In 2017, McAfee researchers disclosed a memory corruption bug in the Linux kernel’s UDP fragmentation offload (UFO) code that let a local, unprivileged user escalate privileges. The bug affected both the IPv4 and IPv6 code paths; it was demonstrated on Ubuntu 16.04 (xenial) running kernel 4.8.0 and was fixed upstream in commit 85f1bd9.
Now Google’s Project Zero team has shared details of a similar but much simpler bug that can lead to complete system compromise. The researchers described it as a “straightforward Linux kernel locking bug” and exploited it against Debian Buster’s 4.19.0-13-amd64 kernel.
About the Bug
According to the Project Zero blog post, the bug is in tiocspgrp(), the kernel’s handler for the TIOCSPGRP ioctl, which sets a terminal’s foreground process group. The handler replaces the pgrp member on the terminal side of the pseudoterminal pair (real_tty), dropping the reference to the old process group with put_pid() and taking a reference on the new one with get_pid().
The problem is that the lock the handler takes is on tty, which, depending on which file descriptor is passed to ioctl(), can be either end of the pseudoterminal pair, while the data it modifies always lives on real_tty. So the researchers called the TIOCSPGRP ioctl on both sides of the
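To make the locking mistake concrete, here is a small userspace model of the race. It is an added illustration written for this article, not code from the Project Zero post or from the kernel. It assumes the handler drops the old reference with put_pid() before storing the new one with get_pid(), lets two callers each drive one end of the pseudoterminal pair, and compares a "buggy" variant that locks the end the caller passed with a "fixed" variant that locks real_tty; the fixed variant and the exact step ordering are assumptions of the model.

```c
#include <stdio.h>

/* Refcounted stand-in for struct pid. A put on an already-freed pid is the
 * double put that would become a use-after-free in the real kernel. */
struct pid {
    int count;
    int freed;
    int double_put;
};

static struct pid *get_pid(struct pid *p)
{
    if (p)
        p->count++;
    return p;
}

static void put_pid(struct pid *p)
{
    if (!p)
        return;
    if (p->freed) {
        p->double_put = 1;      /* reference dropped twice */
        return;
    }
    if (--p->count == 0)
        p->freed = 1;
}

/* One end of a pseudoterminal pair. Each end has its own ctrl_lock; the
 * foreground process group is stored only on the terminal side (real_tty). */
struct tty {
    int ctrl_lock_owner;        /* 0 = unlocked, otherwise id of the holder */
    struct pid *pgrp;
};

/* An in-flight TIOCSPGRP call, advanced one step at a time so that the
 * interleaving of two callers is explicit rather than left to a scheduler. */
struct call {
    int id;
    struct tty *tty;            /* the end behind the fd passed to ioctl() */
    struct tty *real_tty;       /* the terminal side, where pgrp lives */
    struct pid *new_pgrp;
    int step;
};

/* Buggy handler locks whichever end the caller passed; the fixed one locks
 * the object it actually modifies. (Assumption of this model.) */
static struct tty *lock_target(const struct call *c, int fixed)
{
    return fixed ? c->real_tty : c->tty;
}

/* Returns 0 if blocked on a lock held by the other caller, 1 if it made
 * progress, 2 when the call has finished. */
static int step(struct call *c, int fixed)
{
    struct tty *l = lock_target(c, fixed);

    switch (c->step) {
    case 0:                     /* spin_lock_irq(&l->ctrl_lock) */
        if (l->ctrl_lock_owner != 0 && l->ctrl_lock_owner != c->id)
            return 0;
        l->ctrl_lock_owner = c->id;
        break;
    case 1:                     /* put_pid(real_tty->pgrp) */
        put_pid(c->real_tty->pgrp);
        break;
    case 2:                     /* real_tty->pgrp = get_pid(pgrp) */
        c->real_tty->pgrp = get_pid(c->new_pgrp);
        break;
    case 3:                     /* spin_unlock_irq(&l->ctrl_lock) */
        l->ctrl_lock_owner = 0;
        break;
    default:
        return 2;
    }
    c->step++;
    return c->step == 4 ? 2 : 1;
}

/* Two callers, one holding the master fd and one the slave fd, both target
 * the same real_tty. They are stepped in strict alternation. Returns 1 if the
 * old process group's reference was dropped twice. */
static int simulate_race(int fixed)
{
    struct pid old = { 1, 0, 0 }, pa = { 1, 0, 0 }, pb = { 1, 0, 0 };
    struct tty master = { 0, NULL };
    struct tty slave = { 0, &old };         /* real_tty for both callers */
    struct call a = { 1, &master, &slave, &pa, 0 };
    struct call b = { 2, &slave, &slave, &pb, 0 };
    int ra = 1, rb = 1;

    while (ra != 2 || rb != 2) {
        if (ra != 2)
            ra = step(&a, fixed);
        if (rb != 2)
            rb = step(&b, fixed);
    }
    return old.double_put;
}

int main(void)
{
    printf("lock on tty (buggy):      double put = %d\n", simulate_race(0));
    printf("lock on real_tty (fixed): double put = %d\n", simulate_race(1));
    return 0;
}
```

In the buggy variant both callers acquire different locks, so their put_pid() calls on the same old pgrp interleave and the reference count drops one too many; with the lock on real_tty the second caller blocks until the first has stored its new group, and the counts stay balanced.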