One Article Review

Home - The article:
Source ProjectZero
Identifier 8221935
Publication date 2022-08-24 12:08:43 (seen: 2022-11-25 18:05:33)
Title Racing against the clock -- hitting a tiny kernel race window
Text TL;DR: How to make a tiny kernel race window really large even on kernels without CONFIG_PREEMPT:

- use a cache miss to widen the race window a little bit
- make a timerfd expire in that window (which will run in an interrupt handler - in other words, in hardirq context)
- make sure that the wakeup triggered by the timerfd has to churn through 50000 waitqueue items created by epoll

Racing one thread against a timer also avoids accumulating timing variations from two threads in each race attempt - hence the title. On the other hand, it also means you now have to deal with how hardware timers actually work, which introduces its own flavors of weird timing variations.

Introduction

I recently discovered a race condition (https://crbug.com/project-zero/2247) in the Linux kernel. (While trying to explain to someone how the fix for CVE-2021-0920 worked - I was explaining why the Unix GC is now safe, and then got confused because I couldn't actually figure out why it's safe after that fix, eventually realizing that it actually isn't safe.) It's a fairly narrow race window, so I was wondering whether it could be hit with a small number of attempts - especially on kernels that aren't built with CONFIG_PREEMPT, which would make it possible to preempt a thread with another thread, as I described at LSSEU2019. This is a writeup of how I managed to hit the race on a normal Linux desktop kernel, with a hit rate somewhere around 30% if the proof of concept has been tuned for the specific machine. I didn't do a full exploit, though; I stopped at getting evidence of use-after-free (UAF) accesses (with the help of a very large file descriptor table and userfaultfd, which might not be available to normal users depending on system configuration) because that's the part I was curious about.

This also demonstrates that even very small race conditions can still be exploitable if someone sinks enough time into writing an exploit, so be careful if you dismiss very small race windows as unexploitable or don't treat such issues as security bugs. The UAF reproducer is in our bugtracker.

The bug

In the UNIX domain socket garbage collection code (which is needed to deal with reference loops formed by UNIX domain sockets that use SCM_RIGHTS
Sent Yes
Tags Tool Guideline
Stories APT 25
Notes ★★


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.