Sam James <[email protected]> writes:

> v12-security have shared a new Linux LPE today, PinTheft [0].
>
> Quoting their abstract:
>> PinTheft is a Linux local privilege escalation exploit for an RDS
>> zerocopy double-free that can be turned into a page-cache overwrite
>> through io_uring fixed buffers.
>>
>> PinTheft was discovered with V12 by Aaron Esau of the V12 security
>> team. We duped on this bug with some other teams and a patch is
>> available so we are releasing our PoC.
>>
>> The bug lived in the RDS zerocopy send
>> path. rds_message_zcopy_from_user() pins user pages one at a time. If
>> a later page faults, the error path drops the pages it already pinned,
>> and later RDS message cleanup drops them again because the scatterlist
>> entries and entry count remain live after the zcopy notifier is
>> cleared. Each failed zerocopy send can steal one reference from the first
>> page.
>>
>> The PoC uses io_uring to make that refcount bug useful. It registers
>> an anonymous page as a fixed buffer, giving the page a FOLL_PIN bias
>> of 1024 references. It then steals those references with failing RDS
>> zerocopy sends, frees the page, reclaims it as page cache for a
>> SUID-root binary, and uses the stale io_uring fixed-buffer page
>> pointer to overwrite that page cache with a small ELF
>> payload. Executing the SUID binary drops into a root shell.
>>
>> Sadly, the RDS kernel module this requires is only default on Arch
>> Linux among the common distributions we tested.
While of course I can't know what distros they tested, this does seem to
be on in at least Fedora too? https://oracle.github.io/kconfigs/ seems to
agree with that.

> [...]
>
> sam
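Since the thread turns on whether the RDS module is even reachable on a given distribution, here is an added audit script (not from the thread, not from v12-security) that a host owner can run to answer that locally. It reads the kernel config (/proc/config.gz or /boot/config-$(uname -r)), /proc/modules and /etc/modprobe.d, and reports whether RDS is built in, loadable on demand, currently loaded, or blocked; the CONFIG_RDS=m sample written to a temp file at the end is constructed for the offline demo, and the "install rds /bin/false" pattern it looks for is the usual modprobe.d way of preventing a module from loading.

```shell
#!/bin/sh
# Added example: report whether the RDS kernel module (net/rds) can be
# loaded on this host. Paths are the standard Linux locations.

# rds_config_state FILE -> builtin | module | off | unknown
# FILE is a kernel .config, plain or gzip-compressed (e.g. /proc/config.gz).
rds_config_state() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$f" in
        *.gz) reader="zcat" ;;
        *)    reader="cat" ;;
    esac
    if   "$reader" "$f" | grep -q '^CONFIG_RDS=y'; then echo builtin
    elif "$reader" "$f" | grep -q '^CONFIG_RDS=m'; then echo module
    else echo off
    fi
}

# rds_loaded -> yes | no, from /proc/modules (the module is named "rds")
rds_loaded() {
    if [ -r /proc/modules ] && grep -q '^rds ' /proc/modules; then echo yes; else echo no; fi
}

# rds_load_blocked DIR -> yes | no
# Looks in DIR/*.conf for the two common modprobe.d mitigations:
#   install rds /bin/false   (any load request runs /bin/false instead)
#   blacklist rds            (only stops alias-based autoloading)
rds_load_blocked() {
    d="$1"
    [ -d "$d" ] || { echo no; return 0; }
    if cat "$d"/*.conf 2>/dev/null | grep -Eq '^[[:space:]]*(install[[:space:]]+rds[[:space:]]|blacklist[[:space:]]+rds([[:space:]]|$))'; then
        echo yes
    else
        echo no
    fi
}

# rds_risk CONFIG_STATE BLOCKED -> one-line verdict
rds_risk() {
    case "$1:$2" in
        builtin:*)  echo "RDS compiled in; cannot be unloaded, needs a kernel update" ;;
        module:yes) echo "RDS module present but blocked by modprobe.d" ;;
        module:no)  echo "RDS module loadable on demand (an AF_RDS socket() autoloads it)" ;;
        off:*)      echo "RDS not built" ;;
        *)          echo "kernel config not readable; check manually" ;;
    esac
}

# report: run the checks against the live host
report() {
    cfg="/proc/config.gz"
    [ -r "$cfg" ] || cfg="/boot/config-$(uname -r)"
    st=$(rds_config_state "$cfg")
    bl=$(rds_load_blocked /etc/modprobe.d)
    echo "config ($cfg): $st"
    echo "loaded now:   $(rds_loaded)"
    echo "load blocked: $bl"
    echo "verdict:      $(rds_risk "$st" "$bl")"
}

# Constructed sample config, so the script demonstrates the parser offline;
# then the real host report.
tmp=$(mktemp)
printf 'CONFIG_RDS=m\n' > "$tmp"
echo "constructed sample: $(rds_config_state "$tmp") -> $(rds_risk "$(rds_config_state "$tmp")" no)"
rm -f "$tmp"
report
```

A "module" verdict with "load blocked: no" is the case the thread is about: nothing is loaded yet, but the first AF_RDS socket from an unprivileged process pulls the module in. "blacklist rds" alone is the weaker fix, since blacklist only disables the module's aliases; "install rds /bin/false" refuses every load request by name as well.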
