CVE-2021-4154 UAF SERIES - 001


Description

A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel’s cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system.

This marks the starting point of my UAF series for my KERNEX project’s Knowledge Base (KB) entries.

First, before diving into this vulnerability, let's understand the type of bug we're dealing with.

Understanding Use-after-free (UAFs)

I - Pointers

To better understand UAFs, it's very important to first grasp the notion of pointers, especially as they relate to memory, because that's where UAFs live.

In low-level programming, there's a notion called a pointer. What is it?

A pointer (as the name clearly gives anyone a clue) is a variable that stores the memory address of another variable, rather than holding a direct value like an integer or character. Think of a variable as a house and its value as the people living inside; a pointer is the address written on a piece of paper that tells you where that house is located in the computer’s memory.

Here’s a simpler analogy.

A basketball coach is placing each player on a particular spot or position. He draws 10 squares, one for each player. Instead of calling each player over to stand in front of a square individually, he takes ten pieces of paper and assigns each player to a square by writing the player's initials and the chosen box on the paper. Then he hands each paper to the appropriate player. So even without physically approaching the squares, each player already knows where he/she belongs.

Example and Operators

Here are two distinct examples to help understand pointers better and to differentiate between the two operators.

1. Address-of Operator ( & ): this operator retrieves the memory address of a variable.

int* ptr = &myVar;

Now ptr stores the address of myVar.

2. Dereference Operator ( * ): this operator allows you to access the value stored at the address a pointer holds.

int value = *ptr;

The value now equals the content of myVar.

In programming, a pointer doesn’t just say “this is your square.” It also allows the “coach” (the function) to reach into that square and change what’s inside. For example, if the coach has a pointer to Square 5, he can send a message: “Whoever is in Square 5, put on a red jersey.” The coach doesn’t need to know the player’s name; he just needs the address of the square they are standing in.

This is exactly how a pointer works.
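The coach-and-squares analogy above, written out as an added C example (not code from the original post): the address-of operator hands out the "paper" for Square 5, the dereference operator reaches into the square to change the jersey, and the release routine shows the defensive habit that prevents the pointer from dangling once the floor is freed. The struct and function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A "square" on the coach's floor: who stands there and what they wear. */
struct square {
    char initials[4];
    char jersey[8];
};

/* Address-of (&): the coach writes the square's address on a paper. */
struct square *assign_square(struct square *floor, int idx, const char *initials) {
    struct square *paper = &floor[idx];              /* & takes the address */
    strncpy(paper->initials, initials, sizeof paper->initials - 1);
    paper->initials[sizeof paper->initials - 1] = '\0';
    strcpy(paper->jersey, "white");
    return paper;
}

/* Dereference (* / ->): reach through the paper into the square itself. */
void change_jersey(struct square *paper, const char *colour) {
    strncpy(paper->jersey, colour, sizeof paper->jersey - 1);
    paper->jersey[sizeof paper->jersey - 1] = '\0';
}

/* Read the occupant back through the same address. */
const char *occupant(const struct square *paper) { return paper->initials; }

/* Heap version of the floor, so it can be freed like kernel objects are. */
struct square *new_floor(int n) { return calloc((size_t)n, sizeof(struct square)); }

/* Freeing the floor does not erase the address on any paper already handed
   out. Nulling the caller's pointer discards the dangling address, so a
   later use fails loudly (NULL dereference) instead of silently touching
   freed memory, which is the use-after-free condition. */
void release_floor(struct square **floor) {
    free(*floor);
    *floor = NULL;
}

int main(void) {
    struct square *floor = new_floor(10);
    struct square *paper = assign_square(floor, 4, "MJ");   /* Square 5 */
    change_jersey(paper, "red");
    printf("Square 5: %s wears %s\n", occupant(paper), paper->jersey);
    release_floor(&floor);
    /* 'paper' still holds the old address: any use of it now would be a UAF. */
    return 0;
}
```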

https://cwe.mitre.org/data/definitions/416.html