oss-sec mailing list archives

Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation


From: Reid Sutherland <reid () thirddimension net>
Date: Fri, 01 May 2026 20:25:17 -0400



On Fri, 2026-05-01 at 18:52 +0200, Justin Swartz wrote:
> On Fri, 2026-05-01 at 11:08 -0400, Reid Sutherland wrote:
>> Does anything load the vulnerable module by default or not?  If not,
>> this should be low-rated IMO.
>
> An unprivileged user requesting an AF_ALG socket will trigger the kernel
> module autoloader:
>
> $ su -l
> Password:
>
> # cat > /root/modprobe << "EOF"
> #!/bin/sh
> echo "$(date -u) modprobe $@" >> /tmp/modprobe.log
> exec /sbin/modprobe "$@"
> EOF
>
> # chmod 700 /root/modprobe
>
> # cat /proc/sys/kernel/modprobe
> /sbin/modprobe
>
> # echo "/root/modprobe" > /proc/sys/kernel/modprobe
> # cat /proc/sys/kernel/modprobe
> /root/modprobe
>
> # exit
>
> $ lsmod | grep aead | wc -l
> 0
>
> $ date -u && ./copy_fail_exp.py
> Fri 01 May 2026 16:08:24 UTC
>
> # cat /tmp/modprobe.log
> Fri May  1 16:08:24 UTC 2026 modprobe -q -- net-pf-38
> Fri May  1 16:08:24 UTC 2026 modprobe -q -- algif-aead
>
> # lsmod | grep aead
> algif_aead             16384  0
> af_alg                 36864  1 algif_aead
>
> # echo "/sbin/modprobe" > /proc/sys/kernel/modprobe
> # cat /proc/sys/kernel/modprobe
> /sbin/modprobe
>
> # exit


Why is userspace allowed to load modules in any capacity?  Why do we
need kernel modules for math?

I'm assuming any thoroughly qualified platform engineer compiles the
host kernel without module support.  At least, that needs to make a
comeback, bring back applying grsec patches and make menuconfig..

I just finished defending the kernel on LinkedIn too, in that kernel
exploit attack surface is a non-issue if you trust how it's maintained.
Massive torpedo to my reputation two days later.
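
A host-side check for the autoload path shown in the quoted session, added here as an example; it is not part of the thread or of either poster's message. The function names, the `ROOT` prefix argument and the `install <module> /bin/false` override are assumptions not taken from the page, and the check assumes algif_aead and af_alg are built as loadable modules.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the AF_ALG autoload
# path seen in the modprobe log is still open on a host.
# Module names come from the lsmod output in the thread.
MODULES="algif_aead af_alg"

# module_state MODULE [ROOT] prints loaded, blocked or unblocked.
# ROOT is a hypothetical prefix so the check can run on a constructed tree.
module_state() {
    mod=$1; root=${2:-}
    # /proc/modules lists resident modules, one per line, name first.
    if grep -q "^${mod} " "$root/proc/modules" 2>/dev/null; then
        echo loaded; return 0
    fi
    # kernel.modules_disabled=1 refuses every later load request.
    if [ "$(cat "$root/proc/sys/kernel/modules_disabled" 2>/dev/null)" = 1 ]; then
        echo blocked; return 0
    fi
    # modprobe treats '-' and '_' in module names as the same character.
    pat=$(printf '%s' "$mod" | sed 's/_/[-_]/g')
    # "install <module> /bin/false" makes modprobe run that command
    # instead of inserting the module (assumed mitigation idiom).
    for dir in etc run usr/lib lib; do
        for f in "$root/$dir/modprobe.d"/*.conf; do
            [ -f "$f" ] || continue
            if grep -Eq "^[[:space:]]*install[[:space:]]+${pat}[[:space:]]+(/usr)?/bin/(false|true)" "$f"; then
                echo blocked; return 0
            fi
        done
    done
    echo unblocked
}

# audit_af_alg [ROOT] prints one line per module; exit status 0 only
# when neither module is loaded and both are blocked.
audit_af_alg() {
    root=${1:-}; rc=0
    for mod in $MODULES; do
        state=$(module_state "$mod" "$root")
        echo "$mod: $state"
        [ "$state" = blocked ] || rc=1
    done
    return "$rc"
}
```

Source the file and call `audit_af_alg` on the live host, or pass a directory as the first argument to check a mounted image.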

