Bug 2127927 (CVE-2022-3238)
| Summary: | CVE-2022-3238 kernel: ntfs3 local privledge escalation if NTFS character set and remount and umount called simultaneously | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Alex <allarkin> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acaringi, adscvr, airlied, alciregi, bhu, brdeoliv, bskeggs, chwhite, crwood, ddepaula, debarbos, dhoward, dvlasenk, ezulian, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lleshchi, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, security-response-team, steve.beattie, steved, tyberry, vkumar, walters, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-30 13:28:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2137145 | ||
| Bug Blocks: | 2121224 | ||
If a character set is set for the NTFS3 file system at mount time, then remount and umount will release character set strings twice. Due to the system string length limit, these strings can be allocated up to 0x10 bytes of memory, so they can have a 0x10 byte double free. The mount file system operation requires CAP_SYS_ADMIN, so you must also have this permission to exploit this vulnerability. Since the 0x10 byte heap is complex, the following exp I have turned off CONFIG_SLAB_FREELIST_RANDOM in the kernel, but is actually easily bypassed by heap spraying. Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2137145] On behalf of reporter, some more information regarding vulnerability from reporter: " If a character set is set for the NTFS3 file system at mount time, then remount and umount will release character set strings twice. Due to the system string length limit, these strings can be allocated up to 0x10 bytes of memory, so they can have a 0x10 byte double free . The mount file system operation requires CAP_SYS_ADMIN, so you must also have this permission to exploit this vulnerability. Since the 0x10 byte heap is complex, the following exp I have turned off CONFIG_SLAB_FREELIST_RANDOM in the kernel, but is actually easily bypassed by heap spraying. - Vulnerability trigger path: [see above] exp I use FUSE + setxattr + getxattr to leak the heap address, then I use io_uring_buffer_tags and ldt_struct to occupy the same heap block, and then I use read_ldt to search memory to find the cred of the process. Finally, write to any address through io_uring_buffer_tags again, and write 0 to process UID and GID to implement LPE. " For the reproducer and information about candidate patch please ask the reporter, e-mail: g1042620637 gmail.com This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-3238 |
A flaw double free in the Linux Kernel NTFS3 file system found. If a character set is set for the NTFS3 file system at mount time, then remount and umount will release character set strings twice. Due to the system string length limit, these strings can be allocated up to 0x10 bytes of memory, so they can have a 0x10 byte double free . The mount file system operation requires CAP_SYS_ADMIN, so you must also have this permission to exploit this vulnerability. - Vulnerability trigger path: ------remount------ do_mount path_mount do_remount put_fs_context fc->ops->free(fc); ntfs_fs_free put_mount_options kfree(opts->nls_name); ------umount------ kill_block_super generic_shutdown_super ntfs_put_super put_mount_options kfree(opts->nls_name);