7
Copy Fail 2: Electric Boogaloo (lemmy.world)
submitted 2 weeks ago by ekZepp@lemmy.world to c/linux_gaming@lemmy.world
5 comments fedilink hide all child comments

https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo

https://afflicted.sh/blog/posts/copy-fail-2.html

the bug

MSG_SPLICE_PAGES attaches pages from a pipe directly to an skb — no copy, the skb's frags reference the pipe buffer's pages. for TCP the path sets SKBFL_SHARED_FRAG on those skbs, which downstream consumers check before mutating frag bytes. for the IPv4/IPv6 datagram append paths, the flag was never set. so a UDP skb built with MSG_SPLICE_PAGES looked, to a downstream consumer, like an ordinary uncloned nonlinear skb whose frags it could mutate freely.

the consumer in question is esp_input():

// net/ipv4/esp4.c (pre-fix) } else if (!skb_has_frag_list(skb)) { nfrags = skb_shinfo(skb)->nr_frags; nfrags++;

goto skip_cow;

}

skip_cow jumps past the skb_cow_data() call. the remaining code path runs the AEAD decrypt in place over the existing scatterlist — which, since the frags are pipe pages we still hold open in userspace, are page-cache pages of whatever file we spliced from.

the kernel writes the decrypt output into those pages. they are still mapped into our pipe. they are also still the page cache for the file. so the kernel just wrote attacker-influenced bytes into the page cache of any readable file we can splice().

the Fixes: chain spans 2017 (esp no-COW fast path for both v4 and v6) and 2023 (UDP/UDP6 MSG_SPLICE_PAGES support). every mainline kernel that has all four sits in scope

top 5 comments
sorted by: hot top controversial new old
[-] _hovi_@lemmy.world 1 points 2 weeks ago

See also https://github.com/V4bel/dirtyfrag

[-] A_Random_Idiot@lemmy.world 1 points 1 week ago* (last edited 1 week ago)

you can tell linux is getting popular, with so many exploits being announced recently lol

edit This was marginally tongue in cheek, since I know linux is the most popular OS in the world accounting for servers, which is where most exploiters would want to exploit.

[-] errer@lemmy.world 0 points 1 week ago

Is this one remotely exploitable? My understanding is the first one still required access to a non-privileged account

[-] barkingspiders@infosec.pub 2 points 1 week ago

I work in this space and have not seen any claims of remote exploitation. The attacker needs access to a generic user account on the system in order to use the exploit.

[-] idiomaddict@lemmy.world 1 points 1 week ago

Is it traceable to the account? I foresee a lot of corporate sabotage otherwise.

this post was submitted on 09 May 2026
7 points (100.0% liked)

Linux Gaming

25927 readers
93 users here now

Discussions and news about gaming on the GNU/Linux family of operating systems (including the Steam Deck). Potentially a $HOME away from home for disgruntled /r/linux_gaming denizens of the redditarian demesne.

This page can be subscribed to via RSS.

Original /r/linux_gaming pengwing by uoou.

No memes/shitposts/low-effort posts, please.

Resources

Help:

Launchers/Game Library Managers:

General:

Discord:

IRC:

Matrix:

Telegram:

founded 2 years ago
MODERATORS
monolalia@lemmy.world