Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

refcount increment on mid-destruction file- 705

Jann Horn - Project Zero (P0) Posted 4 Years Ago
  • ep_loop_check_proc() takes a reference on a struct file in the Linux kernel by calling get_file(). The problem is that get_file() increments the reference count unconditionally; it does not check that the count is still non-zero before bumping it. Only get_file_rcu() performs that check (an increment-if-not-zero).
  • In the epoll subsystem this matters because ep_loop_check_proc() holds only a weak reference to the file: the interest-list entry does not keep the file alive. The file's refcount can therefore reach zero and the file can enter destruction while ep_loop_check_proc() is still using it. Incrementing the count at that point revives a file that is already being torn down, and the result is a use after free. Even though it ends in a use after free, the author of the post classifies it as an object state confusion bug: the refcount is being manipulated on an object that is in the wrong state for it.
  • The vulnerability was introduced by a patch that was itself fixing an earlier reference-counting bug. That patch was trying to guarantee that, while a new fd is being added to epoll, the file cannot be deleted concurrently. The attempted fix was to take a reference on the file via get_file(), and that is exactly where the bug was introduced.
  • Fixing concurrency bugs is incredibly hard: there are so many ways for an object's state to change underneath you that it is very difficult to enumerate every case. Good bug find!
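The get_file() versus get_file_rcu() distinction above, reduced to a single-threaded model that forces the losing interleaving by hand. This is an added example written for this page, not code from the post or from the kernel: file_like, get_unchecked, get_not_zero, put_ref and simulate_check_proc are made-up names standing in for struct file, get_file(), get_file_rcu(), fput() and ep_loop_check_proc(). Plain longs replace the kernel's atomic_long_inc / atomic_long_inc_not_zero because the interleaving is scripted rather than actually raced.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Toy, single-threaded model of the refcount pattern behind the bug.
 * Constructed for this page; not kernel code. All names are invented.
 */
struct file_like {
    long count;      /* models f_count: number of strong references */
    int  teardowns;  /* how many times the release path (__fput) ran */
};

/* Shape of get_file(): bump the count without looking at it. */
static void get_unchecked(struct file_like *f)
{
    f->count++;
}

/* Shape of get_file_rcu() (atomic_long_inc_not_zero in the kernel):
 * a dying object, count == 0, cannot be revived. */
static bool get_not_zero(struct file_like *f)
{
    if (f->count == 0)
        return false;
    f->count++;
    return true;
}

/* Shape of fput(): dropping the last reference runs the release path. */
static void put_ref(struct file_like *f)
{
    if (--f->count == 0)
        f->teardowns++;   /* __fput: in the kernel this frees the file */
}

/*
 * Forced interleaving that the real race has to win:
 *   1. the fd table holds the only strong reference;
 *   2. close() drops it: count hits 0 and __fput begins, but the epoll
 *      interest-list entry (a weak, non-owning pointer) is not cleared yet;
 *   3. ep_loop_check_proc walks the interest list and takes a reference
 *      through that weak pointer;
 *   4. if it got one, it later drops it again.
 * Returns how many times the release path ran: 1 is correct, 2 means the
 * file was torn down twice, i.e. an already-freed file was used and freed.
 */
static int simulate_check_proc(bool check_for_zero)
{
    struct file_like f = { .count = 1, .teardowns = 0 };
    struct file_like *weak = &f;   /* epoll's non-owning pointer */

    put_ref(&f);                   /* step 2: last owner closes the fd */

    if (check_for_zero) {
        if (!get_not_zero(weak))   /* step 3, safe variant: refuses */
            return f.teardowns;
    } else {
        get_unchecked(weak);       /* step 3, get_file(): 0 -> 1, revived */
    }

    put_ref(weak);                 /* step 4: 1 -> 0, release runs again */
    return f.teardowns;
}

int main(void)
{
    printf("get_file()-style increment: release ran %d times\n",
           simulate_check_proc(false));
    printf("get_file_rcu()-style increment: release ran %d times\n",
           simulate_check_proc(true));
    return 0;
}
```

The two return values are the whole point: with the unchecked increment the release path runs twice for one file, which in the kernel means the second run operates on memory that was already freed. Reviving a zero-count object is never safe, so any code that reaches an object through a pointer that does not own a reference (a list entry, a cache, an RCU-protected table) has to use the increment-if-not-zero form and handle the failure, rather than assume the object is still alive.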