[PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()

[PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()

[bsauce]

In seq_release(), 'm->buf' points to a chunk. It is freed but not cleared to null right away. It can be reused by seq_read() or srm_env_proc_write().
For example, /arch/alpha/kernel/srm_env.c provide several interfaces to userspace, like 'single_release', 'seq_read' and 'srm_env_proc_write'.
Thus in userspace, one can exploit this UAF vulnerability to escape privilege.
Even if 'm->buf' is cleared by kmem_cache_free(), one can still create several threads to exploit this vulnerability.
And 'm->buf' should be cleared right after being freed.

Signed-off-by: bsauce <bsauce00@gmail.com>
---
 fs/seq_file.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/seq_file.c b/fs/seq_file.c
index abe27ec..de5e266 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -358,6 +358,7 @@ int seq_release(struct inode *inode, struct file *file)
 {
 	struct seq_file *m = file->private_data;
 	kvfree(m->buf);
+	m->buf = NULL;
 	kmem_cache_free(seq_file_cache, m);
 	return 0;
 }
-- 
2.7.4

Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()

[Eric Dumazet]

On 7/10/19 12:26 PM, bsauce wrote:
> In seq_release(), 'm->buf' points to a chunk. It is freed but not cleared to null right away. It can be reused by seq_read() or srm_env_proc_write().
> For example, /arch/alpha/kernel/srm_env.c provide several interfaces to userspace, like 'single_release', 'seq_read' and 'srm_env_proc_write'.
> Thus in userspace, one can exploit this UAF vulnerability to escape privilege.
> Even if 'm->buf' is cleared by kmem_cache_free(), one can still create several threads to exploit this vulnerability.
> And 'm->buf' should be cleared right after being freed.
> 
> Signed-off-by: bsauce <bsauce00@gmail.com>
> ---
>  fs/seq_file.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/fs/seq_file.c b/fs/seq_file.c
> index abe27ec..de5e266 100644
> --- a/fs/seq_file.c
> +++ b/fs/seq_file.c
> @@ -358,6 +358,7 @@ int seq_release(struct inode *inode, struct file *file)
>  {
>  	struct seq_file *m = file->private_data;
>  	kvfree(m->buf);
> +	m->buf = NULL;
>  	kmem_cache_free(seq_file_cache, m);
>  	return 0;
>  }
> 

This makes no sense, since m is freed right away anyway.

So whatever is trying to 'reuse' m is in big trouble.

Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()

[Matthew Wilcox]

On Wed, Jul 10, 2019 at 06:26:29PM +0800, bsauce wrote:
> In seq_release(), 'm->buf' points to a chunk. It is freed but not cleared to null right away. It can be reused by seq_read() or srm_env_proc_write().

Well, no.  The ->release method is called when there are no more file
descriptors referring to this file.  So there's no way to call seq_read()
or srm_env_proc_write() after seq_release() is called.

> For example, /arch/alpha/kernel/srm_env.c provide several interfaces to userspace, like 'single_release', 'seq_read' and 'srm_env_proc_write'.
> Thus in userspace, one can exploit this UAF vulnerability to escape privilege.

Please provide a PoC.

Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()

[Alexander Duyck]

On Wed, Jul 10, 2019 at 3:26 AM bsauce <bsauce00@gmail.com> wrote:
>
> In seq_release(), 'm->buf' points to a chunk. It is freed but not cleared to null right away. It can be reused by seq_read() or srm_env_proc_write().
> For example, /arch/alpha/kernel/srm_env.c provide several interfaces to userspace, like 'single_release', 'seq_read' and 'srm_env_proc_write'.
> Thus in userspace, one can exploit this UAF vulnerability to escape privilege.
> Even if 'm->buf' is cleared by kmem_cache_free(), one can still create several threads to exploit this vulnerability.
> And 'm->buf' should be cleared right after being freed.
>
> Signed-off-by: bsauce <bsauce00@gmail.com>

So I am pretty sure this "Signed-off-by" line is incorrect. Take a
look in Documentation/process/submitting-patches.rst for more
information. It specifically it calls out that you need to use your
real name, no pseudonyms.

> ---
>  fs/seq_file.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/fs/seq_file.c b/fs/seq_file.c
> index abe27ec..de5e266 100644
> --- a/fs/seq_file.c
> +++ b/fs/seq_file.c
> @@ -358,6 +358,7 @@ int seq_release(struct inode *inode, struct file *file)
>  {
>         struct seq_file *m = file->private_data;
>         kvfree(m->buf);
> +       m->buf = NULL;
>         kmem_cache_free(seq_file_cache, m);
>         return 0;
>  }

As has already been pointed out we are calling kmem_cache_free on m in
the very next line. As such setting m->buf to NULL would have no
effect as m will be freed and could be reused/overwritten at that
point.