byte in the file can be set to any value — one byte per trigger invocation. From: https://github.com/v12-security/pocs/blob/532994fc003a7/fragnesia/README.md
Diffstat (limited to 'scripts/package-build/linux-kernel/config')
0 files changed, 0 insertions, 0 deletions