PinTheft Linux LPE

[Sam James <sam () gentoo org>]

v12-security have shared a new Linux LPE today, PinTheft [0].

Quoting their abstract:
> PinTheft is a Linux local privilege escalation exploit for an RDS
> zerocopy double-free that can be turned into a page-cache overwrite
> through io_uring fixed buffers.
>
> PinTheft was discovered with V12 by Aaron Esau of the V12 security
> team. We duped on this bug with some other teams and a patch is
> available so we are releasing our PoC.
>
> The bug lived in the RDS zerocopy send
> path. rds_message_zcopy_from_user() pins user pages one at a time. If
> a later page faults, the error path drops the pages it already pinned,
> and later RDS message cleanup drops them again because the scatterlist
> entries and entry count remain live after the zcopy notifier is
> cleared. Each failed zerocopy send can steal one reference from the first page.
>
> The PoC uses io_uring to make that refcount bug useful. It registers
> an anonymous page as a fixed buffer, giving the page a FOLL_PIN bias
> of 1024 references. It then steals those references with failing RDS
> zerocopy sends, frees the page, reclaims it as page cache for a
> SUID-root binary, and uses the stale io_uring fixed-buffer page
> pointer to overwrite that page cache with a small ELF
> payload. Executing the SUID binary drops into a root shell.
>
> Sadly, the RDS kernel module this requires is only default on Arch
> Linux among the common distributions we tested.

The referenced kernel module is CONFIG_RDS + CONFIG_RDS_TCP. I attached
their PoC too.

[0] https://github.com/v12-security/pocs/tree/09e835b587bf71249775654061ae4c79e92cf430/pintheft

thanks,
sam

Attachment: poc.c
Description:

Attachment: signature.asc
Description: