A failing usercopy of the slot uid will lead to a stale entry in the file descriptor table as put_unused_fd() won't release it. This enables userland to refer to a dangling 'file' object through that still valid file descriptor, leading to all kinds of use-after-free exploitation scenarios. Exchanging put_unused_fd() for close_fd(), ksys_close() or alike won't solve the underlying issue, as the file descriptor might have been replaced in the meantime, e.g. via userland calling close() on it (leading to a NULL pointer dereference in the error handling code as 'fget(enclave_fd)' will return a NULL pointer) or by dup2()'ing a completely different file object to that very file descriptor, leading to the same situation: a dangling file descriptor pointing to a freed object -- just in this case to a file object of the user's choosing. Generally speaking, after the call to fd_install() the file descriptor is live and userland is free to do whatever with it. We cannot rely on it to still refer to our enclave object afterwards. In fact, by abusing userfaultfd() userland can hit the condition without any racing and abuse the error handling in the nitro code as it pleases.
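As an added illustration (not code from the bug report or from the nitro_enclaves driver), a userspace C model of the fd-table lifecycle described above. The helpers get_unused_fd_flags(), fd_install(), put_unused_fd() and fput() are simplified stand-ins for their kernel namesakes; fd_table, fd_reserved, create_vulnerable(), create_fixed() and count_dangling_entries() are names invented for the model. create_vulnerable() installs the fd before the usercopy, so a failed copy leaves the table entry pointing at a released file; create_fixed() does the usercopy first and installs the fd only once nothing else can fail, which is the usual remedy for this pattern (whether the upstream change linked below takes exactly that shape is not stated on this page and is an assumption here).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of a task's file descriptor table (constructed for this example). */
#define NR_FDS 8

struct file {
    int refcount;
    bool freed;   /* set when the last reference is dropped, so a stale entry is detectable */
};

static struct file *fd_table[NR_FDS];   /* installed files, indexed by fd */
static bool fd_reserved[NR_FDS];         /* slots handed out but not yet installed */

/* get_unused_fd_flags(): reserve the lowest free slot without installing a file. */
static int get_unused_fd_flags(void)
{
    for (int i = 0; i < NR_FDS; i++)
        if (!fd_reserved[i] && fd_table[i] == NULL) {
            fd_reserved[i] = true;
            return i;
        }
    return -1; /* -EMFILE */
}

/* fd_install(): publish the file in the slot; from here on userland can use the fd. */
static void fd_install(int fd, struct file *f)
{
    fd_table[fd] = f;
    fd_reserved[fd] = false;
}

/* put_unused_fd(): drop a reservation only; it never touches an installed file. */
static void put_unused_fd(int fd)
{
    fd_reserved[fd] = false;
}

/* fput(): drop a reference; the object is marked freed rather than free()d so
 * a dangling table entry can still be inspected safely in this model. */
static void fput(struct file *f)
{
    if (--f->refcount == 0)
        f->freed = true;
}

static struct file *file_alloc(void)
{
    struct file *f = calloc(1, sizeof *f);
    f->refcount = 1;
    return f;
}

/* copy_to_user() stand-ins: nonzero means the usercopy failed, as in the kernel. */
typedef int (*usercopy_fn)(int fd);
static int usercopy_fails(int fd) { (void)fd; return 1; }
static int usercopy_ok(int fd)    { (void)fd; return 0; }

/* Vulnerable ordering: fd_install() before the usercopy. Returns fd or -1. */
static int create_vulnerable(usercopy_fn copy_to_user)
{
    struct file *f = file_alloc();
    int fd = get_unused_fd_flags();
    if (fd < 0) { fput(f); return fd; }
    fd_install(fd, f);          /* fd is live for userland from this point */
    if (copy_to_user(fd)) {
        put_unused_fd(fd);      /* no effect: the slot is installed, not reserved */
        fput(f);                /* our reference goes away; the table entry dangles */
        return -1;              /* -EFAULT */
    }
    return fd;
}

/* Fixed ordering: usercopy first, fd_install() as the final, infallible step. */
static int create_fixed(usercopy_fn copy_to_user)
{
    struct file *f = file_alloc();
    int fd = get_unused_fd_flags();
    if (fd < 0) { fput(f); return fd; }
    if (copy_to_user(fd)) {
        put_unused_fd(fd);      /* slot was only reserved, so this really releases it */
        fput(f);
        return -1;
    }
    fd_install(fd, f);
    return fd;
}

/* Count table entries that point at a released file (the stale-entry condition). */
static int count_dangling_entries(void)
{
    int n = 0;
    for (int i = 0; i < NR_FDS; i++)
        if (fd_table[i] && fd_table[i]->freed)
            n++;
    return n;
}

static void reset_table(void)
{
    memset(fd_table, 0, sizeof fd_table);
    memset(fd_reserved, 0, sizeof fd_reserved);
}

int main(void)
{
    reset_table();
    create_vulnerable(usercopy_fails);
    printf("vulnerable ordering, failed usercopy: %d dangling entries\n",
           count_dangling_entries());
    reset_table();
    create_fixed(usercopy_fails);
    printf("fixed ordering, failed usercopy: %d dangling entries\n",
           count_dangling_entries());
    return 0;
}
```

The model shows why swapping put_unused_fd() for a close helper is not a fix either: once fd_install() has run, the slot belongs to userland, and the only robust approach is to make fd_install() the last step after every fallible operation.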
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1955580]
External References: https://lore.kernel.org/lkml/20210429165941.27020-2-andraprs@amazon.com/
Statement: This flaw is rated as having a Moderate impact because in the default configuration, the issue can only be triggered by a privileged local user (with access to the ne group if this user manages Enclaves VMs).
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2169 https://access.redhat.com/errata/RHSA-2021:2169
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2168 https://access.redhat.com/errata/RHSA-2021:2168
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3543