Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Linux: FUSE allows UAF reads of write() buffers, allowing theft of other pages - 838

Jann Horn - Google Project Zero (P0), posted 3 years ago
  • Filesystem in USErspace (FUSE) is a userspace library for file system utilities, such as mount. FUSE has two modes of IO: the kernel page cache, or direct requests to the userspace file system on every read/write.
  • In the second mode (FOPEN_DIRECT_IO), a write() goes through a series of functions that eventually take a reference to the caller's userspace pages.
  • On the FUSE device side, those pages can later be read, or spliced out as pipe buffers. This is a problem because the read done via fuse_dev_read() unlocks the FUSE request while the userspace file system marks the request as completed.
  • This means the buffer holding the data (remember, the kernel only holds a reference to it) can be reused for other things, and the still-live reference can still read from it, which is effectively a use-after-free read.
  • To exploit this, they leaked /etc/shadow by manipulating data within glibc. This required hitting a strange error-message path, but it still works.
  • Overall, finding this bug required a deep understanding of the code. Dangling references are bad; this one did not lead to memory corruption, though!