Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

XNU VM copy-on-write bypass due to incorrect shadow creation logic during unaligned vm_map_copy operations - 1081

Ian Beer - Project Zero (P0), posted 3 years ago
  • Copy on Write is kernel functionality (in Linux, XNU and others) for only copying memory once it has been written to after a fork. This is a major optimization, since forked code can reuse memory from the parent process. The copy only occurs once a write to the address space occurs.
  • The function vm_map_copy_overwrite handles large copies with two different routes: unaligned and aligned. On the unaligned route, an extra condition checks whether the mapping has VM_PROT_WRITE. If it does, a shadow copy of the page is created only once the mapping is writable.
  • The VM_PROT_WRITE condition should NOT be reachable, since this code runs later in the chain: a mapping with needs_copy set and VM_PROT_WRITE should not be possible. However, this can be raced! If the page mapping is changed away from VM_PROT_WRITE after the verification in the upper code path but BEFORE the shadow copy call, this condition is hit.
  • How can we exploit this?
    1. Start a privileged process.
    2. Fork from the process with readable regions, such as the code sections.
    3. Use the vulnerability above with unaligned mappings to make the address mappings editable.
    4. Edit the code from the privileged process! This can be used to get root relatively easily, I would guess.
  • Overall, I love this vulnerability. This is a major memory corruption vulnerability that would NOT have been picked up by Rust, since the page mapping handling is a logic bug rather than a memory-safety error. A good explanation of this can be found at DayZeroSec as well.