Message-ID: <87bjebjwkq.fsf@gentoo.org>
Date: Tue, 19 May 2026 15:36:05 +0100
From: Sam James <sam@...too.org>
To: oss-security@...ts.openwall.com
Subject: PinTheft Linux LPE

v12-security have shared a new Linux LPE today, PinTheft [0]. Quoting their abstract:

> PinTheft is a Linux local privilege escalation exploit for an RDS
> zerocopy double-free that can be turned into a page-cache overwrite
> through io_uring fixed buffers.
>
> PinTheft was discovered with V12 by Aaron Esau of the V12 security
> team. We duped on this bug with some other teams and a patch is
> available so we are releasing our PoC.
>
> The bug lived in the RDS zerocopy send path.
> rds_message_zcopy_from_user() pins user pages one at a time. If
> a later page faults, the error path drops the pages it already pinned,
> and later RDS message cleanup drops them again because the scatterlist
> entries and entry count remain live after the zcopy notifier is
> cleared. Each failed zerocopy send can steal one reference from the
> first page.
>
> The PoC uses io_uring to make that refcount bug useful. It registers
> an anonymous page as a fixed buffer, giving the page a FOLL_PIN bias
> of 1024 references. It then steals those references with failing RDS
> zerocopy sends, frees the page, reclaims it as page cache for a
> SUID-root binary, and uses the stale io_uring fixed-buffer page
> pointer to overwrite that page cache with a small ELF payload.
> Executing the SUID binary drops into a root shell.
>
> Sadly, the RDS kernel module this requires is only default on Arch
> Linux among the common distributions we tested.

The referenced kernel module is CONFIG_RDS + CONFIG_RDS_TCP.

I attached their PoC too.

[0] https://github.com/v12-security/pocs/tree/09e835b587bf71249775654061ae4c79e92cf430/pintheft

thanks,
sam

View attachment "poc.c" of type "text/plain" (28215 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (419 bytes)
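The pin/unpin accounting described in the quoted abstract, as an added example that is not part of Sam's mail, of v12-security's abstract, or of the attached PoC: a user-space model in which a scatterlist-like record keeps its entries and entry count live after the error path has already unpinned the pages, so the later message cleanup drops them a second time. No kernel code is involved. The structure and function names (model_page, model_sg, zcopy_from_user_model, message_cleanup_model, refs_stolen_by_failed_send, sends_to_exhaust_bias), NPAGES, and the choice to fault at the second page are assumptions of the model; BIAS only mirrors the 1024-reference FOLL_PIN figure quoted above. Faulting at the second page means only the first page is ever pinned before the error path runs, which is why the model loses exactly one reference per failed send, matching the abstract. The `fix` flag shows the obvious hardening for this pattern, clearing the entries and count on the error path so cleanup has nothing to drop; whatever the actual upstream patch did is not reproduced here.

```c
/* Added example: a user-space model of the double-unpin pattern described
 * in the quoted abstract. Not kernel code and not the PoC. All names below
 * (model_page, model_sg, the *_model helpers, NPAGES) are assumed for the
 * model; BIAS mirrors the 1024-reference FOLL_PIN figure quoted in the mail. */
#include <stdio.h>
#include <string.h>

#define NPAGES 4
#define BIAS   1024

struct model_page {
    int refcount;
};

/* Scatterlist-like record of which pages one message has pinned. */
struct model_sg {
    struct model_page *pages[NPAGES];
    int nents;          /* live entry count */
    int zcopy_notifier; /* set while the zcopy path owns the pages */
};

static void page_get(struct model_page *p) { p->refcount++; }
static void page_put(struct model_page *p) { p->refcount--; }

/* Pin npages pages one at a time; the page at index fault_at "faults".
 * On a fault the error path drops what was already pinned and clears the
 * notifier. With fix == 0 the entries and count stay live (the bug pattern);
 * with fix == 1 they are cleared so the later cleanup finds nothing. */
static int zcopy_from_user_model(struct model_sg *sg, struct model_page *pages,
                                 int npages, int fault_at, int fix)
{
    memset(sg, 0, sizeof(*sg));
    sg->zcopy_notifier = 1;
    for (int i = 0; i < npages; i++) {
        if (i == fault_at) {
            for (int j = 0; j < sg->nents; j++)
                page_put(sg->pages[j]);      /* first drop: error path */
            sg->zcopy_notifier = 0;
            if (fix) {
                memset(sg->pages, 0, sizeof(sg->pages));
                sg->nents = 0;
            }
            return -1;
        }
        page_get(&pages[i]);
        sg->pages[sg->nents++] = &pages[i];
    }
    return 0;
}

/* Message cleanup: drops every entry still recorded in the scatterlist,
 * regardless of the notifier having been cleared. */
static void message_cleanup_model(struct model_sg *sg)
{
    for (int j = 0; j < sg->nents; j++)
        page_put(sg->pages[j]);            /* second drop when nents is stale */
    sg->nents = 0;
}

/* One failing send against a page that carries BIAS references; returns
 * how many references the first page lost. */
int refs_stolen_by_failed_send(int fault_at, int fix)
{
    struct model_page pages[NPAGES] = {{0}};
    struct model_sg sg;

    pages[0].refcount = BIAS;
    zcopy_from_user_model(&sg, pages, NPAGES, fault_at, fix);
    message_cleanup_model(&sg);
    return BIAS - pages[0].refcount;
}

/* Repeat failing sends (fault at the second page) until the first page's
 * reference count reaches zero; returns the number of sends needed, or -1
 * if the count never drops (as with the fix applied). */
int sends_to_exhaust_bias(int fix)
{
    struct model_page pages[NPAGES] = {{0}};
    struct model_sg sg;

    pages[0].refcount = BIAS;
    for (int n = 1; n <= 2 * BIAS; n++) {
        zcopy_from_user_model(&sg, pages, NPAGES, 1, fix);
        message_cleanup_model(&sg);
        if (pages[0].refcount == 0)
            return n;
    }
    return -1;
}

int main(void)
{
    printf("refs stolen per failed send, buggy: %d, fixed: %d\n",
           refs_stolen_by_failed_send(1, 0), refs_stolen_by_failed_send(1, 1));
    printf("failed sends to exhaust a %d-ref bias, buggy: %d, fixed: %d\n",
           BIAS, sends_to_exhaust_bias(0), sends_to_exhaust_bias(1));
    return 0;
}
```

Compiled and run as is, the buggy path reports one reference lost per failed send and 1024 failed sends to bring the modelled bias to zero, while the fixed path loses nothing and never exhausts the bias. The point of the model is the accounting, not the kernel internals: the second drop happens because the cleanup trusts a count that the error path never reset.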