Copy Fail 2: Electric Boogaloo (github.com)
34 points by larusso 10 hours ago | 12 comments
alecco 3 hours ago

People are blaming the wrong guy for breaking the embargo but via this blog post [1]:

> on 2026-05-05 Steffen Klassert pushed f4c50a4034 to netdev/net.git with Cc: stable@vger.kernel.org.

Once the fix is out it's usual for researchers to race to make the first exploit out of it.

[1] https://afflicted.sh/blog/posts/copy-fail-2.html

cassianoleal 5 hours ago

How is this different from Dirty Frag [0]?

It seems to use the same vector.

[0] https://github.com/V4bel/dirtyfrag

auscompgeek 29 minutes ago

From what I can gather it is the exact same vulnerability.

cpach 4 hours ago

Does anyone know how to mitigate this one? Is it sufficient to disable the esp4/esp6/rxrpc modules?

Mindless2112 9 hours ago

How much pain must there be until people realize we actually do need memory safety?

delamon 8 hours ago

How would memory safety have helped here?

Mindless2112 8 hours ago

In CHERI, for example, pointers have permissions. The pointer to the COW memory would not have the "write" permission.

I could be misunderstanding the bug, of course.

delamon 8 hours ago

If you "forget" to mark the COW memory pointer as no-write, the net effect would be the same, would it not? If I'm reading the diff correctly, the problem was that the code failed to mark some pages as shared (aka no-write).

Mindless2112 7 hours ago

A fair point...

I thought the bug was a missing check for the COW flag, but looking at it again it seems it was missing both setting and checking the flag.

delamon 7 hours ago

Apparently it is both...

nonamesleft 8 hours ago

sysctl kernel.unprivileged_userns_clone=1 keeps on giving.

sickthecat 7 hours ago

Yes. Giving me a massive... Well.. Dopamine rush.