We successfully exploited this vulnerability to obtain full root privileges on default installations of Ubuntu 20.04.
- Among all the *_OR_NULL types, we choose PTR_TO_MEM_OR_NULL, which can be created by BPF_FUNC_ringbuf_reserve. First, we call BPF_FUNC_ringbuf_reserve to get a NULL pointer in r0 and copy r0 to r1. Then we add 1 to r1 and do a NULL check on r0. At this point, the verifier believes that both r0 and r1 are zero (although r1 actually holds 1).
- ALU sanitation is hardened after commit "bpf: Fix leakage of uninitialized bpf stack under speculation". To bypass ALU sanitation, we use the helper functions bpf_skb_load_bytes_* to partially or fully overwrite a pointer on the stack, which gives us a pointer address leak and arbitrary address read/write.
- We spawn many child processes and use the arbitrary address read to find the addresses of task_struct and cred near the address of the array map we created. After zeroing out the uid/gid/…, we obtain full root privileges.

CVE-2022-23222 - Linux Kernel eBPF Local Privilege Escalation | Chinese writeup