Bug 2064855 (CVE-2022-1011) - CVE-2022-1011 kernel: FUSE allows UAF reads of write() buffers, allowing theft of (partial) /etc/shadow hashes
Summary: CVE-2022-1011 kernel: FUSE allows UAF reads of write() buffers, allowing thef...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-1011
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 2082384 (view as bug list)
Depends On: 2068267 2068268 2064862 2064863 2064864 2064865 2065331
Blocks: 2060953 2065286 2082382
TreeView+ depends on / blocked
 
Reported: 2022-03-16 19:00 UTC by Alex
Modified: 2022-10-02 21:53 UTC (History)
50 users (show)

Fixed In Version: Linux kernel 5.16-rc8
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.
Clone Of:
Environment:
Last Closed: 2022-05-11 17:46:16 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:2229 0 None None None 2022-05-12 11:27:24 UTC
Red Hat Product Errata RHBA-2022:4630 0 None None None 2022-05-18 11:47:10 UTC
Red Hat Product Errata RHBA-2022:4693 0 None None None 2022-05-19 05:11:36 UTC
Red Hat Product Errata RHBA-2022:4969 0 None None None 2022-06-08 18:40:43 UTC
Red Hat Product Errata RHBA-2022:5088 0 None None None 2022-06-16 11:24:06 UTC
Red Hat Product Errata RHSA-2022:1975 0 None None None 2022-05-10 14:41:30 UTC
Red Hat Product Errata RHSA-2022:1988 0 None None None 2022-05-10 14:47:39 UTC

Description Alex 2022-03-16 19:00:33 UTC
A flaw in the Linux Kernel found.
If unprivileged users can mount FUSE filesystems, then can trigger use after free (UAF) that reads of write() buffers, allowing theft of (partial) /etc/shadow hashes or any other data from filesystem.

FUSE allows the userspace filesystem to specify on FUSE_OPEN whether the
file should use the normal kernel pagecache for handling read()/write() or
just send FUSE_READ/FUSE_WRITE requests directly to the userspace filesystem
(using the flag FOPEN_DIRECT_IO in fuse_open_out::open_flags).

In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls
fuse_direct_write_iter(), which normally calls fuse_direct_io(),
which then imports the write buffer with fuse_get_user_pages(),
which uses iov_iter_get_pages() to grab references to userspace pages
instead of actually copying memory.

On the filesystem device side, these pages can then either be read to
userspace (via fuse_dev_read()), or splice()d over into a pipe using
fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops.

This is wrong because after fuse_dev_do_read() unlocks the FUSE
request, the userspace filesystem can mark the request as completed,
causing write() to return. At that point, the write buffer may be
reused for other purposes, and the userspace filesystem should no
longer have access to it.

Comment 7 Alex 2022-03-17 17:31:04 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2065331]

Comment 16 Alex 2022-05-08 11:34:56 UTC
*** Bug 2082384 has been marked as a duplicate of this bug. ***

Comment 18 errata-xmlrpc 2022-05-10 14:41:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975

Comment 19 errata-xmlrpc 2022-05-10 14:47:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988

Comment 20 Product Security DevOps Team 2022-05-11 17:46:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1011


Note You need to log in before you can comment on or make changes to this bug.