Note that my previous analysis of YuriiCrimson's exploits was of their
ExploitGSM_6_5 version.
I cannot make the ExploitGSM_5_15_to_6_1 version work in the latest
kernel in my test environment. However, this does not rule out the
possibility that it still works.

The splash from the ExploitGSM_6_5 exploit is attached to this email.

Thanks,
Kyle Zeng

On Thu, Apr 11, 2024 at 12:25 PM Kyle Zeng <[email protected]> wrote:
>
> Hi there,
>
> I just did some preliminary analysis on this.
> There are in fact three exploits involved in this.
> CVE-2023-6546: https://github.com/Nassim-Asrir/ZDI-24-020/
> jmpe4x's GSM exploit:
> https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit
> YuriiCrimson's GSM exploit: https://github.com/YuriiCrimson/ExploitGSM
>
> I tested all of them. All of them targeted the same subsystem (GSM),
> used the same KASLR leak method ("/sys/kernel/notes"). But there are
> two vulnerabilities involved here.
> In short, jmpe4x's and YuriiCrimson's exploits are the same, but the
> vulnerability is not CVE-2023-6546.
> !!!!!!!!!!!!
> It is a 0day that is not patched in the main tree yet.
> Not a patch gap.
> !!!!!!!!!!!!
>
> My analysis is performed on the latest commit of Linus's tree:
> ```
> commit e8c39d0f57f358950356a8e44ee5159f57f86ec5 (HEAD -> master,
> origin/master, origin/HEAD)
> Merge: 03a55b63919 325f3fb551f
> Author: Linus Torvalds <[email protected]>
> Date:   Wed Apr 10 19:48:05 2024 -0700
> ```
>
> And jmpe4x's and YuriiCrimson's are exactly the same. The difference
> is mostly spaces. The diff is attached to this email.
>
> Thanks,
> Kyle Zeng
>
>
> On Thu, Apr 11, 2024 at 8:07 AM Dr. Christopher Kunz
> <[email protected]> wrote:
> >
> > Hi,
> >
> > > There are two exploits in Yurii's repo above, according to Yurii for two
> > > different bugs.  The above is one of them.  Perhaps also try the other?
> > The two exploit versions are for different kernels. The 6.5 exploit
> > doesn't compile on the Debian 12 6.1 kernel, and no Debian version
> > currently distributes a 6.5 kernel, AFAICT. I used
> > ExploitGSM_5_15_to_6_1/ExploitGSM and it worked.
> > > I don't know, and apparently it'd need to be two CVEs for two bugs that
> > > Yurii exploits.
> > Possibly. I'm definitely out of my depth trying to analyze which bugs
> > are being exploited.
> > > CVE-2023-52564: Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
> > > https://lists.openwall.net/linux-cve-announce/2024/03/02/54
> > >
> > > Maybe CVE-2023-52564 is one of the bugs Yurii exploits, or maybe not.
> > > I didn't look into this closely enough to tell.
> >
> > Apparently not. Debian 12 "Bookworm" currently runs this kernel:
> >
> > Linux debianexploitgsm 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian
> > 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
> >
> > According to the changelog, this kernel has the fix for CVE-2023-52564
> > included:
> >      - Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
> > (from
> > https://metadata.ftp-master.debian.org/changelogs//main/l/linux-signed-amd64/linux-signed-amd64_6.1.76+1_changelog)
> >
> > Still, the exploit works, so it must exploit a different issue.
> >
> > Just my two cents,
> >
> > --cku
> >
[   19.494208] ==================================================================
[   19.494876] BUG: KASAN: slab-use-after-free in gsm_dlci_config+0xf8e/0x1030
[   19.495509] Read of size 4 at addr ffff88800be3800c by task ExploitGSM/215
[   19.496102] 
[   19.496253] CPU: 3 PID: 215 Comm: ExploitGSM Not tainted 6.9.0-rc3+ #76
[   19.496785] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   19.497228] Call Trace:
[   19.497367]  <TASK>
[   19.497483]  dump_stack_lvl+0x1ab/0x260
[   19.497702]  print_report+0xce/0x610
[   19.497898]  ? gsm_dlci_config+0xf8e/0x1030
[   19.498124]  ? kasan_complete_mode_report_info+0x7c/0x200
[   19.498407]  ? gsm_dlci_config+0xf8e/0x1030
[   19.498636]  kasan_report+0xb9/0xf0
[   19.498826]  ? gsm_dlci_config+0xf8e/0x1030
[   19.499050]  __asan_report_load4_noabort+0x14/0x20
[   19.499312]  gsm_dlci_config+0xf8e/0x1030
[   19.499533]  ? __pfx_gsm_dlci_config+0x10/0x10
[   19.499771]  ? __pfx_autoremove_wake_function+0x10/0x10
[   19.500050]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   19.500334]  gsmld_ioctl+0x102f/0x1740
[   19.500537]  ? __pfx_gsmld_ioctl+0x10/0x10
[   19.500756]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   19.501034]  ? ldsem_down_read+0xc1/0x6f0
[   19.501251]  ? __sanitizer_cov_trace_switch+0x54/0xa0
[   19.501513]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   19.501798]  ? __sanitizer_cov_trace_switch+0x54/0xa0
[   19.502061]  tty_ioctl+0x7a2/0x1620
[   19.502249]  ? __pfx_gsmld_ioctl+0x10/0x10
[   19.502468]  ? __pfx_tty_ioctl+0x10/0x10
[   19.502676]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   19.502930]  ? fpregs_assert_state_consistent+0x8b/0xf0
[   19.503200]  ? syscall_exit_to_user_mode+0x93/0x1f0
[   19.503456]  ? do_syscall_64+0x87/0x120
[   19.503660]  ? __fget_light+0x198/0x560
[   19.503866]  ? security_file_ioctl+0x99/0xc0
[   19.504095]  ? __pfx_tty_ioctl+0x10/0x10
[   19.504306]  __x64_sys_ioctl+0x1b4/0x230
[   19.504510]  x64_sys_call+0x1206/0x20b0
[   19.504710]  do_syscall_64+0x7b/0x120
[   19.504898]  ? __kasan_check_write+0x14/0x20
[   19.505118]  ? _raw_spin_lock_irq+0xb0/0x160
[   19.505355]  ? __kasan_check_write+0x14/0x20
[   19.505587]  ? recalc_sigpending+0x1ac/0x250
[   19.505825]  ? __set_task_blocked+0xaf/0x220
[   19.506049]  ? _raw_spin_unlock_irq+0x3a/0xa0
[   19.506819]  ? sigprocmask+0x10e/0x390
[   19.507265]  ? __pfx_sigprocmask+0x10/0x10
[   19.507566]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   19.507940]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   19.508296]  ? __x64_sys_rt_sigprocmask+0x224/0x2f0
[   19.508618]  ? __pfx___x64_sys_rt_sigprocmask+0x10/0x10
[   19.508971]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   19.509309]  ? fpregs_assert_state_consistent+0x8b/0xf0
[   19.509671]  ? syscall_exit_to_user_mode+0x93/0x1f0
[   19.509998]  ? do_syscall_64+0x87/0x120
[   19.510274]  ? clear_bhb_loop+0x15/0x70
[   19.510542]  ? clear_bhb_loop+0x15/0x70
[   19.510804]  ? clear_bhb_loop+0x15/0x70
[   19.511060]  ? clear_bhb_loop+0x15/0x70
[   19.511333]  ? clear_bhb_loop+0x15/0x70
[   19.511587]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   19.511910] RIP: 0033:0x45729f
[   19.512129] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
[   19.513192] RSP: 002b:00007f1715600150 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   19.513611] RAX: ffffffffffffffda RBX: 00007f1715600640 RCX: 000000000045729f
[   19.514008] RDX: 00007ffec2d9523c RSI: 0000000040384708 RDI: 0000000000000006
[   19.514401] RBP: 00007f17156001d0 R08: 0000000000000000 R09: 00007ffec2d94e5f
[   19.514776] R10: 0000000000000008 R11: 0000000000000246 R12: 00007f1715600640
[   19.515170] R13: 0000000000000016 R14: 000000000041e0c0 R15: 00007f1714e00000
[   19.515566]  </TASK>
[   19.515698] 
[   19.515796] Allocated by task 214:
[   19.515990]  kasan_save_stack+0x28/0x50
[   19.516207]  kasan_save_track+0x14/0x40
[   19.516427]  kasan_save_alloc_info+0x38/0x50
[   19.516672]  __kasan_kmalloc+0xb1/0xc0
[   19.516890]  kmalloc_trace+0x180/0x3b0
[   19.517100]  gsm_dlci_alloc+0x50/0x810
[   19.517321]  gsmld_ioctl+0x1404/0x1740
[   19.517540]  tty_ioctl+0x7a2/0x1620
[   19.518068]  __x64_sys_ioctl+0x1b4/0x230
[   19.518349]  x64_sys_call+0x1206/0x20b0
[   19.518609]  do_syscall_64+0x7b/0x120
[   19.518859]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   19.519194] 
[   19.519302] Freed by task 211:
[   19.519516]  kasan_save_stack+0x28/0x50
[   19.519789]  kasan_save_track+0x14/0x40
[   19.520046]  kasan_save_free_info+0x3b/0x60
[   19.520276]  poison_slab_object+0x10e/0x190
[   19.520513]  __kasan_slab_free+0x34/0x60
[   19.520734]  kfree+0xfa/0x2e0
[   19.520909]  gsm_dlci_free+0x11d/0x170
[   19.521130]  tty_port_put+0x172/0x1e0
[   19.521340]  gsm_cleanup_mux+0x33a/0x860
[   19.521562]  gsmld_ioctl+0x558/0x1740
[   19.521802]  tty_ioctl+0x7a2/0x1620
[   19.522007]  __x64_sys_ioctl+0x1b4/0x230
[   19.522240]  x64_sys_call+0x1206/0x20b0
[   19.522458]  do_syscall_64+0x7b/0x120
[   19.522660]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   19.522942] 
[   19.523031] The buggy address belongs to the object at ffff88800be38000
[   19.523031]  which belongs to the cache kmalloc-1k of size 1024
[   19.523702] The buggy address is located 12 bytes inside of
[   19.523702]  freed 1024-byte region [ffff88800be38000, ffff88800be38400)
[   19.524385] 
[   19.524473] The buggy address belongs to the physical page:
[   19.524780] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbe38
[   19.525221] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   19.525614] flags: 0xfffffe0000840(slab|head|node=0|zone=1|lastcpupid=0x3fffff)
[   19.526038] page_type: 0xffffffff()
[   19.526244] raw: 000fffffe0000840 ffff888001042dc0 dead000000000122 0000000000000000
[   19.526661] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[   19.527087] head: 000fffffe0000840 ffff888001042dc0 dead000000000122 0000000000000000
[   19.527512] head: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[   19.527910] head: 000fffffe0000003 ffffea00002f8e01 ffffea00002f8e48 00000000ffffffff
[   19.528341] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[   19.528939] page dumped because: kasan: bad access detected
[   19.529409] 
[   19.529509] Memory state around the buggy address:
[   19.529840]  ffff88800be37f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   19.530310]  ffff88800be37f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   19.530774] >ffff88800be38000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.531214]                       ^
[   19.531436]  ffff88800be38080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.531890]  ffff88800be38100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.532324] ==================================================================
[   19.532796] Disabling lock debugging due to kernel taint
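The attached splash carries the three facts a triager needs before reading any code: which function performed the bad access, where the object was allocated, and where it was freed. The following added example (editor's illustration, not code from any of the exploit repositories or from the kernel) parses a KASAN report into those fields and derives a few triage hints from them. The embedded input is a trimmed copy of the report above; the noise-frame prefix list and the field names are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Trimmed copy of the KASAN report attached to the email, embedded so the
# parser runs offline. Frames prefixed with "? " are kept to show they are skipped.
SAMPLE_REPORT = """\
[   19.494876] BUG: KASAN: slab-use-after-free in gsm_dlci_config+0xf8e/0x1030
[   19.495509] Read of size 4 at addr ffff88800be3800c by task ExploitGSM/215
[   19.496253] CPU: 3 PID: 215 Comm: ExploitGSM Not tainted 6.9.0-rc3+ #76
[   19.497228] Call Trace:
[   19.497367]  <TASK>
[   19.497483]  dump_stack_lvl+0x1ab/0x260
[   19.497702]  print_report+0xce/0x610
[   19.497898]  ? gsm_dlci_config+0xf8e/0x1030
[   19.498636]  kasan_report+0xb9/0xf0
[   19.499312]  gsm_dlci_config+0xf8e/0x1030
[   19.500334]  gsmld_ioctl+0x102f/0x1740
[   19.502061]  tty_ioctl+0x7a2/0x1620
[   19.515566]  </TASK>
[   19.515698] 
[   19.515796] Allocated by task 214:
[   19.515990]  kasan_save_stack+0x28/0x50
[   19.516672]  __kasan_kmalloc+0xb1/0xc0
[   19.516890]  kmalloc_trace+0x180/0x3b0
[   19.517100]  gsm_dlci_alloc+0x50/0x810
[   19.517321]  gsmld_ioctl+0x1404/0x1740
[   19.519194] 
[   19.519302] Freed by task 211:
[   19.519516]  kasan_save_stack+0x28/0x50
[   19.520513]  __kasan_slab_free+0x34/0x60
[   19.520734]  kfree+0xfa/0x2e0
[   19.520909]  gsm_dlci_free+0x11d/0x170
[   19.521130]  tty_port_put+0x172/0x1e0
[   19.521340]  gsm_cleanup_mux+0x33a/0x860
[   19.521562]  gsmld_ioctl+0x558/0x1740
[   19.522942] 
[   19.523031] The buggy address belongs to the object at ffff88800be38000
[   19.523031]  which belongs to the cache kmalloc-1k of size 1024
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                      # dmesg timestamp prefix
BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
ALLOC = re.compile(r"Allocated by task (\d+):")
FREED = re.compile(r"Freed by task (\d+):")
OBJ = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"which belongs to the cache (\S+) of size (\d+)")

# Bookkeeping frames from KASAN and the allocator; the first frame after these
# is the subsystem code an analyst actually wants to look at (assumed list).
NOISE_PREFIXES = ("kasan_", "__kasan_", "__asan_", "poison_slab", "kmalloc",
                  "kfree", "dump_stack", "print_report")


@dataclass
class KasanReport:
    bug_type: str = ""
    crash_func: str = ""
    access: str = ""
    size: int = 0
    addr: str = ""
    task: str = ""
    pid: int = 0
    alloc_pid: int = 0
    free_pid: int = 0
    object_base: str = ""
    cache: str = ""
    object_size: int = 0
    access_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)


def parse_kasan_report(text: str) -> KasanReport:
    """Walk the report line by line; a blank line ends the current stack section."""
    r = KasanReport()
    section = None  # "access", "alloc" or "free" while inside a stack dump
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if m := BUG.search(line):
            r.bug_type, r.crash_func = m.group(1), m.group(2)
        elif m := ACCESS.search(line):
            r.access, r.size, r.addr = m.group(1), int(m.group(2)), m.group(3)
            r.task, r.pid = m.group(4), int(m.group(5))
        elif line.startswith("Call Trace:"):
            section = "access"
        elif m := ALLOC.search(line):
            r.alloc_pid, section = int(m.group(1)), "alloc"
        elif m := FREED.search(line):
            r.free_pid, section = int(m.group(1)), "free"
        elif m := OBJ.search(line):
            r.object_base = m.group(1)
        elif m := CACHE.search(line):
            r.cache, r.object_size, section = m.group(1), int(m.group(2)), None
        elif not line.strip():
            section = None
        elif section and (m := FRAME.match(line)):
            if m.group(1):   # "? " frames are stale stack slots, not the live call chain
                continue
            getattr(r, f"{section}_stack").append(m.group(2))
    return r


def triage(r: KasanReport) -> dict:
    """Reduce the parsed report to the facts that decide where to start reading."""
    def first_subsystem_frame(stack):
        return next((f for f in stack if not f.startswith(NOISE_PREFIXES)), "")
    return {
        "bug": r.bug_type,
        "faulting_func": first_subsystem_frame(r.access_stack),
        "allocated_in": first_subsystem_frame(r.alloc_stack),
        "freed_in": first_subsystem_frame(r.free_stack),
        # alloc, free and access in three different tasks points at a race
        "cross_task_free": r.free_pid not in (0, r.pid),
        "offset_in_object": int(r.addr, 16) - int(r.object_base, 16),
    }


if __name__ == "__main__":
    for k, v in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{k:>17}: {v}")
```

On the report above this yields gsm_dlci_config as the faulting function, gsm_dlci_alloc and gsm_dlci_free as the allocation and release sites, an offset of 12 bytes into the freed kmalloc-1k object (matching the "located 12 bytes inside" line), and a free performed by a different task than the one that faulted, which is the usual shape of a race-driven use-after-free and a useful hint when comparing two exploits that are claimed to hit the same bug.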
