CVE-2022-2585: Use-After-Free Vulnerability in Armed POSIX CPU Timers when Exec'ing from a Non-Leader Thread

The recent discovery of CVE-2022-2585, a use-after-free vulnerability, has put Linux systems at risk when using armed POSIX CPU timers in a non-leader thread. This vulnerability allows an attacker to exploit the use-after-free issue, potentially leading to system crashes, unauthorized access, and information disclosure. This article will discuss the details of the vulnerability, provide code snippets to illustrate the problem, and link to original references for further study.

Background

CVE-2022-2585 is a security vulnerability that affects Linux systems when non-leader threads are executing with armed POSIX CPU timers. The issue occurs when these threads leave the armed timer on a list but free it, leading to a use-after-free vulnerability. This is a critical vulnerability, as use-after-free issues can result in severe consequences, such as memory corruption, system crashes, or unauthorized access.

A non-leader thread refers to a secondary thread that's not the main one running in the process. POSIX (Portable Operating System Interface) timers are a way to measure the time elapsed and provide notification when a specific time is reached. Armed POSIX CPU timers are those timers that have been set and activated to perform their timekeeping function.

Exploit Details

When a non-leader thread exec's in the presence of armed POSIX CPU timers, the timers are left on a list but freed. This causes the memory that held the timer to be reused for other purposes. Consequently, the list contains pointers to free memory, which can be exploited to overwrite the memory. By overwriting memory, an attacker might execute arbitrary code, elevate privileges, or crash the system.

The issue can be demonstrated in the following code snippet

#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

void *thread_func(void *arg) {
  ...
  timer_t timerid;
  struct sigevent sev;
  struct itimerspec its;
  ...
  // Set up the armed POSIX CPU timer
  sev.sigev_notify = SIGEV_SIGNAL;
  sev.sigev_signo = SIGUSR1;
  timer_create(CLOCK_PROCESS_CPUTIME_ID, &sev, &timerid);
  its.it_value.tv_sec = 1;  // Set timer for 1 second
  timer_settime(timerid, , &its, NULL);
  ...
  // Call exec in the non-leader thread (potential use-after-free)
  execl("/bin/ls", "ls", NULL);

  ...
}

int main(void) {
  pthread_t thread;
  ...
  // Create a non-leader thread
  pthread_create(&thread, NULL, thread_func, NULL);
  ...
  pthread_join(thread, NULL);
  ...
  return ;
}

In this code snippet, a secondary thread is created with a running armed POSIX CPU timer. When the non-leader thread calls execl(), the timer remains on the list but is freed, causing a use-after-free vulnerability.

More information about this vulnerability can be found in the following references

1. Official CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2585

2. Linux Kernel Mailing List Thread: https://lkml.org/lkml/2022/2/5/130

Conclusion

CVE-2022-2585 is a critical vulnerability when using armed POSIX CPU timers in a non-leader thread on Linux systems. Developers and system administrators should be aware of this issue and take the necessary precautions to mitigate the risk. Staying informed about security vulnerabilities and applying updates and patches as soon as possible is crucial to maintaining a secure and stable environment.

Timeline

Published on: 01/08/2024 18:15:44 UTC
Last modified on: 01/08/2024 19:05:05 UTC