Re: [PATCH] fs/seq_file.c: Fix a UAF vulnerability in seq_release()

From: Matthew Wilcox
Date: Wed Jul 10 2019 - 08:26:21 EST


On Wed, Jul 10, 2019 at 06:26:29PM +0800, bsauce wrote:
> In seq_release(), 'm->buf' points to a chunk. It is freed but not cleared to null right away. It can be reused by seq_read() or srm_env_proc_write().

Well, no. The ->release method is called when there are no more file
descriptors referring to this file. So there's no way to call seq_read()
or srm_env_proc_write() after seq_release() is called.

> For example, /arch/alpha/kernel/srm_env.c provides several interfaces to userspace, like 'single_release', 'seq_read' and 'srm_env_proc_write'.
> Thus in userspace, one can exploit this UAF vulnerability to escape privilege.

Please provide a PoC.
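To make the lifecycle argument in the reply above concrete, here is a small userspace model of the VFS rule it relies on: a file's ->release is called only when the last reference (file descriptor or in-flight operation) is dropped, so no read path can reach the buffer freed in release. This is an added example, not code from the thread, the patch, or the kernel; the `*_model` names, the fixed-size fd table and the sample "hello" buffer are hypothetical simplifications of `struct file` / `struct seq_file`, not the kernel's API.

```c
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>

/* Hypothetical userspace model (not kernel code) of reference-counted
 * file lifetime: release runs once, after the last reference is gone. */

#define MAX_FDS 8

struct seq_file_model {
    char *buf;      /* output buffer, freed by release and not cleared */
    size_t size;
};

struct file_model {
    int refcount;                 /* fds plus in-flight operations */
    struct seq_file_model *seq;   /* private data, like file->private_data */
    int (*release)(struct file_model *);
};

static struct file_model *fd_table[MAX_FDS];
static int release_calls;         /* how many times release has run */

/* Model of seq_release(): frees the buffer exactly as the report describes. */
static int seq_release_model(struct file_model *f)
{
    release_calls++;
    free(f->seq->buf);            /* dangling pointer left behind on purpose */
    free(f->seq);
    f->seq = NULL;
    return 0;
}

/* Model of fput(): release only when the last reference is dropped. */
static void fput_model(struct file_model *f)
{
    if (--f->refcount == 0) {
        f->release(f);
        free(f);
    }
}

/* Model of open(): allocate file and buffer, install in the first free slot. */
static int open_model(void)
{
    for (int fd = 0; fd < MAX_FDS; fd++) {
        if (fd_table[fd])
            continue;
        struct file_model *f = calloc(1, sizeof *f);
        f->seq = calloc(1, sizeof *f->seq);
        f->seq->size = 64;
        f->seq->buf = malloc(f->seq->size);
        memcpy(f->seq->buf, "hello", 6);   /* constructed sample content */
        f->release = seq_release_model;
        f->refcount = 1;
        fd_table[fd] = f;
        return fd;
    }
    return -EMFILE;
}

/* Model of dup(): a second fd is a second reference to the same file. */
static int dup_model(int fd)
{
    if (fd < 0 || fd >= MAX_FDS || !fd_table[fd])
        return -EBADF;
    for (int nfd = 0; nfd < MAX_FDS; nfd++) {
        if (fd_table[nfd])
            continue;
        fd_table[nfd] = fd_table[fd];
        fd_table[fd]->refcount++;
        return nfd;
    }
    return -EMFILE;
}

/* Model of close(): drop this fd's reference; release may or may not follow. */
static int close_model(int fd)
{
    if (fd < 0 || fd >= MAX_FDS || !fd_table[fd])
        return -EBADF;
    struct file_model *f = fd_table[fd];
    fd_table[fd] = NULL;
    fput_model(f);
    return 0;
}

/* Model of read(): like fdget(), hold a reference for the whole call, so
 * release cannot run underneath it; a closed fd never resolves to a file. */
static ssize_t read_model(int fd, char *out, size_t n)
{
    if (fd < 0 || fd >= MAX_FDS || !fd_table[fd])
        return -EBADF;
    struct file_model *f = fd_table[fd];
    f->refcount++;
    size_t len = strlen(f->seq->buf);
    if (len > n)
        len = n;
    memcpy(out, f->seq->buf, len);
    fput_model(f);
    return (ssize_t)len;
}
```

Walking through the model: open, dup, close the first fd, and read through the second still succeeds with `release_calls` at zero; only closing the last fd runs release, and any read after that fails the fd lookup with `-EBADF` before it can touch the freed buffer. That is the point of the reply: clearing `m->buf` after the free is harmless, but it does not close a reachable use-after-free, because nothing can dispatch to the file once release has run.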