@@ -80,6 +80,9 @@ Two expiry-processing modes
- CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y: expiry is deferred via task_work on the target task
- CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n: expiry handled directly in IRQ context

<details>
<summary>POSIX CPU timer run paths</summary>

```c
void run_posix_cpu_timers(void) {
struct task_struct *tsk = current;
@@ -100,8 +103,13 @@ static inline void __run_posix_cpu_timers(struct task_struct *tsk) {
#endif
```

</details>

In the IRQ-context path, the firing list is processed outside sighand

<details>
<summary>IRQ-context handling path</summary>

```c
static void handle_posix_cpu_timers(struct task_struct *tsk) {
struct k_itimer *timer, *next; unsigned long flags, start;
@@ -126,6 +134,8 @@ static void handle_posix_cpu_timers(struct task_struct *tsk) {
}
```

</details>

Root cause: TOCTOU between IRQ-time expiry and concurrent deletion under task exit
Preconditions
- CONFIG_POSIX_CPU_TIMERS_TASK_WORK is disabled (IRQ path in use)
@@ -205,6 +215,12 @@ Audit hotspots (for reviewers)
Notes for exploitation research
- The disclosed behavior is a reliable kernel crash primitive; turning it into privilege escalation typically needs an additional controllable overlap (object lifetime or write-what-where influence) beyond the scope of this summary. Treat any PoC as potentially destabilizing and run only in emulators/VMs.

### Chronomaly exploit strategy (priv-esc without fixed text offsets)
- **Tested target & configs:** x86_64 v5.10.157 under QEMU (4 cores, 3 GB RAM). Critical options: `CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n`, `CONFIG_PREEMPT=y`, `CONFIG_SLAB_MERGE_DEFAULT=n`, `DEBUG_LIST=n`, `BUG_ON_DATA_CORRUPTION=n`, `LIST_HARDENED=n`.
- **Race steering with CPU timers:** A racing thread (`race_func()`) burns CPU while CPU timers fire; `free_func()` polls `SIGUSR1` to confirm if the timer fired. Tune `CPU_USAGE_THRESHOLD` so signals arrive only sometimes (intermittent "Parent raced too late/too early" messages). If timers fire every attempt, lower the threshold; if they never fire before thread exit, raise it.
- **Dual-process alignment into `send_sigqueue()`:** Parent/child processes try to hit a second race window inside `send_sigqueue()`. The parent sleeps `PARENT_SETTIME_DELAY_US` microseconds before arming timers; adjust downward when you mostly see "Parent raced too late" and upward when you mostly see "Parent raced too early". Seeing both indicates you are straddling the window; success is expected within ~1 minute once tuned.
- **Cross-cache UAF replacement:** The exploit frees a `struct sigqueue` then grooms allocator state (`sigqueue_crosscache_preallocs()`) so both the dangling `uaf_sigqueue` and the replacement `realloc_sigqueue` land on a pipe buffer data page (cross-cache reallocation). Reliability assumes a quiet kernel with few prior `sigqueue` allocations; if per-CPU/per-node partial slab pages already exist (busy systems), the replacement will miss and the chain fails. The author intentionally left it unoptimized for noisy kernels.

### See also

{{#ref}}
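Review bot: the first bullet under "Notes for exploitation research" still says that turning the crash into privilege escalation is "beyond the scope of this summary", but the new "Chronomaly exploit strategy (priv-esc without fixed text offsets)" section added right below it now describes exactly that chain; update that sentence so the two agree (point it at the Chronomaly bullets, or drop "beyond the scope of this summary"). Two smaller points in the new section: the config list mixes prefixed and unprefixed option names (`CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n`, `CONFIG_PREEMPT=y` next to `DEBUG_LIST=n`, `BUG_ON_DATA_CORRUPTION=n`, `LIST_HARDENED=n`), and `CONFIG_LIST_HARDENED` does not exist in v5.10 (it was introduced in 6.6), so for the stated v5.10.157 target it should either be dropped or marked as relevant only to newer trees. Finally, the heading promises privilege escalation, but the bullets stop at landing `uaf_sigqueue` and `realloc_sigqueue` on a pipe buffer data page and never say how that overlap is turned into a privilege-escalation primitive; either add the final step or narrow the heading to "race and cross-cache setup".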
@@ -215,5 +231,9 @@ ksmbd-streams_xattr-oob-write-cve-2025-37947.md
- [Race Against Time in the Kernel’s Clockwork (StreyPaws)](https://streypaws.github.io/posts/Race-Against-Time-in-the-Kernel-Clockwork/)
- [Android security bulletin – September 2025](https://source.android.com/docs/security/bulletin/2025-09-01)
- [Android common kernel patch commit 157f357d50b5…](https://android.googlesource.com/kernel/common/+/157f357d50b5038e5eaad0b2b438f923ac40afeb%5E%21/#F0)
- [Chronomaly exploit PoC (CVE-2025-38352)](https://github.com/farazsth98/chronomaly)
- [CVE-2025-38352 analysis – Part 1](https://faith2dxy.xyz/2025-12-22/cve_2025_38352_analysis/)
- [CVE-2025-38352 analysis – Part 2](https://faith2dxy.xyz/2025-12-24/cve_2025_38352_analysis_part_2/)
- [CVE-2025-38352 analysis – Part 3](https://faith2dxy.xyz/2026-01-03/cve_2025_38352_analysis_part_3/)

{{#include ../../banners/hacktricks-training.md}}
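Review bot: the three new "CVE-2025-38352 analysis – Part N" entries give no author or site name, while the neighbouring entries do ("(StreyPaws)", "Android common kernel patch commit"); add the author to match the list's style. Since the new Chronomaly section summarizes the PoC README and these three posts but carries no citation of its own, consider referencing them from that section so readers can tell which bullets come from which source.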