/CVE-2022-29968

Exploit PoC for CVE-2022-29968 by Joseph Ravichandran and Michael Wang

Primary LanguageC

CVE-2022-29968

Proof-of-concept exploit for CVE-2022-29968 (uninitialized memory) in the Linux Kernel, specifically the io_uring system.

The crash was found with Syzkaller. The crash was analyzed by Joseph Ravichandran and Michael Wang. The exploit was written by Joseph Ravichandran.

We found & reported this bug as part of the final project for 6.858 at MIT, Spring 2022.

Any kernel after 3e08773c3841 ("block: switch polling to be bio based") and before 32452a3eb8b6 ("io_uring: fix uninitialized field in rw io_kiocb") should be vulnerable to this.

Patch Commit

Our patch commit

Writeup

The writeup we submitted for the 6.858 final project

Exploit

Requirements

  • Since we need to spray pointers to a fake bio struct, SMAP/ SMEP need to be off (or, if you have a kASLR leak, you can use that here)
  • /dev/sr0 needs to be readable by an unprivileged user

Tested in a Busybox install (without KVM) with 128M of RAM:

$QEMU -m 128M -kernel $KERNEL -initrd $INITRD -nographic -append "console=ttyS0 nokaslr no_hash_pointers ftrace_dump_on_oops"

initramfs init:

#!/bin/sh
/bin/busybox --install -s

# Mount required file systems (very useful if you are using ftrace/ debug features)
mount -t proc none /proc
mount -t sysfs sysfs /sys
mount -t tracefs nodev /sys/kernel/tracing
mount -t debugfs none /sys/kernel/debug
mkdir -p /tmp  && mount -t tmpfs tmpfs /tmp
mount -t devtmpfs none /dev

# Setup permissions for sr0
chmod -R 0777 /dev/sr0

# Create a temp file (used by the old userfaultfd approach)
# Not needed for the public exploit
touch /tmp/test

# Switch to non-root user
su attacker

# Run shell
exec sh

# Run shell (except ^C now works)
#exec setsid sh -c 'exec sh </dev/ttyS0 >/dev/ttyS0 2>&1'

Our etc/passwd has a non-root user (attacker) and a root user (root):

attacker:x:1000:1000:Linux User,,,:/home/attacker:/bin/sh
root:x:0:0:root:/tmp:/bin/sh

Kernel was compiled with make defconfig for x86_64 with some extra tracing/ debugging features enabled.

Running it

  1. Compile with make
  2. ./spray
  3. ./exploit