A race in mm/gup.c lets any local user write to read-only memory and rewrite setuid binaries. It sat in the kernel for nine years. Here is how the race actually works, and why "it's only local" was always a lie, especially now that everyone runs containers.
tag: #privilege-escalation
1 post