Linux: UAF read: SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect())
We discussed this vulnerability during Episode 102 on 23 November 2021
A race condition in the Linux kernel leading to a use-after-free. The SO_PEERCRED and SO_PEERGROUPS socket options don't take a reference on, or hold a lock around, sk->sk_peer_cred while copying it to userspace. Other paths that use (or free) sk_peer_cred, such as the unix stream connect and unix listen paths, can free the sk_peer_cred object before or while it's being copied. This leads to information disclosure via a UAF read. It's theoretically possible to also obtain an out-of-bounds write to userspace memory via SO_PEERGROUPS, but Jann Horn notes that path wouldn't be viable for LPE, as an attacker wouldn't have the necessary privileges to switch out the sk_peer_cred on that socket.
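An added illustration, not from the episode notes or the kernel source: a small user-space C model of the two reader patterns described above. peer_cred_raw is the vulnerable pattern (dereference sk_peer_cred with no reference held), peer_cred_get is the fixed pattern (pointer read and get_cred under a per-socket lock, copy out only after the lock is dropped). Struct and function names are constructed; the lock-plus-reference shape follows the upstream fix as I understand it, and a freed flag stands in for free() so the object's lifetime can be checked.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Constructed model of the refcounted peer credential (struct cred). */
struct cred {
    atomic_int refcount;
    unsigned int uid;
    int freed;                  /* set instead of free() so lifetime stays observable */
};
/* Constructed model of the socket fields involved in the race. */
struct sock {
    atomic_flag peer_lock;      /* models sk_peer_lock: guards pointer read + get_cred() */
    struct cred *peer_cred;     /* models sk->sk_peer_cred */
};
static void lock(struct sock *sk) { while (atomic_flag_test_and_set(&sk->peer_lock)) {} }
static void unlock(struct sock *sk) { atomic_flag_clear(&sk->peer_lock); }
struct cred *cred_alloc(unsigned int uid) {
    struct cred *c = calloc(1, sizeof *c);
    if (!c) abort();
    atomic_init(&c->refcount, 1);
    c->uid = uid;
    return c;
}
struct cred *get_cred(struct cred *c) { atomic_fetch_add(&c->refcount, 1); return c; }
void put_cred(struct cred *c) { if (atomic_fetch_sub(&c->refcount, 1) == 1) c->freed = 1; }
void sock_init(struct sock *sk, struct cred *c) { atomic_flag_clear(&sk->peer_lock); sk->peer_cred = c; }
/* Writer side (the unix listen()/connect() paths): publish a new cred, drop the old one. */
void sock_set_peer_cred(struct sock *sk, struct cred *newc) {
    lock(sk);
    struct cred *old = sk->peer_cred;
    sk->peer_cred = newc;
    unlock(sk);
    if (old) put_cred(old);     /* freed unless a reader still holds a reference */
}
/* Vulnerable reader: raw pointer, no reference. A concurrent writer can free the
 * object before or while the copy to userspace runs (the UAF read). */
struct cred *peer_cred_raw(struct sock *sk) { return sk->peer_cred; }
/* Fixed reader: pointer read and get_cred() happen together under the lock; the
 * copy to userspace (which may sleep) runs only after the lock is dropped. */
struct cred *peer_cred_get(struct sock *sk) {
    lock(sk);
    struct cred *c = get_cred(sk->peer_cred);
    unlock(sk);
    return c;
}
unsigned int sock_copy_peer_uid(struct sock *sk) {  /* SO_PEERCRED-style read */
    struct cred *c = peer_cred_get(sk);
    unsigned int uid = c->uid;  /* stands in for copy_to_user() */
    put_cred(c);
    return uid;
}
```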