CVE-2022-1729 - Gaining Root via perf_event_open Race Condition in the Linux Kernel

In April 2022, researchers found a dangerous race condition in the Linux kernel’s perf_event_open() system call, assigned CVE-2022-1729. This vulnerability makes it possible for any unprivileged user (just a regular account, no sudo needed) to escalate privileges to root. Even worse, it lets attackers leak private kernel information, bypass protections like KASLR, and maybe even run arbitrary code in the kernel (arbitrary execution).

This post explains the vulnerability, shows a (simplified) code snippet for exploitation, and offers simple advice on mitigation.

What is perf_event_open?

perf_event_open() is a Linux system call. Its main job is to open a performance monitoring event. Developers and sysadmins use it for things like checking CPU cycles or cache misses.

But being a kernel interface, it’s tricky to get right. If a bug exists, the attack surface is huge — anyone can call this system call under normal system settings.

The Race Condition in the Kernel

The vulnerable code appeared in the Linux kernel’s handling of perf_event_open(). Here’s a simplified idea of the logic:

// Kernel pseudo-code (simplified)
int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu, int group_fd, unsigned long flags) {
    struct perf_event *event = alloc_event(...);
    if (!event)
        return -ENOMEM;
    // ... some more setup
    install_event_to_context(event, ctx);
    // bug: event state not properly checked here
    return event_fd(event);
}

The problem: Between allocating the new event and actually installing it into the kernel's internal event context, there’s a critical gap. If an attacker rapidly calls (and closes) perf_event_open() in carefully-timed threads, they can cause state changes that the kernel did not anticipate. This “race” can cause kernel objects to be used after they are freed, or with uninitialized data, or even with attacker-controlled pointers.

The main risk: Attackers may leverage this race window to overwrite or leak internal kernel data structures. This opens up a path to reading kernel memory (leaks), finding kernel addresses (defeating KASLR), and even writing or executing code with root privileges.

Attacker can read stale data, revealing the kernel's private memory addresses!

2. Arbitrary Execution / Privilege Escalation
   - If attacker can induce a use-after-free or double-free, they might overwrite sensitive function pointers.

Bypassing Protections

- Once addresses are leaked, kernel exploits get much easier, even if protections like KASLR, SMEP, or Supervisor Mode Access Prevention are enabled.

Example Exploit Code Snippet

The following is a greatly simplified pseudocode example. Real-world exploit code is far more complex (see links for real PoC). This demonstrates the basic idea: two threads racing perf_event_open() and close(), hoping to trigger a bug.

#include <linux/perf_event.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <pthread.h>

volatile int done = ;

void *closer_thread(void *arg) {
    int *fd = (int *)arg;
    while (!done) {
        if (*fd > )
            close(*fd);
    }
    return NULL;
}

int main() {
    struct perf_event_attr pe;
    int fd;
    pthread_t tid;

    memset(&pe, , sizeof(pe));
    pe.type = PERF_TYPE_SOFTWARE;
    pe.config = PERF_COUNT_SW_CPU_CLOCK;

    // Open the perf event
    fd = syscall(__NR_perf_event_open, &pe, , -1, -1, );

    // Start a thread to close the fd repeatedly
    pthread_create(&tid, NULL, closer_thread, &fd);

    for (int i = ; i < 100000; i++) {
        fd = syscall(__NR_perf_event_open, &pe, , -1, -1, );
        // Try to read or write data here...
    }

    done = 1;
    pthread_join(tid, NULL);
    return ;
}

This is NOT a working privilege escalation exploit but demonstrates the racing principle that's part of real ones.

For actual code, see

- PoC: github.com/AmIAHuman/cve-2022-1729

Protecting Yourself

This bug was fixed in Linux commit e144938ecfda:

`bash

echo 2 | sudo tee /proc/sys/kernel/perf_event_paranoid

`

See more about perf_event_paranoid here.

Further Reading & References

- The original upstream patch: git.kernel.org patch
- MITRE CVE entry: CVE-2022-1729
- RedHat Security Advisory
- Real PoC/Exploit: github.com/AmIAHuman/cve-2022-1729
- Linux manual on perf event: perf_event_open(2) man page
- Kernel explainer “Linux Race Conditions 101”

Conclusion

CVE-2022-1729 is a scary reminder that even tools made for debugging (like perf_event_open) can become weapons for attackers. If you’re running an older Linux kernel or allow unprivileged access to perf counters, now’s the time to update!

Stay safe — and keep your systems patched.

*Written exclusively for your security learning by ChatGPT.*

Timeline

Published on: 09/01/2022 21:15:00 UTC
Last modified on: 09/07/2022 13:35:00 UTC