In addition to Linux 7.0.6 stable, the Linux 6.18.29 LTS kernel was also released today with the sole change being this same patch from Hyunwoo Kim for resolving Dirty Frag.
Sadly not, as far as I have seen all the various pagefault vulnerabilities of this wave are in obscure modules.
Desktop kernels tend to have everything installed so even unusual software will run. Android has a lot fewer modules and builtins, and also regulates what interactions can be done, usually passing such things through system components first.
None of them so far were built into android kernels. Also most of them were not in my own custom kernel either.
This one is so generic it let’s you get around any of that very easily.
You don’t even need to interact with the filesystem, you can just change a cron script or system library and let some other process execute it. Or you can change /etc/passwd to give yourself access to a root user, which iirc is what this dirtyfrag vulnerability proof of concept did.
You can pretty much write to any file on the filesystem with one syscall (that is not a write syscall) and in a way that does not count as writing in any of the normal ways, so won’t even trigger file change events etc.
LTS is also patched.
@Redjard @cm0002 Can it be used to root android?
Sadly not, as far as I have seen all the various pagefault vulnerabilities of this wave are in obscure modules.
Desktop kernels tend to have everything installed so even unusual software will run. Android has a lot fewer modules and builtins, and also regulates what interactions can be done, usually passing such things through system components first.
None of them so far were built into android kernels. Also most of them were not in my own custom kernel either.
Even if it was built in it probably wouldn’t get full root, SELinux borks a lot of root exploits even if they privesc correctly.
This one is so generic it let’s you get around any of that very easily.
You don’t even need to interact with the filesystem, you can just change a cron script or system library and let some other process execute it. Or you can change /etc/passwd to give yourself access to a root user, which iirc is what this dirtyfrag vulnerability proof of concept did.
You can pretty much write to any file on the filesystem with one syscall (that is not a write syscall) and in a way that does not count as writing in any of the normal ways, so won’t even trigger file change events etc.