Every Linux Distribution Shipped Since 2017 Vulnerable to New Copy.Fail Exploit
A new exploit called copy.fail has emerged that can gain root on just about any Linux distribution shipped since 2017, starting from nothing more than an unprivileged user account.
The exploit is particularly scary because it doesn't rely on race conditions or tight timing windows in order to work: the underlying bug is a flaw in the actual logic of the code, so the exploit is deterministic.
According to a write-up by Xint.io, the researchers who found it, the same simple Python script works without modification on every distribution they tested, including Ubuntu, Amazon Linux, RHEL, and SUSE.
The script uses only Python's standard library, with no third-party dependencies.
It's also very stealthy. It makes no changes to disk, so disk images stay pristine and file integrity tools comparing checksums will completely miss it; in the researchers' words, only the "in-memory page cache is corrupted."
The researchers say it's also a container escape, since the page cache is shared across all processes on a system: pages corrupted from inside a container are the same pages every other process on the host reads.
The core of the vulnerability lies in AF_ALG, the socket-based interface that lets userspace programs use the kernel's cryptographic API.
A core primitive underlying this bug is splice(): it transfers data between file descriptors and pipes without copying, passing page cache pages by reference. When a user splices a file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file. The pages are not duplicated; the scatterlist entries point at the same physical pages that back every read(), mmap(), and execve() of that file. . . .
This in-place design is the root cause of the vulnerability. It places page cache pages in a writable scatterlist, separated from the legitimate write region by nothing more than an offset boundary. The design assumes every AEAD algorithm will confine its writes to the intended destination, but nothing in the API enforces this, and nothing documents it as a requirement.
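The stealth claim above, together with the write-up's point that the cached pages are what every read(), mmap() and execve() of a file sees, suggests the check a responder would want: compare what the page cache serves for a file with what is actually on disk. The C program below is an added example, not code from the Xint.io write-up or from the kernel. It assumes Linux, a writable /tmp (or current directory) for the constructed sample file it creates when run with no argument, and O_DIRECT support on the filesystem; where O_DIRECT is refused it falls back to evicting the cached pages with posix_fadvise(), which is advisory and therefore weaker. The names (compare_views, read_uncached, VIEW_CAP and so on) are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not code from the Xint.io write-up or the kernel. It compares
 * the page-cache view of a file (what read(), mmap() and execve() all see) with
 * the on-disk view read around the cache; corruption that exists only in cached
 * pages shows up as a mismatch, for as long as those pages stay resident. */

#define VIEW_CAP 65536   /* demo limit; larger files are reported as an error */

enum view_result { VIEW_MATCH = 0, VIEW_MISMATCH = 1, VIEW_ERROR = -1 };

struct view_report {
    ssize_t cached_len, disk_len;
    const char *disk_method;   /* "O_DIRECT" or "fadvise+read" */
};

/* Plain read(): served from the page cache, exactly like a checksum tool. */
static ssize_t read_cached(const char *path, unsigned char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0; ssize_t n = 0;
    while (got < cap && (n = read(fd, buf + got, cap - got)) > 0) got += (size_t)n;
    close(fd);
    return n < 0 ? -1 : (ssize_t)got;
}

/* Read around the cache. O_DIRECT goes to the backing store; if the filesystem
 * refuses it (EINVAL on tmpfs and some others) fall back to evicting the cached
 * pages with posix_fadvise() and re-reading, which is advisory only. */
static ssize_t read_uncached(const char *path, unsigned char *buf, size_t cap,
                             const char **method)
{
    int fd = open(path, O_RDONLY | O_DIRECT);
    if (fd >= 0) {
        struct stat st; void *abuf = NULL; ssize_t n = -1;
        if (fstat(fd, &st) == 0 && (size_t)st.st_size <= cap) {
            size_t want = ((size_t)st.st_size + 4095) / 4096 * 4096; /* 4 KiB alignment assumed */
            if (want == 0) n = 0;
            else if (posix_memalign(&abuf, 4096, want) == 0)
                n = pread(fd, abuf, want, 0);   /* one aligned read from offset 0 */
        }
        if (n > 0) memcpy(buf, abuf, (size_t)n);
        free(abuf); close(fd);
        if (n >= 0) { *method = "O_DIRECT"; return n; }
    }
    fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    posix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED);
    close(fd);
    *method = "fadvise+read";
    return read_cached(path, buf, cap);
}

/* Returns VIEW_MATCH, VIEW_MISMATCH or VIEW_ERROR and fills the report. */
static int compare_views(const char *path, struct view_report *r)
{
    static unsigned char cached[VIEW_CAP], disk[VIEW_CAP];
    struct stat st;
    memset(r, 0, sizeof *r);
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_size > VIEW_CAP)
        return VIEW_ERROR;
    r->cached_len = read_cached(path, cached, VIEW_CAP);
    r->disk_len = read_uncached(path, disk, VIEW_CAP, &r->disk_method);
    if (r->cached_len < 0 || r->disk_len < 0) return VIEW_ERROR;
    return (r->cached_len == r->disk_len &&
            memcmp(cached, disk, (size_t)r->cached_len) == 0) ? VIEW_MATCH : VIEW_MISMATCH;
}

/* Constructed sample file (not a real setuid target); tries /tmp, then the
 * current directory. Returns the body length and writes the path into out. */
static int make_sample_file(char *out, size_t outlen)
{
    static const char body[] = "#!/bin/sh\necho constructed sample, not a real binary\n";
    char tmpl[] = "/tmp/pcview-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) { strcpy(tmpl, "./pcview-XXXXXX"); fd = mkstemp(tmpl); }
    if (fd < 0) return -1;
    ssize_t w = write(fd, body, sizeof body - 1);
    close(fd);
    if (w != (ssize_t)(sizeof body - 1)) { unlink(tmpl); return -1; }
    snprintf(out, outlen, "%s", tmpl);
    return (int)(sizeof body - 1);
}

int main(int argc, char **argv)
{
    char path[4096];
    struct view_report r;
    if (argc > 1) snprintf(path, sizeof path, "%s", argv[1]);
    else if (make_sample_file(path, sizeof path) < 0) return 2;
    int rc = compare_views(path, &r);
    printf("%s: %s (cached %zd bytes, disk[%s] %zd bytes)\n", path,
           rc == VIEW_MATCH ? "page cache matches disk" :
           rc == VIEW_MISMATCH ? "PAGE CACHE DIFFERS FROM DISK" : "error",
           r.cached_len, r.disk_method ? r.disk_method : "-", r.disk_len);
    return rc == VIEW_MATCH ? 0 : 1;
}
```

Run it with a file path to compare both views of that file, or with no argument to check its own sample. Two caveats: the check only catches a divergence while the corrupted pages are still resident (once they are evicted both views agree again), and the posix_fadvise() fallback cannot evict pages that are mapped by a running process, so a mismatch verdict from the O_DIRECT path is the more trustworthy one.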
The bug was fixed by reverting an optimization added in 2017 that had algif_aead operate in place instead of copying the associated data into a separate buffer. The commit that fixed the issue reads:
There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
One user on Hacker News claiming to work on the Linux kernel's cryptography code expressed concern over AF_ALG existing in the first place:
As someone who works on the Linux kernel's cryptography code, the regularly occurring AF_ALG exploits are really frustrating. AF_ALG, which was added to the kernel many years ago without sufficient review, should not exist. It's very complex, and it exposes a massive attack surface to unprivileged userspace programs. And it's almost completely unnecessary, as userspace already has its own cryptography code to use. The kernel's cryptography code is just for in-kernel users (for example, dm-crypt).
Xint.io recommends updating your kernel to avoid this bug. Patched kernels are already available for Ubuntu and other distributions, so update as soon as possible; since the fix is in the kernel itself, installing the package is not enough, you also need to reboot into the patched kernel (or apply a livepatch where your distribution offers one).