Bug 2064855 (CVE-2022-1011)

Summary: CVE-2022-1011 kernel: FUSE allows UAF reads of write() buffers, allowing theft of (partial) /etc/shadow hashes
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bhu, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, mszeredi, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, security-response-team, steved, tcullum, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Linux kernel 5.16-rc8 Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-11 17:46:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2068267, 2068268, 2064862, 2064863, 2064864, 2064865, 2065331    
Bug Blocks: 2060953, 2065286, 2082382    

Description Alex 2022-03-16 19:00:33 UTC 
A flaw in the Linux Kernel found.
If unprivileged users can mount FUSE filesystems, then can trigger use after free (UAF) that reads of write() buffers, allowing theft of (partial) /etc/shadow hashes or any other data from filesystem.

FUSE allows the userspace filesystem to specify on FUSE_OPEN whether the
file should use the normal kernel pagecache for handling read()/write() or
just send FUSE_READ/FUSE_WRITE requests directly to the userspace filesystem
(using the flag FOPEN_DIRECT_IO in fuse_open_out::open_flags).

In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls
fuse_direct_write_iter(), which normally calls fuse_direct_io(),
which then imports the write buffer with fuse_get_user_pages(),
which uses iov_iter_get_pages() to grab references to userspace pages
instead of actually copying memory.

On the filesystem device side, these pages can then either be read to
userspace (via fuse_dev_read()), or splice()d over into a pipe using
fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops.

This is wrong because after fuse_dev_do_read() unlocks the FUSE
request, the userspace filesystem can mark the request as completed,
causing write() to return. At that point, the write buffer may be
reused for other purposes, and the userspace filesystem should no
longer have access to it.
Comment 7 Alex 2022-03-17 17:31:04 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2065331]
Comment 16 Alex 2022-05-08 11:34:56 UTC 
*** Bug 2082384 has been marked as a duplicate of this bug. ***
Comment 18 errata-xmlrpc 2022-05-10 14:41:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975
Comment 19 errata-xmlrpc 2022-05-10 14:47:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988
Comment 20 Product Security DevOps Team 2022-05-11 17:46:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1011