this post was submitted on 09 May 2026
281 points (97.0% liked)

Linux Gaming

25746 readers
286 users here now

Discussions and news about gaming on the GNU/Linux family of operating systems (including the Steam Deck). Potentially a $HOME away from home for disgruntled /r/linux_gaming denizens of the redditarian demesne.

This page can be subscribed to via RSS.

Original /r/linux_gaming pengwing by uoou.

No memes/shitposts/low-effort posts, please.

Resources

Help:

Launchers/Game Library Managers:

General:

Discord:

IRC:

Matrix:

Telegram:

founded 2 years ago
MODERATORS
monolalia@lemmy.world
281
Copy Fail 2: Electric Boogaloo (lemmy.world)
submitted 2 days ago by ekZepp@lemmy.world to c/linux_gaming@lemmy.world
9 comments fedilink hide all child comments
 

https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo

https://afflicted.sh/blog/posts/copy-fail-2.html

the bug

MSG_SPLICE_PAGES attaches pages from a pipe directly to an skb — no copy, the skb's frags reference the pipe buffer's pages. for TCP the path sets SKBFL_SHARED_FRAG on those skbs, which downstream consumers check before mutating frag bytes. for the IPv4/IPv6 datagram append paths, the flag was never set. so a UDP skb built with MSG_SPLICE_PAGES looked, to a downstream consumer, like an ordinary uncloned nonlinear skb whose frags it could mutate freely.

the consumer in question is esp_input():

// net/ipv4/esp4.c (pre-fix) } else if (!skb_has_frag_list(skb)) { nfrags = skb_shinfo(skb)->nr_frags; nfrags++;

goto skip_cow;

}

skip_cow jumps past the skb_cow_data() call. the remaining code path runs the AEAD decrypt in place over the existing scatterlist — which, since the frags are pipe pages we still hold open in userspace, are page-cache pages of whatever file we spliced from.

the kernel writes the decrypt output into those pages. they are still mapped into our pipe. they are also still the page cache for the file. so the kernel just wrote attacker-influenced bytes into the page cache of any readable file we can splice().

the Fixes: chain spans 2017 (esp no-COW fast path for both v4 and v6) and 2023 (UDP/UDP6 MSG_SPLICE_PAGES support). every mainline kernel that has all four sits in scope

you are viewing a single comment's thread
view the rest of the comments
[–] idiomaddict@lemmy.world 4 points 2 days ago (1 children)

Is it traceable to the account? I foresee a lot of corporate sabotage otherwise.

[–] barkingspiders@infosec.pub 4 points 1 day ago

A naive attacker will leave log entries and other traceable things behind but an experienced attacker who has gained root permissions can clean up behind themselves very quickly. So yes it's traceable but in practice it can be hard to find evidence.

There is a lot of concern for situations like you describe but in practice generic users have many paths to privilege escalation if they choose to try. You should either never let untrusted users have access to your systems or take special precautions anyway.

This exploit was notable for it's ease of use and that it was announced before a patch was released leaving a window of vulnerability. But OS maintainers are on top of things, my debian servers have already rebooted this morning with the mitigation. So overall not too bad as these things go.