Re: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability

[tr3e wang <tr3e.wang () gmail com>]

Hi,

The exploit code can be found at https://github.com/tr3ee/CVE-2021-4204

Alexander, thanks for the update and for helping me post the exploit
code, I suffered from network outage last week.

tr3e

On Sun, Jun 5, 2022 at 4:22 AM Solar Designer <solar () openwall com> wrote:
> Hi,
>
> I've attached the exploit from the linux-distros thread - hopefully, the
> right one.  (I really shouldn't be the one doing it.  The exploit author
> is most qualified to do it, as required by linux-distros list policy.)
>
> Alexander
>
> On Wed, Jun 01, 2022 at 02:55:13PM +0200, Solar Designer wrote:
> > Hi,
> >
> > In context of the recent discussions on linux-distros list policies and
> > their enforcement, I looked at some of the previously handled issues,
> > and identified that the below wasn't properly handled/enforced.
> >
> > tr3e, since you had shared actual exploit code with linux-distros, you
> > were supposed to post the _code_ to oss-security within 7 days after
> > your initial public disclosure of the vulnerability.  However, you only
> > posted "the exploit overview" and promised that "Full exploit code will
> > be published on github in the near future."  Apparently, the latter
> > never happened, and it wouldn't have satisfied the requirement anyway.
> >
> > Please post the same exploit code you had shared with linux-distros to
> > this thread on oss-security ASAP.  Thank you!
> >
> > Alexander
> >
> > On Tue, Jan 18, 2022 at 09:26:43PM +0800, tr3e wang wrote:
> > > Hi all,
> > >
> > > This post is the exploit overview of CVE-2021-4202.
> > >
> > > We successfully exploited this vulnerability to obtain full root
> > > privileges on default installations of Ubuntu 20.04.
> > >
> > > *Exploit overview*
> > >
> > > 1. We create a lot of BPF ringbufs, and choose one of them as victim.
> > >    The BPF_FUNC_ringbuf_reserve allow us to have a pointer A to the
> > >    beginning of the victim ringbuf's data field.
> > >
> > > 2. We do a pointer subtraction to point back to the victim ringbuf's
> > >    mask field and overwrite it to 0x80000fff through
> > > BPF_FUNC_ringbuf_submit.
> > >    This allows us to do a limited out-of-bounds read/write. If lucky,
> > >    we can read/write all the fields of the ringbuf behind the victim.
> > >
> > > 3. With the full control over all fields of the ringbuf behind the
> > >    victim, we can manipulate the ringbuf to achieve a restricted
> > >    address read/write with side effects in the vmalloc space.
> > >
> > > 4. We spawn many child processes, and use restricted address read to
> > >    find the address of task_struct and cred in the vmalloc space.
> > >    After zeroing out the uid/gid/... , full root privileges obtained.
> > >
> > > Full exploit code will be published on github in the near future.
> > >
> > > Regards,
> > > tr3e