Bug 2127927 (CVE-2022-3238) - CVE-2022-3238 kernel: ntfs3 local privilege escalation if NTFS character set and remount and umount called simultaneously
Summary: CVE-2022-3238 kernel: ntfs3 local privilege escalation if NTFS character set ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-3238
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2137145
Blocks: 2121224
Reported: 2022-09-19 11:58 UTC by Alex
Modified: 2023-09-21 13:46 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2022-11-30 13:28:05 UTC
Embargoed:



Description Alex 2022-09-19 11:58:36 UTC
A double free flaw was found in the Linux kernel NTFS3 file system.
If a character set is set for the NTFS3 file system at mount time, then
remount and umount will release the character set strings twice. Due to the
system string length limit, these strings can be allocated up to 0x10 bytes
of memory, so they can have a 0x10 byte double free.

The mount file system operation requires CAP_SYS_ADMIN, so you must also
have this permission to exploit this vulnerability.


Vulnerability trigger path:

------remount------
do_mount
    path_mount
        do_remount
            put_fs_context
                fc->ops->free(fc);
                ntfs_fs_free
                    put_mount_options
                        kfree(opts->nls_name);

------umount------
kill_block_super
    generic_shutdown_super
        ntfs_put_super
            put_mount_options
                kfree(opts->nls_name);
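
The following is an added example, not code from the bug report or from fs/ntfs3: a userspace C model of why the two paths above release the same string. It assumes, for illustration only, that the remount handler shallow-copies the freshly parsed options struct into the superblock's copy (so both owners end up holding the same nls_name pointer) and that the fix is to transfer ownership instead of copying; the struct and function names are simplified stand-ins, not the kernel's. A tracking free() counts the second release of a string instead of actually corrupting the heap, so the model runs safely.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel objects (assumption, not fs/ntfs3). */
struct mount_options { char *nls_name; };         /* heap string, owned by its holder */
struct fs_context    { struct mount_options *opts; }; /* options for one (re)mount request */
struct super_block   { struct mount_options *opts; }; /* options the live filesystem uses */

/* Tracking allocator: remembers live strings so a second free is counted
 * rather than handed to the real heap. */
#define MAX_TRACKED 16
static char *live[MAX_TRACKED];
static int double_frees;

static char *tracked_strdup(const char *s)
{
    char *p = strdup(s);
    if (!p) abort();
    for (int i = 0; i < MAX_TRACKED; i++)
        if (!live[i]) { live[i] = p; return p; }
    abort();
}

static void tracked_free(char *p)
{
    if (!p) return;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; } /* first free */
    double_frees++;                                            /* second free */
}

/* Both paths on the page (ntfs_fs_free and ntfs_put_super) end here. */
static void put_mount_options(struct mount_options *opts)
{
    tracked_free(opts->nls_name);
    free(opts);
}

static struct mount_options *parse_options(const char *nls)
{
    struct mount_options *o = calloc(1, sizeof(*o));
    if (!o) abort();
    o->nls_name = tracked_strdup(nls);
    return o;
}

/* Buggy reconfigure (assumed): shallow copy makes sb->opts and fc->opts share
 * one nls_name, and the string the superblock held before is leaked. */
static void reconfigure_copy(struct super_block *sb, struct fs_context *fc)
{
    memcpy(sb->opts, fc->opts, sizeof(*sb->opts));
}

/* Fixed reconfigure (assumed): transfer ownership. The superblock takes the
 * new options; the fs_context keeps the old ones and frees them once. */
static void reconfigure_swap(struct super_block *sb, struct fs_context *fc)
{
    struct mount_options *old = sb->opts;
    sb->opts = fc->opts;
    fc->opts = old;
}

struct result {
    int double_frees;   /* frees of an already-freed nls_name */
    int leaked;         /* nls_name strings still live after umount */
};

/* mount -o nls=utf8, then remount -o nls=utf8, then umount. */
static struct result run_scenario(int fixed)
{
    struct result r = {0, 0};
    double_frees = 0;
    memset(live, 0, sizeof(live));

    struct super_block sb = { .opts = parse_options("utf8") }; /* mount */
    struct fs_context fc = { .opts = parse_options("utf8") };  /* remount request */
    if (fixed) reconfigure_swap(&sb, &fc); else reconfigure_copy(&sb, &fc);
    put_mount_options(fc.opts);  /* do_remount -> put_fs_context -> ntfs_fs_free */
    put_mount_options(sb.opts);  /* umount: kill_block_super -> ntfs_put_super */

    r.double_frees = double_frees;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (live[i]) { r.leaked++; free(live[i]); live[i] = NULL; }
    return r;
}

int main(void)
{
    struct result bug = run_scenario(0), fix = run_scenario(1);
    printf("shallow copy:   double frees=%d leaked=%d\n", bug.double_frees, bug.leaked);
    printf("ownership swap: double frees=%d leaked=%d\n", fix.double_frees, fix.leaked);
    return 0;
}
```

The shallow-copy run reports one double free and one leaked string (the mount-time nls_name overwritten by the copy); the ownership-transfer run reports neither. The point to take from the model is the one the trigger path makes: whichever structure the remount handler leaves holding nls_name must be the only one that later reaches put_mount_options().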

Comment 3 Alex 2022-10-23 19:11:32 UTC
If a character set is set for the NTFS3 file system at mount time, then
remount and umount will release character set strings twice. Due to the
system string length limit, these strings can be allocated up to 0x10 bytes
of memory, so they can have a 0x10 byte double free.

The mount file system operation requires CAP_SYS_ADMIN, so you must also
have this permission to exploit this vulnerability.

Since the 0x10 byte heap is complex, for the following exp I have turned off
CONFIG_SLAB_FREELIST_RANDOM in the kernel, but it is actually easily bypassed
by heap spraying.

Comment 6 Alex 2022-10-23 19:35:09 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2137145]

Comment 7 Alex 2022-11-14 12:46:48 UTC
On behalf of the reporter, some more information regarding the vulnerability:

"
If a character set is set for the NTFS3 file system at mount time, then
remount and umount will release the character set strings twice. Due to the
system string length limit, these strings can be allocated up to 0x10 bytes
of memory, so they can have a 0x10 byte double free.

The mount file system operation requires CAP_SYS_ADMIN, so you must also
have this permission to exploit this vulnerability.

Since the 0x10 byte heap is complex, for the following exp I have turned off
CONFIG_SLAB_FREELIST_RANDOM in the kernel, but it is actually easily bypassed
by heap spraying.

Vulnerability trigger path:
[see above]


exp
I use FUSE + setxattr + getxattr to leak the heap address, then I use
io_uring_buffer_tags and ldt_struct to occupy the same heap block, and then
I use read_ldt to search memory to find the cred of the process. Finally, I
write to an arbitrary address through io_uring_buffer_tags again, writing 0 to the
process UID and GID to achieve LPE.
"

For the reproducer and information about the candidate patch please ask the reporter, e-mail: g1042620637 gmail.com

Comment 8 Product Security DevOps Team 2022-11-30 13:28:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3238
