A flaw in the Linux Kernel found. If unprivileged users can mount FUSE filesystems, then can trigger use after free (UAF) that reads of write() buffers, allowing theft of (partial) /etc/shadow hashes or any other data from filesystem. FUSE allows the userspace filesystem to specify on FUSE_OPEN whether the file should use the normal kernel pagecache for handling read()/write() or just send FUSE_READ/FUSE_WRITE requests directly to the userspace filesystem (using the flag FOPEN_DIRECT_IO in fuse_open_out::open_flags). In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then imports the write buffer with fuse_get_user_pages(), which uses iov_iter_get_pages() to grab references to userspace pages instead of actually copying memory. On the filesystem device side, these pages can then either be read to userspace (via fuse_dev_read()), or splice()d over into a pipe using fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops. This is wrong because after fuse_dev_do_read() unlocks the FUSE request, the userspace filesystem can mark the request as completed, causing write() to return. At that point, the write buffer may be reused for other purposes, and the userspace filesystem should no longer have access to it.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2065331]
*** Bug 2082384 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1011