Linux kernel vma useafterfree via buggy vmacache_flush_all() fastpath local privilege escalation Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2018-09-26 |
Type : local |
Platform : linux
This exploit / vulnerability Linux kernel vma useafterfree via buggy vmacache_flush_all() fastpath local privilege escalation is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
Since commit 615d6e8756c8 ("mm: per-thread vma caching", first in 3.15),
Linux has per-task VMA caches that contain up to four VMA pointers for
fast lookup. VMA caches are invalidated by bumping the 32-bit per-mm
sequence number mm->vmacache_seqnum; when the sequence number wraps,
vmacache_flush_all() scans through all running tasks and wipes the
VMA caches of all tasks that share current's mm.
In commit 6b4ebc3a9078 ("mm,vmacache: optimize overflow system-wide
flushing", first in 3.16), a bogus fastpath was added that skips the
invalidation on overflow if current->mm->mm_users==1. This means that
the following sequence of events triggers a use-after-free:
[A starts as a singlethreaded process]
A: create mappings X and Y (in separate memory areas
far away from other allocations)
A: perform repeated invalidations until
current->mm->vmacache_seqnum==0xffffffff and
current->vmacache.seqnum==0xfffffffe
A: dereference an address in mapping Y that is not
paged in (thereby populating A's VMA cache with
Y at seqnum 0xffffffff)
A: unmap mapping X (thereby bumping
current->mm->vmacache_seqnum to 0)
A: without any more find_vma() calls (which could
happen e.g. via pagefaults), create a thread B
B: perform repeated invalidations until
current->mm->vmacache_seqnum==0xfffffffe
B: unmap mapping Y (thereby bumping
current->mm->vmacache_seqnum to 0xffffffff)
A: dereference an address in the freed mapping Y
(or any address that isn't present in the
pagetables and doesn't correspond to a valid
VMA cache entry)
A's VMA cache is still at sequence number 0xffffffff from before the
overflow. The sequence number has wrapped around in the meantime, back
to 0xffffffff, and A's outdated VMA cache is considered to be valid.
I am attaching the following reproduction files:
vmacache-debugging.patch: Kernel patch that adds some extra logging for
VMA cache internals.
vma_test.c: Reproducer code
dmesg: dmesg output of running the reproducer in a VM
In a Debian 9 VM, I've tested the reproducer against a 4.19.0-rc3+
kernel with vmacache-debugging.patch applied, configured with
CONFIG_DEBUG_VM_VMACACHE=y.
The source code corresponding to the warning, which is triggered because
the VMA cache references a VMA struct that has been reallocated to
another process in the meantime:
#ifdef CONFIG_DEBUG_VM_VMACACHE
if (WARN_ON_ONCE(vma->vm_mm != mm))
break;
#endif
Attaching an ugly exploit for Ubuntu 18.04, kernel linux-image-4.15.0-34-generic at version 4.15.0-34.37. It takes about an hour to run before popping a root shell. Usage: First compile with ./compile.sh, then run ./puppeteer. Example run:
user@ubuntu-18-04-vm:~/vmacache$ ./puppeteer
Do Sep 20 23:55:11 CEST 2018
puppeteer: old kmsg consumed
got map from child!
got WARNING
got RSP line: 0xffff9e0bc2263c60
got RAX line: 0xffff8c7caf1d61a0
got RDI line: 0xffff8c7c214c7380
reached WARNING part 2
got R8 line: 0xffffffffa7243680
trace consumed
offset: 0x110
fake vma pushed
suid file detected, launching rootshell...
we have root privs now...
Fr Sep 21 00:48:00 CEST 2018
root@ubuntu-18-04-vm:~/vmacache#
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45497.zip
Linux kernel vma useafterfree via buggy vmacache_flush_all() fastpath local privilege escalation