One Article Review

Home - The article:
Source: ProjectZero
Identifier: 8289267
Publication date: 2022-12-08 11:04:18 (viewed: 2022-12-08 19:05:55)
Title: Exploiting CVE-2022-42703 - Bringing back the stack attack
Text: Seth Jenkins, Project Zero

This blog post details an exploit for CVE-2022-42703 (P0 issue 2351 - Fixed 5 September 2022), a bug Jann Horn found in the Linux kernel's memory management (MM) subsystem that leads to a use-after-free on struct anon_vma. As the bug is very complex (I certainly struggle to understand it!), a future blog post will describe the bug in full. For the time being, the issue tracker entry, this LWN article explaining what an anon_vma is, and the commit that introduced the bug are great resources for gaining additional context.

Setting the scene

Successfully triggering the underlying vulnerability causes folio->mapping to point to a freed anon_vma object. Calling madvise(..., MADV_PAGEOUT) can then be used to repeatedly trigger accesses to the freed anon_vma in folio_lock_anon_vma_read():

struct anon_vma *
Sent: Yes
Tags: Vulnerability, Guideline
Rating: ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier one.