
Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer


CVE-2022-23222 - Linux Kernel eBPF Local Privilege Escalation

We successfully exploited this vulnerability to obtain full root privileges on default installations of Ubuntu 20.04.

  1. Among all the *_OR_NULL types, we choose PTR_TO_MEM_OR_NULL, which can be created by BPF_FUNC_ringbuf_reserve. First, we pass 0xffff……..ffff to BPF_FUNC_ringbuf_reserve to get a NULL pointer in r0, and copy r0 to r1. Then we add 1 to r1 and do a NULL check on r0. At this point, the verifier believes that both r0 and r1 are zero.
  2. ALU sanitation is hardened after commit “bpf: Fix leakage of uninitialized bpf stack under speculation”. To bypass ALU sanitation, we use the helper functions bpf_skb_load_bytes_* to partially or fully overwrite a pointer on the stack, which gives us a pointer address leak and arbitrary address read/write.
  3. We spawn many child processes and use the arbitrary address read to find the addresses of task_struct and cred near the address of the array map we created. After zeroing out the uid/gid/…, full root privileges are obtained.