* Reporting a use-after-free read bug in userfaultfd_release()
@ 2020-07-17 11:45 Peilin Ye
  0 siblings, 0 replies; only message in thread
From: Peilin Ye @ 2020-07-17 11:45 UTC (permalink / raw)
  To: Daniel Colascione
  Cc: timmurray, selinux, linux-security-module, linux-fsdevel,
	linux-kernel, kvm, viro, paul, nnk, sds, lokeshgidra, jmorris

Hi all,

Syzbot reported the following use-after-free bug in
userfaultfd_release():

	https://syzkaller.appspot.com/bug?id=4b9e5aea757b678d9939c364e50212354a3480a6

It seems to be caused by this patch. I took a look at the stack trace.
In the patch:

	fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
	if (fd < 0) {
		fput(file);
		goto out;
	}

If get_unused_fd_flags() fails, `ctx` is freed. Later, however, before
returning to userland, userfaultfd_release() is called and tries to
use `ctx` again, causing a use-after-free bug.

The syzbot reproducer does a setrlimit() then a userfaultfd(). The
former sets the hard limit on the number of open files to zero, which
causes get_unused_fd_flags() to fail.

Thank you,

Peilin Ye
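A user-space model of the lifetime bug described in the report above, added here as an illustration; it is not part of the original message and not the kernel's userfaultfd code. The names (toy_userfaultfd, toy_release, ctx_put, the pending-fput queue) are invented stand-ins for the kernel's struct file, the userfaultfd ctx and the delayed fput machinery that runs release callbacks before the syscall returns to userland. The `freed` flag keeps the object mapped so a stale access is counted instead of corrupting memory. The buggy error path frees ctx itself after calling fput(); the corrected path leaves ctx to the release callback, which is the only owner that should drop it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy ctx: the object the file's release callback drops. The "freed" flag is
 * instrumentation only; memory is kept mapped so a use-after-free shows up as
 * a counted event rather than a crash. */
struct ctx {
    int refcount;
    int freed;
};

struct file {
    struct ctx *private_data;
    void (*release)(struct file *f);
    struct file *next_pending;   /* deferred fput() queue (models delayed fput) */
};

static int stale_uses;              /* accesses to a ctx after it was freed */
static struct file *pending_fput;   /* files whose release runs on return to userland */

static void ctx_free(struct ctx *c) { c->freed = 1; }

static void ctx_put(struct ctx *c)
{
    if (c->freed) {                 /* the use-after-free the report describes */
        stale_uses++;
        return;
    }
    if (--c->refcount == 0)
        ctx_free(c);
}

/* Stand-in for userfaultfd_release(): drops the file's reference on ctx. */
static void toy_release(struct file *f) { ctx_put(f->private_data); }

/* fput() in the kernel does not run release synchronously from a syscall;
 * the file is queued and released before returning to userland. */
static void fput(struct file *f)
{
    f->next_pending = pending_fput;
    pending_fput = f;
}

static void return_to_userland(void)
{
    while (pending_fput) {
        struct file *f = pending_fput;
        pending_fput = f->next_pending;
        f->release(f);
        free(f);
    }
}

/* fd allocation fails when RLIMIT_NOFILE is 0, as in the syzbot reproducer */
static int get_unused_fd_flags(int rlimit_nofile)
{
    return rlimit_nofile == 0 ? -24 /* -EMFILE */ : 3;
}

/* Simulates the syscall. Returns the number of stale ctx uses observed
 * (0 means every access happened on a live object). */
int toy_userfaultfd(int rlimit_nofile, int buggy_error_path)
{
    struct ctx *ctx = calloc(1, sizeof *ctx);
    struct file *file = calloc(1, sizeof *file);
    int fd, result;

    stale_uses = 0;
    ctx->refcount = 1;               /* the single reference, held by the file */
    file->private_data = ctx;
    file->release = toy_release;

    fd = get_unused_fd_flags(rlimit_nofile);
    if (fd < 0) {
        fput(file);                  /* release will drop ctx later */
        if (buggy_error_path)
            ctx_free(ctx);           /* second owner frees it first: bug */
    } else {
        /* fd_install() would hand the fd to userland here; for the toy we
         * immediately "close" it so the ctx is released through the same path */
        fput(file);
    }
    return_to_userland();
    result = stale_uses;
    free(ctx);
    return result;
}

int main(void)
{
    printf("buggy error path, RLIMIT_NOFILE=0: stale uses = %d\n", toy_userfaultfd(0, 1));
    printf("fixed error path, RLIMIT_NOFILE=0: stale uses = %d\n", toy_userfaultfd(0, 0));
    printf("success path:                      stale uses = %d\n", toy_userfaultfd(1024, 0));
    return 0;
}
```

The point the model makes is about ownership, not about the specific free: once a struct file carries ctx in private_data, any code path that also calls fput() must not free ctx itself, because the release callback will run on it afterwards regardless of whether the fd was ever installed.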
