Full Report
The bug report for CVE-2022-42703 by Jann Horn describes a use-after-free on struct anon_vma in the memory management (MM) subsystem of the Linux kernel. The vulnerability is extremely complex and particular to the subsystem. From reading the bug report, there appears to be an incorrect assumption made about reference counting for VMA objects that trickles down into other portions of code, and this bad logic leads to a use-after-free. By triggering the vulnerability, folio->mapping can be left holding a dangling reference to an anon_vma object. By calling madvise(..., MADV_PAGEOUT), the access to the anon_vma can be repeated while the object is in the freed state.

Within the structure are several pointers. The route the author chose for exploitation was to fill this with addresses and corrupt them: after some primitive hunting, the function down_read_trylock() would corrupt the memory at a chosen address. To get this to work, though, we need to be able to supply our fake structure. Since anon_vma belongs to its own kmalloc cache, it is not simple to free and reclaim. The author points to a known technique: free all of the objects in the slab page, flush the per-CPU freelist, and cause the virtual memory to be sent back to the regular allocator. With a spray, we can then control the contents.

The arbitrary write had constraints on the write that would occur. It would increment the value by 0x100 if the 3 least significant bits and the most significant bit were set. Later, the value will be decremented back down, so the primitive has real limitations. We also do not know the KASLR slide, which makes this even harder. On x86_64 Linux, when the CPU handles interrupts and exceptions, it switches to a dedicated stack that is mapped at static, non-randomized virtual addresses. This has been exploited in the past so that an exploit does not need knowledge of the KASLR slide. What is the game plan, then? Force an interrupt to occur.

Once this happens, we can use our arbitrary write to corrupt the registers saved in the stack frame in the kernel context. The author chose to interrupt a call to copy_user since the data is controllable and there is a length value in a consistent register (RCX) that we can overwrite. It turns out that there is an interrupt for hardware breakpoints that is easy to trigger. So, the author wrote code to trigger this exploit method:

1. Set up two processes, X and Y. Y is the original and X will ptrace Y.
2. Set a hardware breakpoint at a known address in Y.
3. Make a large number of uname requests, because copy_to_user is used throughout.
4. Trigger the breakpoint in the code for Y. This causes the location to be saved for the code's stack frame.
5. Slightly after the frame is saved, use the UAF to write to the saved length value in process Y's stack frame.

The technique above works for reading out too much data. For reading a stack buffer to userland, this can be used to defeat the KASLR slide and stack cookies. If the technique is inverted, it can be used to write too many bytes to the kernel as well. The target of this was prctl, to create a stack overflow where none existed before. Since the read leaks the stack cookie and the KASLR slide, it is trivial to bypass both mitigations! Now we can start a ROP chain.

To mitigate this, they suggested randomizing these areas of memory. They do note that the mitigation doesn't work for local users (only remote), since a TLB timing side-channel can still be used. Overall, an interesting technique in Linux exploitation. It's cool to see such a powerful primitive discovered that can be used in other locations.
Analysis Summary
# Vulnerability: Use-After-Free on struct anon_vma in Linux MM Subsystem
## CVE Details
- **CVE ID:** CVE-2022-42703
- **CVSS Score:** 7.8 (High) - *Based on typical local privilege escalation metrics*
- **CWE:** CWE-416 (Use After Free)
## Affected Systems
- **Products:** Linux Kernel
- **Versions:** Vulnerable prior to the fix on September 5, 2022 (introduced in commit `7a3ef208e662f`).
- **Configurations:** Systems running x86_64 architecture are particularly susceptible to the stack-based exploitation technique described.
## Vulnerability Description
The flaw exists in the Memory Management (MM) subsystem. An incorrect assumption regarding reference counting for Virtual Memory Area (VMA) objects allows a `folio->mapping` to retain a dangling pointer to a `struct anon_vma` after it has been freed. By manipulating page state (specifically with `madvise(..., MADV_PAGEOUT)`), an attacker can trigger repeated accesses to this freed object. Because `anon_vma` has its own dedicated kmalloc cache, the author used slab-page flushing techniques to return the memory to the page allocator, then reclaimed it via a pipe buffer spray to gain control over the structure's contents.
## Exploitation
- **Status:** PoC developed and documented by Google Project Zero.
- **Complexity:** High (Requires deep knowledge of Linux MM, slab internals, and x86 Interrupt Stack Table behavior).
- **Attack Vector:** Local (Requires the ability to execute code to trigger madvise and ptrace).
## Impact
- **Confidentiality:** High (Ability to leak KASLR slides and stack cookies).
- **Integrity:** High (Arbitrary write primitives allow for ROP chain execution and kernel context hijacking).
- **Availability:** High (Kernel panic or system instability during exploitation).
## Remediation
### Patches
- Fixed in the mainline Linux kernel as of **September 5, 2022**.
- Patch Commit: `7a3ef208e662f` (and subsequent related stability fixes).
### Workarounds
- **Randomization of IST stacks:** Proposed mitigations involve randomizing the location of the Interrupt Stack Table (IST) to prevent static address targeting.
- **Note:** These do not fully stop local attackers who can use TLB timing side-channels to locate the stacks.
## Detection
- **Indicators of Compromise:** High frequency of `uname` syscalls (used in the PoC to trigger `copy_to_user`), unusual `madvise` patterns, and heavy use of `ptrace` on self/child processes.
- **Detection methods:** Monitor for crashes in `folio_lock_anon_vma_read` or unexpected page faults in the kernel memory management subsystem.
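As an added illustration of the indicators listed above (this is not Project Zero's code nor part of the original report), the script below parses constructed, simplified syscall-trace lines and flags a process that shows all three signals together: a burst of `uname` calls, `madvise(MADV_PAGEOUT)`, and being under `ptrace` by another process. The line format, the thresholds and the sample PIDs are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque

# Assumed trace format: "<ts> pid=<pid> syscall=<name> [key=value ...]".
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) pid=(?P<pid>\d+) syscall=(?P<sc>\w+)(?P<rest>.*)$")
UNAME_BURST = 100      # uname calls inside WINDOW seconds that count as a burst (assumed)
WINDOW = 1.0           # sliding-window length in seconds (assumed)

# Constructed sample trace (not captured from a real system): pid 4243 is
# ptraced by 4242, pages itself out and hammers uname; pid 7 is benign noise.
SAMPLE_LOG = "\n".join(
    ["1000.000 pid=4242 syscall=ptrace req=PTRACE_ATTACH target=4243",
     "1000.001 pid=4242 syscall=ptrace req=PTRACE_POKEUSER target=4243",
     "1000.010 pid=4243 syscall=madvise advice=MADV_PAGEOUT"]
    + [f"{1000.02 + i / 1000:.3f} pid=4243 syscall=uname" for i in range(300)]
    + ["1001.500 pid=7 syscall=uname",
       "1001.600 pid=7 syscall=madvise advice=MADV_DONTNEED",
       "garbage line that does not parse"])

def parse(log_text):
    """Yield (ts, pid, syscall, rest) for each well-formed line; skip junk."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m["ts"]), int(m["pid"]), m["sc"], m["rest"]

def analyze(log_text):
    """Return {pid: set of indicator names} for every pid that raised at least one."""
    indicators = defaultdict(set)
    recent_uname = defaultdict(deque)          # pid -> uname timestamps inside WINDOW
    for ts, pid, sc, rest in parse(log_text):
        if sc == "uname":
            q = recent_uname[pid]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # evict events that fell out of the window
                q.popleft()
            if len(q) >= UNAME_BURST:
                indicators[pid].add("uname_burst")
        elif sc == "madvise" and "advice=MADV_PAGEOUT" in rest:
            indicators[pid].add("madv_pageout")
        elif sc == "ptrace":
            m = re.search(r"target=(\d+)", rest)
            if m:                              # record both ends of the tracer/tracee pair
                indicators[int(m.group(1))].add("ptraced")
                indicators[pid].add("tracer")
    return dict(indicators)

def suspicious_pids(log_text):
    """PIDs showing all three indicators from the detection section above."""
    needed = {"uname_burst", "madv_pageout", "ptraced"}
    return sorted(pid for pid, ind in analyze(log_text).items() if needed <= ind)

if __name__ == "__main__":
    print(suspicious_pids(SAMPLE_LOG))
```

Any single indicator is common on a healthy system; the point of the correlation is that the write-up's PoC needs all three on one tracee, so alerting only on the conjunction keeps the false-positive rate tolerable.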
## References
- Google Project Zero Blog: hxxps[://]projectzero[.]google[.]com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack[.]html
- Linux Kernel Mailing List / Commit: hxxps[://]git[.]kernel[.]org/pub/scm/linux/kernel/git/torvalds/linux[.]git/commit/?id=7a3ef208e662f
- LWN anon_vma Documentation: hxxps[://]lwn[.]net/Articles/383162/