Message-ID: <2e40f38b-cebb-4fea-a025-5855cb9c98cc@vdwaa.nl>
Date: Tue, 19 May 2026 21:41:07 +0200
From: Jelle van der Waa <jelle@...aa.nl>
To: oss-security@...ts.openwall.com
Subject: Re: PinTheft Linux LPE

On 19/05/2026 18:24, Sam James wrote:
> Sam James <sam@...too.org> writes:
>
>> v12-security have shared a new Linux LPE today, PinTheft [0].
>>
>> Quoting their abstract:
>>> PinTheft is a Linux local privilege escalation exploit for an RDS
>>> zerocopy double-free that can be turned into a page-cache overwrite
>>> through io_uring fixed buffers.
>>>
>>> PinTheft was discovered with V12 by Aaron Esau of the V12 security
>>> team. We duped on this bug with some other teams and a patch is
>>> available so we are releasing our PoC.
>>>
>>> The bug lived in the RDS zerocopy send
>>> path. rds_message_zcopy_from_user() pins user pages one at a time. If
>>> a later page faults, the error path drops the pages it already pinned,
>>> and later RDS message cleanup drops them again because the scatterlist
>>> entries and entry count remain live after the zcopy notifier is
>>> cleared. Each failed zerocopy send can steal one reference from the first page.
>>>
>>> The PoC uses io_uring to make that refcount bug useful. It registers
>>> an anonymous page as a fixed buffer, giving the page a FOLL_PIN bias
>>> of 1024 references. It then steals those references with failing RDS
>>> zerocopy sends, frees the page, reclaims it as page cache for a
>>> SUID-root binary, and uses the stale io_uring fixed-buffer page
>>> pointer to overwrite that page cache with a small ELF
>>> payload. Executing the SUID binary drops into a root shell.
>>>
>>> Sadly, the RDS kernel module this requires is only default on Arch
>>> Linux among the common distributions we tested.
>
> While of course I can't know what distros they tested, this does
> seem to be on in at least Fedora too? https://oracle.github.io/kconfigs/
> seems to agree with that.
Fedora seems "unaffected": CONFIG_RDS=m is set in Fedora, unlike RHEL, and the kernel module is packaged in kernel-modules-extra, which my Fedora Cloud Edition does not have pre-installed. [1] [2]

After installing kernel-modules-extra, the modprobe config file still prevents it from being loaded:

[root@...ora-44-127-0-0-2-2201 ~]# rpm -ql kernel-modules-extra | grep rds
/etc/modprobe.d/rds-blacklist.conf
/lib/modules/7.0.8-200.fc44.x86_64/kernel/net/rds/rds.ko.xz
/lib/modules/7.0.8-200.fc44.x86_64/kernel/net/rds/rds_rdma.ko.xz
/lib/modules/7.0.8-200.fc44.x86_64/kernel/net/rds/rds_tcp.ko.xz
[root@...ora-44-127-0-0-2-2201 ~]# modprobe rds
modprobe: FATAL: Module rds not found in directory /lib/modules/7.0.4-200.fc44.x86_64

[1] https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/kernel-x86_64-fedora.config#_5970
[2] https://gitlab.com/cki-project/kernel-ark/-/blob/os-build/redhat/configs/rhel/generic/CONFIG_RDS
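As an added check, not part of this thread or of the PinTheft release: a POSIX sh script that reports whether a host can end up with the rds module loaded, which is the precondition the PoC needs. It separates the three states the transcript above runs into, a module file that is absent for the running kernel, a module that modprobe.d blacklists, and a module that is merely not loaded yet. The last one matters because rds registers the net-pf-21 protocol-family alias, so an unprivileged socket(AF_RDS, ...) call autoloads an unblocked module; "not loaded" on its own is not "not exposed". Paths are the standard kernel and modprobe.d locations; every function takes optional overrides so it can be run against constructed files, and the verdict function is pure so its cases can be checked directly.

```shell
#!/bin/sh
# Added example (not from the oss-security thread or the PinTheft PoC):
# can this host end up with the rds module loaded?

# Value of CONFIG_$1 for the running kernel: y, m, n (absent or "is not set"),
# or unknown when no config is readable. $2 overrides the config file path.
kconfig_state() {
    cfg=${2:-/boot/config-$(uname -r)}
    if [ -r "$cfg" ]; then
        v=$(sed -n "s/^CONFIG_$1=//p" "$cfg")
    elif [ -r /proc/config.gz ]; then
        v=$(zcat /proc/config.gz | sed -n "s/^CONFIG_$1=//p")
    else
        echo unknown; return 0
    fi
    echo "${v:-n}"
}

# yes/no: is module $1 listed in a /proc/modules-style file ($2 overrides)?
module_loaded() {
    if grep -qsE "^$1[[:space:]]" "${2:-/proc/modules}"; then echo yes; else echo no; fi
}

# yes/no: does a $1.ko* file exist under the running kernel's module tree ($2 overrides)?
module_file_present() {
    tree=${2:-/lib/modules/$(uname -r)}
    if find "$tree" -name "$1.ko*" 2>/dev/null | grep -q .; then echo yes; else echo no; fi
}

# How the modprobe.d directories (remaining args; default /etc, /run, /usr/lib) treat $1:
#   install-blocked  "install $1 <cmd>": modprobe runs <cmd> instead of loading, so
#                    neither the kernel's alias autoload nor "modprobe rds" by root
#                    loads it (a direct insmod by root still would)
#   blacklisted      "blacklist $1": only the module's internal aliases are ignored;
#                    for rds that is net-pf-21, the alias socket(AF_RDS) requests, so an
#                    unprivileged socket() cannot autoload it, but root running
#                    "modprobe rds" by exact name still can
#   none             no rule found
modprobe_rule_for() {
    mod=$1; shift
    [ $# -gt 0 ] || set -- /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d
    rules=$(for d in "$@"; do cat "$d"/*.conf 2>/dev/null; done; :)
    if printf '%s\n' "$rules" | grep -qE "^[[:space:]]*install[[:space:]]+$mod[[:space:]]"; then
        echo install-blocked
    elif printf '%s\n' "$rules" | grep -qE "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|$)"; then
        echo blacklisted
    else
        echo none
    fi
}

# One-line verdict. Args: CONFIG_RDS state, loaded (yes/no), modprobe.d rule,
# kernel.modules_disabled (0/1/unknown), module file present (yes/no).
rds_exposure() {
    if [ "$1" = n ]; then echo "not exposed: CONFIG_RDS is not set"
    elif [ "$1" = y ]; then echo "exposed: RDS is built into the kernel"
    elif [ "$2" = yes ]; then echo "exposed: rds is already loaded"
    elif [ "$4" = 1 ]; then echo "not loadable: kernel.modules_disabled=1 and rds is not loaded"
    elif [ "$5" = no ]; then echo "not loadable: no rds module file for the running kernel"
    elif [ "$3" = install-blocked ]; then echo "blocked: install rule stops both autoload and modprobe rds"
    elif [ "$3" = blacklisted ]; then echo "not autoloadable: blacklist hides net-pf-21, root can still modprobe rds"
    else echo "exposed: socket(AF_RDS) from any user would autoload rds"
    fi
}

report() {
    cfg=$(kconfig_state RDS); loaded=$(module_loaded rds)
    file=$(module_file_present rds); rule=$(modprobe_rule_for rds)
    md=$(cat /proc/sys/kernel/modules_disabled 2>/dev/null || echo unknown)
    printf 'CONFIG_RDS=%s loaded=%s module_file=%s modprobe_rule=%s modules_disabled=%s\n' \
        "$cfg" "$loaded" "$file" "$rule" "$md"
    rds_exposure "$cfg" "$loaded" "$rule" "$md" "$file"
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it as `sh rds_check.sh --report`. The distinction the verdict draws is the one kmod documents: `blacklist rds` only drops the module's internal aliases, so the kernel's request for net-pf-21 finds nothing and socket(AF_RDS, ...) fails with EAFNOSUPPORT, while `modprobe rds` by exact name still loads it; an `install rds /bin/false` rule, or kernel.modules_disabled=1 once boot is done, stops both paths.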