Researchers from Google Project Zero published Vulnerability operation method ( CVE-2020-29661 ) in the implementation of the TiocSpgrp IOCTL handler from the TT-subsystem of the Linux kernel, and Also, the protection mechanisms that could block similar vulnerabilities could also be blocked.
Causeing a product Error was Stranna in the Linux kernel on December 3 of December last year. The problem is manifested in nuclei to version 5.9.13, but most distributions eliminated the problem in the updates of the packages with the kernel, proposed last year ( Debian , rhel , Suse , ubuntu , Fedora , Arch ). Similar vulnerability ( CVE-2020-29660 ) was simultaneously found in the implementation of the IOCTL call TiOCGSID, but It is also universally eliminated.
The problem is caused by an error when setting the locks leading to the racing state in the Drivers / Tty / Tty_jobctrl.c code, which was able to use to create the conditions for referring to memory after its release (use-after-free) operated from the user space through manipulations With IOCT call TiocSpgrp. Worker Explit demonstrated to increase privileges in Debian 10 with kernel 4.19.0 -13-AMD64.
In this case, in the published article the focus is not so much on the technique Creating a working exploit, so much on which tools in the kernel exist to protect against such vulnerabilities. The conclusion is not consolation, methods of type segmentation in a heap and control over the memory appeal after its release are not applied in practice, as they lead to a decrease in performance, and CFI-based protection (Control Flow Integrity), blocking exploits in the later stages of attack, Requires refinement.
When considering what the situation could change the situation in the long run, it allocates the use of advanced static analyzers or the use of languages that ensure safe memory work, such as Rust and C language dialects with advanced annotations (for example, Checked C ), at the stage of assembling the status of locks, objects and pointers. From the defense methods, the activation of the Panic_on_oops mode is also mentioned, the translation of the kernel structures into read-only mode and restricting access to system challenges using the mechanisms such as Seccomp.