Linux: UAF read: SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect())

We discussed this vulnerability as part of our weekly podcast on 24 November 2021

Race UAF in the Linux kernel. The SO_PEERCRED and SO_PEERGROUPS socket options copy sk->sk_peer_cred to userspace without taking a reference on the cred object or holding a lock. Other code paths that replace (and free) sk_peer_cred, such as the unix stream connect and unix listen paths, can free the cred object before or while it is being copied. This leads to information disclosure via a UAF read. It is theoretically also possible to obtain an out-of-bounds write to userspace memory via SO_PEERGROUPS, but Jann Horn notes that this path would not be viable for LPE, since an attacker would not have the privileges needed to swap out the sk_peer_cred on that socket.
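To make the ownership problem concrete, here is an added userspace model of the race (not kernel code and not from the original write-up): a getsockopt-style reader that grabs a raw pointer is interleaved with a listen-style swap that drops the old cred, beside the fixed pattern that pins the cred under a lock before copying, which is the same approach the upstream fix takes. The struct layouts, the lock helpers and the `freed` marker are assumptions of this model.

```c
/* Model of the sk_peer_cred race. Names mirror the kernel's (sk_peer_cred,
 * get_cred, put_cred) but the structs and the 'freed' marker are model-only. */
struct cred { int usage; unsigned int uid; int freed; }; /* freed: stands in for kfree() */
struct sock { struct cred *sk_peer_cred; int sk_peer_lock; };

static struct cred *get_cred(struct cred *c) { c->usage++; return c; }
static void put_cred(struct cred *c) { if (--c->usage == 0) c->freed = 1; }
static void lock(struct sock *sk)   { sk->sk_peer_lock = 1; }   /* assumed helper */
static void unlock(struct sock *sk) { sk->sk_peer_lock = 0; }   /* assumed helper */

/* Model of the listen()/connect() paths: install a fresh peer cred, drop the old one. */
static void swap_peercred(struct sock *sk, struct cred *fresh, int fixed)
{
    if (fixed) lock(sk);
    struct cred *old = sk->sk_peer_cred;
    sk->sk_peer_cred = get_cred(fresh);
    if (fixed) unlock(sk);
    put_cred(old);                    /* frees 'old' unless someone else holds a reference */
}

/* Model of SO_PEERCRED, split at the point where the swap can interleave.
 * Returns the uid that would be copied to userspace, or -1 when the model
 * detects that the cred was already freed (the UAF read). */
static int getsockopt_peercred(struct sock *sk, struct cred *fresh, int fixed)
{
    struct cred *cred;
    if (fixed) {                      /* fixed pattern: pin the cred under the lock */
        lock(sk);
        cred = get_cred(sk->sk_peer_cred);
        unlock(sk);
    } else {
        cred = sk->sk_peer_cred;      /* vulnerable pattern: raw pointer, no reference */
    }
    swap_peercred(sk, fresh, fixed);  /* the race window: listen()/connect() runs here */
    int uid = cred->freed ? -1 : (int)cred->uid;
    if (fixed) put_cred(cred);        /* our reference was the only thing keeping it alive */
    return uid;
}

/* Drives one interleaving; returns what the copy to userspace would observe. */
int run_race(int fixed)
{
    struct cred original = { .usage = 1, .uid = 1000, .freed = 0 }; /* constructed sample */
    struct cred fresh    = { .usage = 1, .uid = 0,    .freed = 0 };
    struct sock sk = { .sk_peer_cred = &original, .sk_peer_lock = 0 };
    return getsockopt_peercred(&sk, &fresh, fixed);
}
```

With `fixed` set to 0 the reader observes a freed cred (the model returns -1); with `fixed` set to 1 it reads the original uid and the cred is only released after the copy completes.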