A vulnerability (CVE-2024-0582) has been identified in the asynchronous io_uring I/O interface provided by the Linux kernel, which allows an unprivileged user to gain root rights in the system. Normal local access to the system is sufficient to exploit the vulnerability, without the need for manipulating namespaces. Currently, a working exploit is publicly available, and the second technique for exploiting the vulnerability is described in detail.
The vulnerability is caused by an access to an already released block of memory (use-after-free) in the io_uring subsystem, which occurs when registering and freeing a ring buffer created with the IORING_REGISTER_PBUF_RING flag. If an mmap () operation is applied to the buffer, it remains reflected in user space after the release operation (IORING_UNREGISTER_PBUF_RING) is performed. Using this feature, an attacker can read and write data to memory pages returned to the kernel's memory allocation system.
The problem has been occurring since the release of the Linux 6.4 kernel and was fixed in releases 6.7 and 6.6.5, as well as in the 6.5.0-21 kernel package prepared for Ubuntu 22.04 and 23.10. It is noteworthy that the problem was fixed in the main kernel in December 2023, the Google Zero project opened access to an error message signaling the presence of a vulnerability January 8, and the package with the patched 6.5 kernel for Ubuntu was formed only on February 22, 2024.
The first exploit manipulates the creation of a large number of memory pages controlled by the attacker to determine the memory layout in the kernel and access neighboring physical memory pages, using the contents of network socket structures filled in in a certain way as beacons. To run the code, the exploit uses a "gadget" (a sequence of instructions existing in the kernel), which leads to the execution of the call_usermodehelper_exec function, designed to launch processes in user space from the kernel.
The second exploit is based on the fact that when all slab blocks in the cache are exhausted (for example, when opening a file many times), the free memory pages that the attacker still has access to are used by the memory allocation system to create a new slab block, and all new file structures begin to be placed in this block. Accordingly, some file structures will fall into memory pages that can be read and written by the attacker. Operation in this case boils down to organizing getting into the file cache of the desired file and replacing the f_mode field defining access rights in the associated file structures, which allows you to make the desired system file writable, for example, /etc/passwd.
The vulnerability is caused by an access to an already released block of memory (use-after-free) in the io_uring subsystem, which occurs when registering and freeing a ring buffer created with the IORING_REGISTER_PBUF_RING flag. If an mmap () operation is applied to the buffer, it remains reflected in user space after the release operation (IORING_UNREGISTER_PBUF_RING) is performed. Using this feature, an attacker can read and write data to memory pages returned to the kernel's memory allocation system.
The problem has been occurring since the release of the Linux 6.4 kernel and was fixed in releases 6.7 and 6.6.5, as well as in the 6.5.0-21 kernel package prepared for Ubuntu 22.04 and 23.10. It is noteworthy that the problem was fixed in the main kernel in December 2023, the Google Zero project opened access to an error message signaling the presence of a vulnerability January 8, and the package with the patched 6.5 kernel for Ubuntu was formed only on February 22, 2024.
The first exploit manipulates the creation of a large number of memory pages controlled by the attacker to determine the memory layout in the kernel and access neighboring physical memory pages, using the contents of network socket structures filled in in a certain way as beacons. To run the code, the exploit uses a "gadget" (a sequence of instructions existing in the kernel), which leads to the execution of the call_usermodehelper_exec function, designed to launch processes in user space from the kernel.
The second exploit is based on the fact that when all slab blocks in the cache are exhausted (for example, when opening a file many times), the free memory pages that the attacker still has access to are used by the memory allocation system to create a new slab block, and all new file structures begin to be placed in this block. Accordingly, some file structures will fall into memory pages that can be read and written by the attacker. Operation in this case boils down to organizing getting into the file cache of the desired file and replacing the f_mode field defining access rights in the associated file structures, which allows you to make the desired system file writable, for example, /etc/passwd.
