diff options
| author | Christian Breunig <christian@breunig.cc> | 2026-05-14 13:34:49 +0200 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2026-05-14 13:39:02 +0200 |
| commit | d2d23bb8cafb209fc4459adaf43748e304b84392 (patch) | |
| tree | 75b66a3c57c295d81b00c9fc6a8be8b5d38c64ae /scripts/package-build/linux-kernel/config | |
| parent | f67f546520b4514b3bd9485ae48a70f88cb413f1 (diff) | |
| download | vyos-build-d2d23bb8cafb209fc4459adaf43748e304b84392.tar.gz vyos-build-d2d23bb8cafb209fc4459adaf43748e304b84392.zip | |
Kernel: T8864: add patch for "fragnesia" local privilege escalation
Fragnesia is a universal Linux local privilege escalation exploit, discovered
with V12 by William Bowling with the V12 team. Fragnesia is a member of the
Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from
dirtyfrag which has received its own patch. However, it is in the same surface
and the mitigation is the same as for dirtyfrag.
It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve
arbitrary byte writes into the kernel page cache of read-only files, without
requiring any race condition.
The technique extends the page-cache write bug class that includes Dirty Pipe:
when a TCP socket transitions to espintcp ULP mode after data has already been
spliced from a file into the receive queue, the kernel processes the queued
file pages as ESP ciphertext. The AES-GCM keystream byte at counter block
position 2, byte 0 is XORed directly into the cached file page. By selecting
the IV nonce to produce a desired keystream byte, any target byte in the file
can be set to any value — one byte per trigger invocation.
From: https://github.com/v12-security/pocs/blob/532994fc003a7/fragnesia/README.md
Diffstat (limited to 'scripts/package-build/linux-kernel/config')
0 files changed, 0 insertions, 0 deletions
