Linux-Fsdevel Archive on lore.kernel.org
* Reporting a use-after-free read bug in userfaultfd_release()
@ 2020-07-17 11:45 Peilin Ye
From: Peilin Ye @ 2020-07-17 11:45 UTC (permalink / raw)
To: Daniel Colascione
Cc: timmurray, selinux, linux-security-module, linux-fsdevel,
linux-kernel, kvm, viro, paul, nnk, sds, lokeshgidra, jmorris
Hi all,
Syzbot reported the following use-after-free bug in
userfaultfd_release():
https://syzkaller.appspot.com/bug?id=4b9e5aea757b678d9939c364e50212354a3480a6
It seems to be caused by this patch. I took a look at the stack trace.
In the patch:

	fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
	if (fd < 0) {
		fput(file);
		goto out;
	}
If get_unused_fd_flags() fails, `ctx` is freed. Later however, before
returning to userland, userfaultfd_release() is called and tries to
use `ctx` again, causing a use-after-free bug.

The syzbot reproducer does a setrlimit() then a userfaultfd(). The
former sets a hard limit on the number of open files to zero, which causes
get_unused_fd_flags() to fail.
Thank you,
Peilin Ye
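The ordering the report describes, as a constructed C model added here as an example (it is not code from the report, the patch or the kernel): once the file has been created with ctx as its private data, the file owns ctx and its release callback will tear it down; fput() on the last reference does not run that callback synchronously but queues it as task work that runs before the task returns to userspace, so an error path that also frees ctx directly after fput() leaves the deferred release with a dangling pointer. All struct and function names are stand-ins, the fd limit and return codes are constructed, and "freeing" is modelled by a flag so the use-after-free shows up as a return value instead of undefined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the ownership handoff (not kernel code). */

struct uffd_ctx {
    bool freed;      /* instrumentation: object has been "freed" */
    int released;    /* times the release callback ran */
};

struct file {
    struct uffd_ctx *private_data;
    int refcount;
};

/* stand-in for the explicit ctx free on the error path */
static int ctx_free(struct uffd_ctx *ctx) {
    if (ctx->freed)
        return -1;              /* double free */
    ctx->freed = true;
    return 0;
}

/* stand-in for userfaultfd_release(): reads ctx, then frees it */
static int uffd_release(struct file *f) {
    struct uffd_ctx *ctx = f->private_data;
    if (ctx->freed)
        return -1;              /* use-after-free read */
    ctx->released++;
    return ctx_free(ctx);
}

/* The kernel's fput() queues ->release as task work when the last reference
 * drops; the work runs just before returning to userspace.  A one-slot
 * queue models that ordering. */
static struct file *pending_fput;

static void fput(struct file *f) {
    if (--f->refcount == 0)
        pending_fput = f;
}

static int run_task_work(void) {
    int rc = 0;
    if (pending_fput) {
        rc = uffd_release(pending_fput);
        pending_fput = NULL;
    }
    return rc;
}

/* stand-in for get_unused_fd_flags(): fails when RLIMIT_NOFILE is 0 */
static int get_unused_fd(unsigned long nofile_limit) {
    return nofile_limit == 0 ? -EMFILE : 3;
}

enum uffd_outcome {
    UFFD_OK = 0,             /* fd installed, ctx torn down once at close */
    UFFD_EMFILE_CLEAN = 1,   /* fd allocation failed, ctx torn down once */
    UFFD_UAF_DETECTED = 2    /* deferred release ran on an already freed ctx */
};

/* Model of the syscall tail.  free_ctx_on_error selects the reported
 * behaviour (error path frees ctx itself after fput) versus leaving
 * teardown to the file's release callback only. */
static enum uffd_outcome uffd_syscall_model(unsigned long nofile_limit,
                                            bool free_ctx_on_error) {
    struct uffd_ctx ctx = { .freed = false, .released = 0 };
    struct file file = { .private_data = &ctx, .refcount = 1 };
    int fd = get_unused_fd(nofile_limit);

    if (fd < 0) {
        fput(&file);                       /* release is queued, not run */
        if (free_ctx_on_error)
            ctx_free(&ctx);                /* the bug: file still owns ctx */
        if (run_task_work() < 0)           /* "return to userland" */
            return UFFD_UAF_DETECTED;
        return UFFD_EMFILE_CLEAN;
    }

    /* success: fd installed; userspace later close()s it */
    fput(&file);
    if (run_task_work() < 0)
        return UFFD_UAF_DETECTED;
    return ctx.released == 1 ? UFFD_OK : UFFD_UAF_DETECTED;
}

int main(void) {
    printf("error path, ctx freed directly : %d\n", uffd_syscall_model(0, true));
    printf("error path, release owns ctx   : %d\n", uffd_syscall_model(0, false));
    printf("success path                   : %d\n", uffd_syscall_model(1024, false));
    return 0;
}
```

Running the model with the fd limit at zero reproduces the sequence in the report (explicit free first, deferred release second, use-after-free); leaving teardown to the release callback alone gives exactly one free on both the error and the success path.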