* [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()
@ 2019-07-10 10:26 bsauce
2019-07-10 10:58 ` Eric Dumazet
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: bsauce @ 2019-07-10 10:26 UTC (permalink / raw)
To: alexander.h.duyck
Cc: vbabka, mgorman, l.stach, vdavydov.dev, akpm, alex, adobriyan,
mike.kravetz, rientjes, rppt, mhocko, ksspiers, linux-mm,
linux-kernel, bsauce
In seq_release(), 'm->buf' points to a chunk. It is freed but not cleared to null right away. It can be reused by seq_read() or srm_env_proc_write().
For example, /arch/alpha/kernel/srm_env.c provide several interfaces to userspace, like 'single_release', 'seq_read' and 'srm_env_proc_write'.
Thus in userspace, one can exploit this UAF vulnerability to escape privilege.
Even if 'm->buf' is cleared by kmem_cache_free(), one can still create several threads to exploit this vulnerability.
And 'm->buf' should be cleared right after being freed.
Signed-off-by: bsauce <bsauce00@gmail.com>
---
fs/seq_file.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/seq_file.c b/fs/seq_file.c
index abe27ec..de5e266 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -358,6 +358,7 @@ int seq_release(struct inode *inode, struct file *file)
{
struct seq_file *m = file->private_data;
kvfree(m->buf);
+ m->buf = NULL;
kmem_cache_free(seq_file_cache, m);
return 0;
}
--
2.7.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()
2019-07-10 10:26 [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release() bsauce
@ 2019-07-10 10:58 ` Eric Dumazet
2019-07-10 12:25 ` Matthew Wilcox
2019-07-10 15:01 ` Alexander Duyck
2 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2019-07-10 10:58 UTC (permalink / raw)
To: bsauce, alexander.h.duyck
Cc: vbabka, mgorman, l.stach, vdavydov.dev, akpm, alex, adobriyan,
mike.kravetz, rientjes, rppt, mhocko, ksspiers, linux-mm,
linux-kernel
On 7/10/19 12:26 PM, bsauce wrote:
> In seq_release(), 'm->buf' points to a chunk. It is freed but not cleared to null right away. It can be reused by seq_read() or srm_env_proc_write().
> For example, /arch/alpha/kernel/srm_env.c provide several interfaces to userspace, like 'single_release', 'seq_read' and 'srm_env_proc_write'.
> Thus in userspace, one can exploit this UAF vulnerability to escape privilege.
> Even if 'm->buf' is cleared by kmem_cache_free(), one can still create several threads to exploit this vulnerability.
> And 'm->buf' should be cleared right after being freed.
>
> Signed-off-by: bsauce <bsauce00@gmail.com>
> ---
> fs/seq_file.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/seq_file.c b/fs/seq_file.c
> index abe27ec..de5e266 100644
> --- a/fs/seq_file.c
> +++ b/fs/seq_file.c
> @@ -358,6 +358,7 @@ int seq_release(struct inode *inode, struct file *file)
> {
> struct seq_file *m = file->private_data;
> kvfree(m->buf);
> + m->buf = NULL;
> kmem_cache_free(seq_file_cache, m);
> return 0;
> }
>
This makes no sense, since m is freed right away anyway.
So whatever is trying to 'reuse' m is in big trouble.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()
2019-07-10 10:26 [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release() bsauce
2019-07-10 10:58 ` Eric Dumazet
@ 2019-07-10 12:25 ` Matthew Wilcox
2019-07-10 15:01 ` Alexander Duyck
2 siblings, 0 replies; 4+ messages in thread
From: Matthew Wilcox @ 2019-07-10 12:25 UTC (permalink / raw)
To: bsauce
Cc: alexander.h.duyck, vbabka, mgorman, l.stach, vdavydov.dev, akpm,
alex, adobriyan, mike.kravetz, rientjes, rppt, mhocko, ksspiers,
linux-mm, linux-kernel
On Wed, Jul 10, 2019 at 06:26:29PM +0800, bsauce wrote:
> In seq_release(), 'm->buf' points to a chunk. It is freed but not cleared to null right away. It can be reused by seq_read() or srm_env_proc_write().
Well, no. The ->release method is called when there are no more file
descriptors referring to this file. So there's no way to call seq_read()
or srm_env_proc_write() after seq_release() is called.
> For example, /arch/alpha/kernel/srm_env.c provide several interfaces to userspace, like 'single_release', 'seq_read' and 'srm_env_proc_write'.
> Thus in userspace, one can exploit this UAF vulnerability to escape privilege.
Please provide a PoC.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()
2019-07-10 10:26 [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release() bsauce
2019-07-10 10:58 ` Eric Dumazet
2019-07-10 12:25 ` Matthew Wilcox
@ 2019-07-10 15:01 ` Alexander Duyck
2 siblings, 0 replies; 4+ messages in thread
From: Alexander Duyck @ 2019-07-10 15:01 UTC (permalink / raw)
To: bsauce
Cc: Duyck, Alexander H, Vlastimil Babka, Mel Gorman, h, vdavydov.dev,
Andrew Morton, alex, adobriyan, mike.kravetz, David Rientjes,
rppt, Michal Hocko, ksspiers, linux-mm, LKML
On Wed, Jul 10, 2019 at 3:26 AM bsauce <bsauce00@gmail.com> wrote:
>
> In seq_release(), 'm->buf' points to a chunk. It is freed but not cleared to null right away. It can be reused by seq_read() or srm_env_proc_write().
> For example, /arch/alpha/kernel/srm_env.c provide several interfaces to userspace, like 'single_release', 'seq_read' and 'srm_env_proc_write'.
> Thus in userspace, one can exploit this UAF vulnerability to escape privilege.
> Even if 'm->buf' is cleared by kmem_cache_free(), one can still create several threads to exploit this vulnerability.
> And 'm->buf' should be cleared right after being freed.
>
> Signed-off-by: bsauce <bsauce00@gmail.com>
So I am pretty sure this "Signed-off-by" line is incorrect. Take a
look in Documentation/process/submitting-patches.rst for more
information. It specifically it calls out that you need to use your
real name, no pseudonyms.
> ---
> fs/seq_file.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/seq_file.c b/fs/seq_file.c
> index abe27ec..de5e266 100644
> --- a/fs/seq_file.c
> +++ b/fs/seq_file.c
> @@ -358,6 +358,7 @@ int seq_release(struct inode *inode, struct file *file)
> {
> struct seq_file *m = file->private_data;
> kvfree(m->buf);
> + m->buf = NULL;
> kmem_cache_free(seq_file_cache, m);
> return 0;
> }
As has already been pointed out we are calling kmem_cache_free on m in
the very next line. As such setting m->buf to NULL would have no
effect as m will be freed and could be reused/overwritten at that
point.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-07-10 15:02 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-10 10:26 [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release() bsauce
2019-07-10 10:58 ` Eric Dumazet
2019-07-10 12:25 ` Matthew Wilcox
2019-07-10 15:01 ` Alexander Duyck
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).