[PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()

From: bsauce
Date: Wed Jul 10 2019 - 06:26:45 EST

Next message: Jose Abreu: "RE: [PATCH 08/12] net: stmmac: Fix misuses of GENMASK macro"
Previous message: Russell King - ARM Linux admin: "Re: Question about ARM FASTFPE"
Next in thread: Eric Dumazet: "Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In seq_release(), 'm->buf' points to a chunk. It is freed but not cleared to null right away. It can be reused by seq_read() or srm_env_proc_write().
For example, /arch/alpha/kernel/srm_env.c provide several interfaces to userspace, like 'single_release', 'seq_read' and 'srm_env_proc_write'.
Thus in userspace, one can exploit this UAF vulnerability to escape privilege.
Even if 'm->buf' is cleared by kmem_cache_free(), one can still create several threads to exploit this vulnerability.
And 'm->buf' should be cleared right after being freed.

Signed-off-by: bsauce <bsauce00@xxxxxxxxx>
---
fs/seq_file.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/seq_file.c b/fs/seq_file.c
index abe27ec..de5e266 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -358,6 +358,7 @@ int seq_release(struct inode *inode, struct file *file)
{
struct seq_file *m = file->private_data;
kvfree(m->buf);
+ m->buf = NULL;
kmem_cache_free(seq_file_cache, m);
return 0;
}
--
2.7.4

Next message: Jose Abreu: "RE: [PATCH 08/12] net: stmmac: Fix misuses of GENMASK macro"
Previous message: Russell King - ARM Linux admin: "Re: Question about ARM FASTFPE"
Next in thread: Eric Dumazet: "Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]