CVE-2022-2590: Linux kernel privilege escalation vulnerability

A newly discovered flaw in the Linux kernel can be leveraged to write malicious code directly into running processes.

Tracked as CVE-2022-2590, the vulnerability allows a local, unprivileged attacker to gain write access to read-only memory mappings and thereby escalate privileges on the system. The flaw lies in how the kernel handles copy-on-write (COW) breaking of private read-only mappings of shared memory.

An unprivileged user can modify the content of a shmem (tmpfs) file even without write permission on the underlying file. Since that file could be an executable, considerations similar to those for Dirty COW (CVE-2016-5195) apply.

Linux >= v5.16 is affected on x86-64 and aarch64 if the kernel is compiled with CONFIG_USERFAULTFD=y. For Linux < v5.19, reverting the problematic commit is sufficient, and the revert applies with only minor contextual conflicts.
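As an added triage helper (not part of the advisory, the kernel project or the researcher's PoC), the following POSIX shell script applies the conditions just stated to a host: kernel 5.16 or later on x86_64 or aarch64 with CONFIG_USERFAULTFD=y. It assumes the kernel config is readable from /proc/config.gz or /boot/config-<release>; a "yes" means only that the kernel is inside the advisory's affected range, not that it is unpatched, because distributions backport fixes without changing the major.minor version.

```shell
#!/bin/sh
# Added triage helper, not from the advisory or the kernel project. It
# applies the affected-range conditions stated above: kernel >= 5.16,
# x86_64/aarch64, CONFIG_USERFAULTFD=y. "yes" means in-range, not unpatched.

# kernel_ge <uname -r string> <major.minor>: true if release >= target
kernel_ge() {
    v=${1%%[!0-9.]*}                 # "5.15.0-76-generic" -> "5.15.0"
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    tmajor=${2%%.*}; trest=${2#*.}; tminor=${trest%%.*}
    if [ "$major" -gt "$tmajor" ]; then return 0; fi
    if [ "$major" -eq "$tmajor" ] && [ "$minor" -ge "$tminor" ]; then return 0; fi
    return 1
}

# uffd_enabled <kernel .config file>: true if CONFIG_USERFAULTFD=y is set
uffd_enabled() {
    grep -q '^CONFIG_USERFAULTFD=y$' "$1"
}

# in_affected_range <release> <arch> <.config>: prints yes/no, true on yes
in_affected_range() {
    case "$2" in
        x86_64|aarch64) ;;
        *) echo no; return 1 ;;
    esac
    if kernel_ge "$1" 5.16 && uffd_enabled "$3"; then
        echo yes; return 0
    fi
    echo no; return 1
}

# check_host: apply the test to the running kernel; the config is read from
# /proc/config.gz (needs CONFIG_IKCONFIG_PROC) or /boot/config-<release>
check_host() {
    rel=$(uname -r); arch=$(uname -m); cfg=$(mktemp)
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$cfg"
    elif [ -r "/boot/config-$rel" ]; then
        cat "/boot/config-$rel" > "$cfg"
    else
        rm -f "$cfg"; echo "no kernel config found for $rel"; return 2
    fi
    res=$(in_affected_range "$rel" "$arch" "$cfg" || true); rm -f "$cfg"
    echo "$rel ($arch): in CVE-2022-2590 affected range = $res"
}

# Usage: sh triage.sh --run   (with no argument the script only defines functions)
if [ "${1:-}" = "--run" ]; then check_host; fi
```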

“Right now, it would be sufficient to have some code that sets a PTE of a R/O-mapped shared page dirty, in order for it to erroneously become writable by FOLL_FORCE. The implications of setting a write-protected PTE dirty might not be immediately obvious to everyone,” reads the post on the kernel mailing list archive.

“And in fact ever since commit 9ae0f87d009c (“mm/shmem: unconditionally set pte dirty in mfill_atomic_install_pte”), we can use UFFDIO_CONTINUE to map a shmem page R/O while marking the pte dirty. This can be used by unprivileged user space to modify tmpfs/shmem file content even if the user does not have write permissions to the file — Dirty COW restricted to tmpfs/shmem (CVE-2022-2590).”

The vulnerability allows an attacker to modify any running process that is readable. Even if the process itself is not readable, cat /proc/{pid}/maps can be used to find out whether readable ELF modules have been loaded into it. On Android, the same technique lets an actor dynamically modify an Android Runtime (ART) process: as long as the attacker can run an application on a vulnerable device, they can modify a readable process, inject code, and take control of the context of any process.

By leveraging this flaw, an actor is no longer limited to reading and writing files but can also write code directly into memory. A successful attack could therefore yield root access without causing a crash or requiring a device reboot.

Update: August 15th

Today the researcher released a simple PoC. When run without arguments, it tests against a memfd that is sealed for writes. Users should upgrade to a fixed kernel: upstream, 5.18-stable, or 5.19-stable.