umtx bug spams infinitely and doesn't work on any fw

[zecoxao]

i see an infinite spam of threads on 7.61 and nothing happens, help!

[hammer-83]

So couple of things:

1. It sometimes takes 1000s of iterations before stage1 gets the shm overlap.
2. Afterwards, it may or may not be able to get kernel memory.
3. If it does not - it repeats the process from the start.
4. If it does, it will do some reads from memory, print the address of kernel thread and crash.

For this reason, I suggest:

• Recompile jar loader with remote logging capabilities so you can monitor/save the output as it spews out tons of info on screen.
• Be patient, it will eventually get out of loop. Either before it reaches kernel memory or after. Either way - crash at the end is expected for now.

[hammer-83]

For reference, this is a partial output I get after the race is triggered:

[INFO] [JarLoader] [main] Number of successful destructions: 2
...
[INFO] [JarLoader] [main] Spraying and praying
...
[INFO] [JarLoader] [main] Checking for shared memory object corruption
[INFO] [JarLoader] [main] Original descriptor of primary shared memory object: 41
[INFO] [JarLoader] [main] Lookup descriptor of primary shared memory object: 41
[INFO] [JarLoader] [main] Size of primary shared memory object: 0x2b000
[INFO] [JarLoader] [main] Calculated descriptor #43
[INFO] [JarLoader] [main] Got mismatch of descriptors!
[INFO] [JarLoader] [main] Checking succeeded, winner descriptor of shared memory object: 43
[INFO] [JarLoader] [main] Closing descriptor #42 of reclaim shared memory object #0
[INFO] [JarLoader] [main] Truncating shared memory object with descriptor #43
...
[INFO] [JarLoader] Got memory corruption after 223 iterations
[INFO] [JarLoader] Doing post-exploitation
[INFO] [Thread-135] [destroyer#0] Finishing loop
[INFO] [Thread-136] [destroyer#1] Finishing loop
[INFO] [Thread-137] [lookup] Finishing loop
...
[INFO] [JarLoader] Mapping memory of shared memory object with lookup descriptor #41
[INFO] [JarLoader] Mapped address of potential kernel stack: 0x21478c000. Size: 0x4000
[INFO] [JarLoader] Protecting mapped memory of potential kernel stack
[INFO] [JarLoader] Starting reclaim threads
[INFO] [JarLoader] Reclaim threads started
[INFO] [JarLoader] Checking if reclaimed memory belongs to controlled thread
[INFO] [JarLoader] Found marker pattern in kernel stack at 0x6bc
[INFO] [JarLoader] Classifying leaked kernel addresses
[INFO] [JarLoader] Determined reclaim job index: 2
[INFO] [JarLoader] Found reclaim thread 'reclaim#2' using 1 attempts
[INFO] [JarLoader] Found potential kernel thread address: 0xffffa2c373114ce0
[INFO] [JarLoader] [main] Resetting ready flag
[INFO] [JarLoader] Joining reclaim threads
[INFO] [Thread-141] [reclaim#3] Not target thread
...
[INFO] [Thread-140] [reclaim#2] I am lucky
...
[INFO] [Thread-140] [reclaim#2] Reading from read pipe #29
[INFO] [JarLoader] [main] Attempting to unlock pipe for kernel primitives
[INFO] [JarLoader] Writing to write pipe #30
[INFO] [JarLoader] Writing to write pipe #30 finished with result 4096
[INFO] [JarLoader] [main] Pipe for kernel primitives unlocked
[INFO] [JarLoader] [main] Waiting for command processor to start up
[INFO] [Thread-140] [reclaim#2] Reading from read pipe #29 finished with result 4096
[INFO] [Thread-140] [reclaim#2] Starting command processor loop
[INFO] [JarLoader] [main] Done waiting for command processor to start up
[INFO] [JarLoader] Leaked kernel thread name: reclaim#2
[INFO] [JarLoader] Kernel thread address is correct