
Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings

Published by Frank Solli on

GRsecurity and CVE-2016-0728


This is just a small note on defence in depth with grsecurity, using CVE-2016-0728 (Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings) as the example.

The first layer is the PaX reference-count overflow protection (PAX_REFCOUNT). From the grsecurity kernel config help text:



By saying Y here the kernel will detect and prevent overflowing
various (but not all) kinds of object reference counters. Such
overflows can normally occur due to bugs only and are often, if
not always, exploitable.

The tradeoff is that data structures protected by an overflowed
refcount will never be freed and therefore will leak memory. Note
that this leak also happens even without this protection but in
that case the overflow can eventually trigger the freeing of the
data structure while it is still being used elsewhere, resulting
in the exploitable situation that this feature prevents.

Since this has a negligible performance impact, you should enable
this feature.



$ uname -r
4.1.7-grsec

frank@sh02:/tmp$ ./cve20160728
1747934f
uid=1004, euid=1004
Increfing…
Killed

The exploit process is killed and the event is logged:

Jan 22 16:48:31 sh02 kernel: [18289999.002140] PAX: From IP.ADDRESS: refcount overflow detected in: cve20160728:26626, uid/euid: 1004/1004
Jan 22 16:48:31 sh02 kernel: [18289999.004656] CPU: 1 PID: 26626 Comm: cve20160728 Tainted: G E 4.1.7-grsec #3
Jan 22 16:48:31 sh02 kernel: [18289999.005925] task: ffff88007c4a3750 ti: ffff88007c4a3a38 task.ti: ffff88007c4a3a38
Jan 22 16:48:31 sh02 kernel: [18289999.007154] RIP: e030:[] [] prepare_creds+0xa0/0x120
Jan 22 16:48:31 sh02 kernel: [18289999.008448] RSP: e02b:ffffc900462bbd98 EFLAGS: 00000a16
Jan 22 16:48:31 sh02 kernel: [18289999.009727] RAX: ffff880078f37480 RBX: ffff88000f5d39c0 RCX: 0000000000000000
Jan 22 16:48:31 sh02 kernel: [18289999.010948] RDX: 0000000000000000 RSI: ffff88007c124a68 RDI: ffff88000f5d3a68
Jan 22 16:48:31 sh02 kernel: [18289999.012135] RBP: ffffc900462bbda8 R08: 0000000000018080 R09: ffffffff8109f5d6
Jan 22 16:48:31 sh02 kernel: [18289999.013315] R10: 0000000000000000 R11: 0000000000000008 R12: ffff88007c1249c0
Jan 22 16:48:31 sh02 kernel: [18289999.014511] R13: ffff880079940d08 R14: 00006d77dcc9cfd9 R15: 00006d77dcf607a0
Jan 22 16:48:31 sh02 kernel: [18289999.015668] FS: 00006d77dd36f700(0000) GS:ffff88007d100000(0000) knlGS:0000000000000000
Jan 22 16:48:31 sh02 kernel: [18289999.016930] CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
Jan 22 16:48:31 sh02 kernel: [18289999.018193] CR2: 0000717b8545c000 CR3: 0000000072cea000 CR4: 0000000000002660
Jan 22 16:48:31 sh02 kernel: [18289999.019306] Stack:
Jan 22 16:48:31 sh02 kernel: [18289999.020383] ffff880079940d08 00007554244a3af9 ffffc900462bbdf8 ffffffff8132c8fe
Jan 22 16:48:31 sh02 kernel: [18289999.021492] 00006d77dcc9cfd9 00006d77dcf607a0 ffffc900462bbdf8 ffff880079940d08
Jan 22 16:48:31 sh02 kernel: [18289999.022764] 00007554244a3af9 00006d77dcf607a0 00006d77dcc9cfd9 00006d77dcf607a0
Jan 22 16:48:31 sh02 kernel: [18289999.024144] Call Trace:
Jan 22 16:48:31 sh02 kernel: [18289999.025188] [] join_session_keyring+0x1e/0x180
Jan 22 16:48:31 sh02 kernel: [18289999.026269] [] keyctl_join_session_keyring+0x34/0x60
Jan 22 16:48:31 sh02 kernel: [18289999.027295] [] SyS_keyctl+0x208/0x220
Jan 22 16:48:31 sh02 kernel: [18289999.028304] [] system_call_fastpath+0x16/0x89
Jan 22 16:48:31 sh02 kernel: [18289999.029289] Code: c0 74 12 f0 ff 80 d8 00 00 00 71 09 f0 ff 88 d8 00 00 00 cd 04 48 8b 83 80 00 00 00 48 85 c0 74 0a f0 ff 00 71 05 f0 ff 08 cd 04 8b 43 60 48 85 c0 74 0a f0 ff 00 71 05 f0 ff 08 cd 04 48 8b
Jan 22 16:48:31 sh02 kernel: [18289999.032426] PAX: From IP.ADDRESS: refcount overflow detected in: cve20160728:26626, uid/euid: 1004/1004
Jan 22 16:48:31 sh02 kernel: [18289999.034473] CPU: 1 PID: 26626 Comm: cve20160728 Tainted: G E 4.1.7-grsec #3
Jan 22 16:48:31 sh02 kernel: [18289999.035612] task: ffff88007c4a3750 ti: ffff88007c4a3a38 task.ti: ffff88007c4a3a38
Jan 22 16:48:31 sh02 kernel: [18289999.036594] RIP: e030:[] [] find_keyring_by_name+0x115/0x180
Jan 22 16:48:31 sh02 kernel: [18289999.038658] RSP: e02b:ffffc900462bbd78 EFLAGS: 00000a16
Jan 22 16:48:31 sh02 kernel: [18289999.039713] RAX: 0000000000000000 RBX: ffff880078f37480 RCX: 000000007fffffff
Jan 22 16:48:31 sh02 kernel: [18289999.040654] RDX: 000000007fffffff RSI: ffff88007c1249c0 RDI: ffff880078f37480
Jan 22 16:48:31 sh02 kernel: [18289999.041587] RBP: ffffc900462bbda8 R08: 0000000000017660 R09: ffff880072d828e8
Jan 22 16:48:31 sh02 kernel: [18289999.042520] R10: ffffffff81370f0e R11: 0000000000000008 R12: ffffffff8236ca70
Jan 22 16:48:31 sh02 kernel: [18289999.043421] R13: ffff880079940d08 R14: 0000000000000000 R15: ffff88007c4a3750
Jan 22 16:48:31 sh02 kernel: [18289999.044307] FS: 00006d77dd36f700(0000) GS:ffff88007d100000(0000) knlGS:0000000000000000
Jan 22 16:48:31 sh02 kernel: [18289999.045184] CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
Jan 22 16:48:31 sh02 kernel: [18289999.046066] CR2: 0000717b8545c000 CR3: 0000000072cea000 CR4: 0000000000002660
Jan 22 16:48:31 sh02 kernel: [18289999.046913] Stack:
Jan 22 16:48:31 sh02 kernel: [18289999.047767] ffff88007c1249c0 ffff880079940d08 ffff88000f5d39c0 ffff880079940d08
Jan 22 16:48:31 sh02 kernel: [18289999.048645] 00006d77dcc9cfd9 ffff88007c1249c0 ffffc900462bbdf8 ffffffff8132c939
Jan 22 16:48:31 sh02 kernel: [18289999.049524] 00006d77dcc9cfd9 00006d77dcf607a0 ffffc900462bbdf8 ffff880079940d08
Jan 22 16:48:31 sh02 kernel: [18289999.050549] Call Trace:
Jan 22 16:48:31 sh02 kernel: [18289999.051540] [] join_session_keyring+0x59/0x180
Jan 22 16:48:31 sh02 kernel: [18289999.052449] [] keyctl_join_session_keyring+0x34/0x60
Jan 22 16:48:31 sh02 kernel: [18289999.053348] [] SyS_keyctl+0x208/0x220
Jan 22 16:48:31 sh02 kernel: [18289999.054274] [] system_call_fastpath+0x16/0x89
Jan 22 16:48:31 sh02 kernel: [18289999.055152] Code: 18 49 8b b7 e0 03 00 00 ba 08 00 00 00 48 89 df e8 41 25 00 00 85 c0 78 95 8b 13 85 d2 74 8f 89 d1 83 c1 01 71 05 83 e9 01 cd 04 d0 f0 0f b1 0b 39 c2 75 4a e8 fc 31 dc ff 48 89 43 60 f0 81
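To make the help text concrete, here is an added user-space model (not this post's code and not grsecurity's) of the two behaviours it describes: an unchecked reference count that wraps back to zero and lets the object be freed while a live pointer still refers to it, and a checked increment in the spirit of PAX_REFCOUNT that refuses to wrap and pins the count at its maximum, at the cost of the memory leak the help text mentions. The object type, the 16-bit counter width and the 65535-reference scenario are constructed for the illustration (a narrow counter makes the wrap reachable in a short loop; the logic is the same as for the kernel's 32-bit atomic_t), and __builtin_add_overflow is a GCC/Clang builtin.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: a toy refcounted object, not kernel code. int16_t stands in
 * for the kernel's 32-bit atomic_t so the wrap-around is reached quickly. */
typedef int16_t refcount_t;

struct object {
    refcount_t usage;
    bool freed;          /* set when the simulated free has run */
    bool overflow_seen;  /* set when the checked path catches an overflow */
};

/* Unprotected increment: silently wraps, like a plain atomic_inc(). */
static void obj_get_unchecked(struct object *o)
{
    uint16_t u = (uint16_t)o->usage;            /* unsigned wrap is well defined */
    o->usage = (refcount_t)(uint16_t)(u + 1u);
}

/* Increment in the spirit of PAX_REFCOUNT: detect signed overflow, refuse to
 * wrap, leave the count pinned at its maximum and record the event. The real
 * kernel logs "refcount overflow detected" and kills the task at this point;
 * here the caller just gets false back. */
static bool obj_get_checked(struct object *o)
{
    refcount_t next;
    if (__builtin_add_overflow(o->usage, 1, &next)) {
        o->overflow_seen = true;
        return false;
    }
    o->usage = next;
    return true;
}

/* Decrement-and-test: the object is freed when the count reaches zero, the
 * way key_put() behaves via atomic_dec_and_test(). */
static void obj_put(struct object *o)
{
    if (!o->freed && --o->usage == 0)
        o->freed = true;
}

/* Scenario (constructed): one legitimate holder owns a reference (usage starts
 * at 1); a buggy code path then takes `leaks` extra references that are never
 * released; afterwards an unrelated user takes and drops one reference.
 * Returns true if the object was freed while the legitimate holder still
 * pointed at it, i.e. the use-after-free condition the help text describes. */
static bool simulate(unsigned leaks, bool checked, struct object *o)
{
    o->usage = 1;
    o->freed = false;
    o->overflow_seen = false;

    for (unsigned i = 0; i < leaks; i++) {
        if (checked)
            (void)obj_get_checked(o);   /* overflow attempts are refused */
        else
            obj_get_unchecked(o);
    }

    /* Unrelated user: with a count wrapped to 0, its get/put pair frees the
     * object; with a pinned count its get is refused and nothing is freed. */
    if (checked) {
        if (obj_get_checked(o))
            obj_put(o);
    } else {
        obj_get_unchecked(o);
        obj_put(o);
    }
    return o->freed;   /* the original holder never released its reference */
}

/* Small wrappers so each result is available as a return value. */
static bool uaf_possible(unsigned leaks, bool checked)
{
    struct object o;
    return simulate(leaks, checked, &o);
}

static int usage_after(unsigned leaks, bool checked)
{
    struct object o;
    (void)simulate(leaks, checked, &o);
    return o.usage;
}

int main(void)
{
    /* 65535 leaked references wrap a 16-bit count from 1 back to 0. */
    printf("unchecked: usage=%d use-after-free=%s\n",
           usage_after(65535, false), uaf_possible(65535, false) ? "yes" : "no");
    printf("checked:   usage=%d use-after-free=%s (count pinned, object leaked)\n",
           usage_after(65535, true), uaf_possible(65535, true) ? "yes" : "no");
    return 0;
}
```

Compile with gcc or clang and run. The same shape is visible in the Code: bytes of the oops above: each lock inc (`f0 ff 00`) or lock dec (`f0 ff 08`) is followed by a `71 05` (jno) over a `cd 04` (int $4), and in the first dump an overflowing `f0 ff 80 d8 00 00 00` (lock inc) is undone by a `f0 ff 88 d8 00 00 00` (lock dec) before the `cd 04`. That int $4 overflow trap is what produced the "refcount overflow detected" lines.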

The second layer is Trusted Path Execution (TPE). From its config help text:


If you say Y here, you will be able to choose a gid to add to the supplementary groups of users you want to mark as “untrusted.” These users will not be able to execute any files that are not in root-owned directories writable only by root. If the sysctl option is enabled, a sysctl option with name “tpe” is created

The exploit attempt is stopped by TPE before it even runs, and logged:

[Fri Jan 22 03:50:48 2016] grsec: From IP.ADDRESS: denied untrusted exec (due to being in untrusted group and file in world-writable directory) of /tmp/cve20160728 by /tmp/cve20160728 uid/euid:1017/1017 gid/egid:1017/1017, parent /bin/bash uid/euid:1017/1017 gid/egid:1017/1017
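As an added example (not grsecurity's own code), here is the TPE directory rule quoted above written out as a small C check: an untrusted user may only execute a file whose directory is owned by root and not writable by group or others. The constructed cases mirror the log line: /tmp is root-owned but world-writable (the sticky bit does not change that), which is exactly the "file in world-writable directory" reason logged above. The function names are mine; the last case in main() does a live stat() of /tmp on the host it runs on.

```c
#include <libgen.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Added example: the core TPE rule as a pure check over a directory's owner
 * and mode bits. grsecurity applies this to the directory that contains the
 * file being executed, for users in the untrusted group. */
static bool tpe_dir_trusted(uid_t dir_uid, mode_t dir_mode)
{
    if (dir_uid != 0)
        return false;                         /* must be root-owned */
    if (dir_mode & (S_IWGRP | S_IWOTH))
        return false;                         /* writable only by root */
    return true;
}

/* Convenience wrapper: stat the directory holding `path` and apply the rule.
 * A failed stat() counts as denied (fail closed). */
static bool tpe_exec_allowed(const char *path)
{
    char buf[4096];
    struct stat st;

    strncpy(buf, path, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    if (stat(dirname(buf), &st) != 0)
        return false;
    return tpe_dir_trusted(st.st_uid, st.st_mode);
}

int main(void)
{
    /* Constructed cases; uid 1017 is the user from the log line. */
    printf("root-owned 0755 dir  : %s\n", tpe_dir_trusted(0, 0755)     ? "allowed" : "denied");
    printf("root-owned 1777 dir  : %s\n", tpe_dir_trusted(0, 01777)    ? "allowed" : "denied");
    printf("user-owned 0755 dir  : %s\n", tpe_dir_trusted(1017, 0755)  ? "allowed" : "denied");
    printf("/tmp/cve20160728     : %s (live stat of /tmp on this host)\n",
           tpe_exec_allowed("/tmp/cve20160728") ? "allowed" : "denied");
    return 0;
}
```

On a default Linux install the live case prints "denied", because /tmp is mode 1777: the S_IWOTH bit is set, so the check fails regardless of who owns the file itself, which is why the log reports the denial even though the user owns /tmp/cve20160728.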

So, here we have two independent ways grsecurity stops this exploit, thanks!

Tags: grsec,exploit,0day.