A double free flaw was found in the Linux kernel NTFS3 file system. If a character set is set for the NTFS3 file system at mount time, then remount and umount will release the character set strings twice. Due to the system string length limit, these strings can be allocated up to 0x10 bytes of memory, so they can have a 0x10-byte double free. The mount file system operation requires CAP_SYS_ADMIN, so you must also have this permission to exploit this vulnerability.

- Vulnerability trigger path:

------remount------
do_mount
  path_mount
    do_remount
      put_fs_context
        fc->ops->free(fc);
          ntfs_fs_free
            put_mount_options
              kfree(opts->nls_name);

------umount------
kill_block_super
  generic_shutdown_super
    ntfs_put_super
      put_mount_options
        kfree(opts->nls_name);
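The two call chains above end in the same kfree() of the same options string, once from the fs_context free hook on remount and once from put_super on umount. The following user-space model, added here as an illustration and not taken from the kernel or from the reporter, replays that sequence against a small bookkeeping allocator that records a second release of the same block instead of performing it. The struct name and the two put_mount_options variants are hypothetical stand-ins; the "fixed" variant shows the usual remedy for this ownership pattern (clear the pointer after freeing, so kfree(NULL) turns the second call into a no-op).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 8

/* Minimal bookkeeping that stands in for the SLAB allocator: every
 * allocation is recorded, and a release of a block that is no longer
 * live is counted as a double free rather than executed. */
static void *tracked_ptr[MAX_TRACKED];
static int   tracked_live[MAX_TRACKED];
static int   tracked_count;
static int   double_free_count;

static char *mock_kmalloc_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p && tracked_count < MAX_TRACKED) {
        memcpy(p, s, n);
        tracked_ptr[tracked_count] = p;
        tracked_live[tracked_count] = 1;
        tracked_count++;
    }
    return p;
}

static void mock_kfree(void *p)
{
    if (!p)                          /* kfree(NULL) is a no-op, as in the kernel */
        return;
    for (int i = 0; i < tracked_count; i++) {
        if (tracked_ptr[i] == p) {
            if (tracked_live[i])
                tracked_live[i] = 0; /* first release: fine */
            else
                double_free_count++; /* second release of the same block */
            return;
        }
    }
}

static void mock_reset(void)
{
    for (int i = 0; i < tracked_count; i++)
        free(tracked_ptr[i]);        /* real memory is released exactly once, here */
    tracked_count = 0;
    double_free_count = 0;
}

/* Hypothetical stand-in for the options structure reached via opts->nls_name. */
struct ntfs_mount_options {
    char *nls_name;                  /* character set name given at mount time */
};

/* Buggy teardown: releases the string but leaves the pointer dangling. */
static void put_mount_options_buggy(struct ntfs_mount_options *opts)
{
    mock_kfree(opts->nls_name);
}

/* Hardened teardown: clearing the pointer makes a repeated call harmless. */
static void put_mount_options_fixed(struct ntfs_mount_options *opts)
{
    mock_kfree(opts->nls_name);
    opts->nls_name = NULL;
}

/* Replays the trace: remount (fs_context free hook) then umount (put_super),
 * both reaching put_mount_options on the same opts.  Returns how many
 * double frees the bookkeeping allocator observed. */
int simulate_remount_then_umount(int use_fixed)
{
    void (*put_opts)(struct ntfs_mount_options *) =
        use_fixed ? put_mount_options_fixed : put_mount_options_buggy;
    struct ntfs_mount_options opts;
    int observed;

    mock_reset();
    opts.nls_name = mock_kmalloc_str("utf8"); /* constructed value; fits a 0x10-byte slab */

    put_opts(&opts);   /* remount: ntfs_fs_free -> put_mount_options */
    put_opts(&opts);   /* umount:  ntfs_put_super -> put_mount_options */

    observed = double_free_count;
    mock_reset();
    return observed;
}

int main(void)
{
    printf("buggy teardown: %d double free(s)\n", simulate_remount_then_umount(0));
    printf("fixed teardown: %d double free(s)\n", simulate_remount_then_umount(1));
    return 0;
}
```

Running it reports one double free for the buggy sequence and none for the fixed one. The same observation is what KASAN or the SLUB debug consistency checks (slub_debug=F) would report on a real kernel, which is the practical way to confirm that a backported fix closes both paths.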
If a character set is set for the NTFS3 file system at mount time, then remount and umount will release the character set strings twice. Due to the system string length limit, these strings can be allocated up to 0x10 bytes of memory, so they can have a 0x10-byte double free. The mount file system operation requires CAP_SYS_ADMIN, so you must also have this permission to exploit this vulnerability. Since the 0x10-byte heap is complex, for the following exploit I have turned off CONFIG_SLAB_FREELIST_RANDOM in the kernel, but it is actually easily bypassed by heap spraying.
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2137145]
On behalf of the reporter, some more information regarding the vulnerability from the reporter:

"If a character set is set for the NTFS3 file system at mount time, then remount and umount will release the character set strings twice. Due to the system string length limit, these strings can be allocated up to 0x10 bytes of memory, so they can have a 0x10-byte double free. The mount file system operation requires CAP_SYS_ADMIN, so you must also have this permission to exploit this vulnerability. Since the 0x10-byte heap is complex, for the following exploit I have turned off CONFIG_SLAB_FREELIST_RANDOM in the kernel, but it is actually easily bypassed by heap spraying.

- Vulnerability trigger path: [see above]

- exp: I use FUSE + setxattr + getxattr to leak the heap address, then I use io_uring_buffer_tags and ldt_struct to occupy the same heap block, and then I use read_ldt to search memory to find the cred of the process. Finally, write to any address through io_uring_buffer_tags again, and write 0 to the process UID and GID to implement LPE."

For the reproducer and information about the candidate patch please ask the reporter, e-mail: g1042620637 gmail.com
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-3238