Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()

From: Matthew Wilcox
Date: Wed Jul 10 2019 - 08:26:21 EST

Next message: Mauro Carvalho Chehab: "Re: [PATCH v2] Documentation: filesystems: Convert ufs.txt to reStructuredText format"
Previous message: Thomas Gleixner: "Re: [GIT PULL] x86/topology changes for v5.3"
In reply to: Eric Dumazet: "Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()"
Next in thread: Alexander Duyck: "Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jul 10, 2019 at 06:26:29PM +0800, bsauce wrote:
> In seq_release(), 'm->buf' points to a chunk. It is freed but not cleared to null right away. It can be reused by seq_read() or srm_env_proc_write().

Well, no. The ->release method is called when there are no more file
descriptors referring to this file. So there's no way to call seq_read()
or srm_env_proc_write() after seq_release() is called.

> For example, /arch/alpha/kernel/srm_env.c provide several interfaces to userspace, like 'single_release', 'seq_read' and 'srm_env_proc_write'.
> Thus in userspace, one can exploit this UAF vulnerability to escape privilege.

Please provide a PoC.

Next message: Mauro Carvalho Chehab: "Re: [PATCH v2] Documentation: filesystems: Convert ufs.txt to reStructuredText format"
Previous message: Thomas Gleixner: "Re: [GIT PULL] x86/topology changes for v5.3"
In reply to: Eric Dumazet: "Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()"
Next in thread: Alexander Duyck: "Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]