162 - Edge Vulns, a SHA-3 Overflow, and an io

Multiple memory corruptions in Microsoft Edge browser, there are several issues here but they all generally can be summed up as “self-corruptions”. Its things like a use-after-free by opening a dialog, closing the backing page that spawned the dialog, and then closing the dialog triggering a callback that no longer exists. There are a number of issues I won’t summarize them all here but they all fall into that sort of bucket. They are interesting, but exploitability is limited to cases where you already have control of the browser (so no drive-by style attacks or malvertising). Interesting set of bugs and a pretty high bounty though.

An integer overflow in the official SHA-3 implementation as used by PHP, Python, Ruby and I’m sure other places. When updating a block that already has some data in it, it will try to calculate if the new partial block bytes will go out of bounds, it makes the classic mistake of adding the current index and the length of new data, then just checking if it is lower than a bounding value. If the addition overflows it will be seen as within bounds and it will add the bytes leading to a buffer overflow.

This does only happen when updating and not if all the data is passed in at once so that does slightly limit the attack surface, and since its based on data length it does require sending like 4gb of data which can be a significant ask, but as something like SHA-3 may be used on files, it is definitely possible.

At its core, a simple, yet odd Linux kernel issue, __io_req_init_async assumes that the new request (req) being submitted was submitted by its own worker, so it sets the req->work.identity to current->io_uring.

The problem is that this is not always the case, multiple tasks can submit requests to the same io_uring at the same time that can end up in the same work queue but associated with different request tasks. This then becomes a vulnerability in io_put_identity which checks if the request’s work identity matches the tasks identity. If they don’t match it uses that as a cue to mean the identity should have its ref count decremented and possibly free’d. Leading to an invalid free because of the wrong identity being used.

Definitely, an interesting primitive to have, the post continues on into exploitation locally, including some novel strategies and some challenges with the kCTF environment.