A bug detected in the Linux kernel garbage collector could lead to privilege escalation


A few days ago Jann Horn of Google's Project Zero team, who previously identified the Spectre and Meltdown vulnerabilities, unveiled a technique for exploiting a vulnerability found in the Linux kernel garbage collector (CVE-2021-4083).

The vulnerability is caused by a race condition when unix socket file descriptors are cleaned up, and it potentially allows an unprivileged local user to execute their code at the kernel level.

The problem is interesting because the time window in which the race condition occurs had been assessed as too small to create a real vulnerability, but the author of the study showed that even issues initially viewed with skepticism can become a source of real attacks if the person developing the exploit has the necessary skills and time.

Jann Horn showed how, with the help of fine-grained manipulations, a race condition that occurs when the close() and fget() functions are called at the same time can be turned into a fully exploitable use-after-free vulnerability, gaining access to an already freed data structure within the kernel.

The race condition occurs while a file descriptor is being closed, when close() and fget() are called at the same time. The call to close() can complete before fget() runs, which confuses the garbage collector: according to its refcount, the file structure has no external references, yet it is still attached to the file descriptor. The garbage collector therefore assumes it has exclusive access to the structure, but in fact, for a short period of time, the remaining entry in the file descriptor table continues to point to the structure being freed.

To increase the probability of hitting the race condition, several tricks were used that raised the probability of success to 30% when specific system optimizations were applied. For example, to increase the access time to the structure holding the file descriptors by several hundred nanoseconds, the data was flushed out of the processor cache by polluting the cache with activity on another CPU core, which forced the structure to be fetched from main memory rather than from the CPU's fast cache.

The second important element was the use of interrupts generated by a hardware timer to widen the race window. The timing was chosen so that the interrupt handler would fire while the race condition was occurring and suspend code execution for a while. To further delay the return of control, around 50 thousand entries were generated in an epoll queue, which the interrupt handler then had to iterate over.

The exploitation technique was disclosed after a 90-day non-disclosure period. The problem

and it was fixed in early December. The fix was included in the 5.16 kernel and also backported to the LTS branches of the kernel and to the kernel packages shipped by the distributions. It should be noted that the vulnerability was identified during analysis of a similar issue, CVE-2021-0920, which manifests itself in the garbage collector when processing the MSG_PEEK flag.

Another vulnerability found recently in the Linux kernel is CVE-2022-0742, which can exhaust available memory and remotely cause a denial of service when specially crafted ICMPv6 packets are sent. The issue is related to a memory leak that occurs when processing ICMPv6 messages of type 130 or 131.

The problem has been present since kernel 5.13 and was fixed in versions 5.16.13 and 5.15.27. The issue did not affect the stable branches of Debian, SUSE, Ubuntu LTS (18.04, 20.04) and RHEL, and it has been fixed on Arch Linux.
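As an added example (not code from the article or from the kernel project), the following script turns the version ranges stated above for CVE-2022-0742 into a check an administrator can run against `uname -r`. It encodes only what the article states (introduced in 5.13, fixed in 5.15.27 and 5.16.13); the treatment of 5.13.x and 5.14.x as affected and of 5.17 and later as fixed are assumptions made for this example and are marked as such in the code.

```python
import platform
import re

# From the article: CVE-2022-0742 has been present since kernel 5.13 and was
# fixed in 5.16.13 and 5.15.27.
INTRODUCED = (5, 13, 0)
FIXED_IN_BRANCH = {
    (5, 15): (5, 15, 27),
    (5, 16): (5, 16, 13),
}
# Assumption for this example (not stated in the article): the fix is part of
# mainline from 5.17 on, so any 5.17+ kernel is treated as not affected.
FIXED_MAINLINE = (5, 17, 0)

# Matches the leading "major.minor[.patch]" of a release string such as
# "5.15.26-generic" or "5.16.13-arch1-1"; the suffix is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> tuple:
    """Turn a `uname -r` string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_cve_2022_0742(release: str) -> bool:
    """True if an upstream kernel with this version string lacks the fix."""
    v = parse_kernel_version(release)
    if v < INTRODUCED:
        return False          # bug introduced in 5.13
    if v >= FIXED_MAINLINE:
        return False          # assumption: mainline carries the fix from 5.17
    fixed = FIXED_IN_BRANCH.get(v[:2])
    if fixed is None:
        # 5.13.x and 5.14.x: the article lists no fixed release on these
        # branches, so this example conservatively treats them as affected.
        return True
    return v < fixed


def report(release: str) -> str:
    """Human-readable verdict for one release string."""
    verdict = "AFFECTED" if is_affected_cve_2022_0742(release) else "not affected"
    return f"{release}: {verdict} by CVE-2022-0742 (upstream version check)"


if __name__ == "__main__":
    # Constructed sample release strings, plus the running kernel.
    for sample in ("5.15.26-generic", "5.15.27", "5.16.12", "5.16.13-arch1-1",
                   "5.10.100", "5.14.21", "5.17.0-rc1"):
        print(report(sample))
    print(report(platform.release()))
```

The check compares upstream version numbers only. Distribution kernels such as the Debian, SUSE, Ubuntu LTS and RHEL stable branches mentioned above either did not carry the bug or receive fixes by backport without changing the version string, so for those the distribution's own advisory, not this script, is the authoritative source.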

Finally, if you are interested in learning more about this news item, you can check the details at the following link.

