Editing Vulnerabilities
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1,021: | Line 1,021: | ||
The bug was patched in PS4 FW 12.00 by adding some mutexes in bnet_netevent functions | The bug was patched in PS4 FW 12.00 by adding some mutexes in bnet_netevent functions | ||
---- | |||
=== FW <= ?11.52? - umtx UaF (yielding arbitrary kernel R/W) (CVE-2024-43102) === | |||
==== Credits ==== | |||
* Rebecca Cran for discovering the bug in umtx (2023-05-07) | |||
* Synacktiv for finding and disclosing publicly the vulnerability (2024-09-04) | |||
* Olivier Certner for fixing the bug (2024-09-04), kib for reviewing the bug fix (2024-09-04), Ed Maste for approving the bug fix commit (2024-09-04) | |||
==== Analysis ==== | |||
* [https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271300 Crash report by Rebecca Cran (2023-05-07)] | |||
* [https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc FreeBSD Security Advisory for CVE-2024-43102 (2024-09-04)] | |||
* [https://cgit.freebsd.org/src/commit/?id=62f40433ab47ad4a9694a22a0313d57661502ca1 Fix commit (2024-09-04)] | |||
* [https://securityonline.info/freebsd-issues-urgent-security-advisory-for-cve-2024-43102-cvss-10/ Vulnerability press release (2024-09-09)] | |||
==== Bug Description ==== | |||
The _umtx_op(2) system call provides support for the implementation of synchronization primitives between threads, and is used by the 1:1 Threading Library (libthr, -lthr) to implement IEEE Std 1003.1-2001 (POSIX.1-2001) pthread locks, like mutexes, condition variables and so on. In particular, its UMTX_OP_SHM operation provides support for anonymous shared memory associated to a particular physical address, which is used to implement process-shared mutexes (PTHREAD_PROCESS_SHARED). | |||
Concurrent removals of such a mapping by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. | |||
umtx_shm_unref_reg_locked() would unconditionally drop the "registry" reference, tied to USHMF_LINKED. | |||
This is not a problem for caller umtx_shm_object_terminated(), which operates under the 'umtx_shm_lock' lock end-to-end, but it is for indirect caller umtx_shm(), which drops the lock between umtx_shm_find_reg() and the call to umtx_shm_unref_reg(true) that deregisters the umtx shared region (from 'umtx_shm_registry'; umtx_shm_find_reg() only finds registered shared mutexes). | |||
Thus, two concurrent user-space callers of _umtx_op() with UMTX_OP_SHM and flags UMTX_SHM_DESTROY, both progressing past umtx_shm_find_reg() but before umtx_shm_unref_reg(true), would then decrease twice the reference count for the single reference standing for the shared mutex's registration. | |||
A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape. | |||
==== Exploit Implementation ==== | |||
* No implementation for now. | |||
==== Patched ==== | |||
'''Maybe'''. PS4 is maybe not affected even though PS5 is. A PoC and/or code diff is required to confirm that PS4 is not vulnerable. | |||
---- | ---- | ||