full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] Locked fasync file descrip

[Full-disclosure] Locked fasync file descriptors can be referenced after free in >= 2.6.28

From: Tavis Ormandy <taviso_at_nospam>
Date: Thu Jan 14 2010 - 15:45:02 GMT
To: full-disclosure@lists.grok.org.uk

Locked fasync file descriptors can be referenced after free in >= 2.6.28

A problem has been discovered handling locked fasync file descriptors.

Quoting analysis from Linus, "The problem is that the *same* file descriptor can be on *multiple* fasync lists. It can be on a particular fasync list just once, but file locking is special, and uses the 'fl->fl_fasync' list to add an arbitrary file to its own fasync list - regardless of what the underlying device driver or whatever is."

This is an issue because fasync_helper() will clear the FASYNC flag as it incorrectly assumes a file can only be on one fasync list.


When the descriptor is finally closed and the file released, the FASYNC flag will no longer be set and so it will not be removed the fasync list, thus leaving a dangling reference to the freed structure.

A testcase for this issue which should result in an OOPS caused by a userland pointer dereference is available here.


(gdb) bt

#0 __kill_fasync (fa=0xdf294820, sig=29, band=131073) at /build/buildd/linux-2.6.31/fs/fcntl.c:587 #1 0xc01f4a32 in kill_fasync (fp=0xc089be64, sig=29, band=131073) at /build/buildd/linux-2.6.31/fs/fcntl.c:614
(gdb) list
592 return; 593 } 594 fown = &fa->fa_file->f_owner; 595 /* Don't send SIGURG to processes which have not set a 596 queued signum: SIGURG has its own default signalling 597 mechanism. */ 598 if (!(sig == SIGURG && fown->signum == 0)) 599 send_sigio(fown, fa->fa_fd, band); 600 fa = fa->fa_next; 601 }
(gdb) p fa->fa_file->f_owner

$37 = {lock = {raw_lock = {lock = 2621449}}, pid = 0x1c001d, pid_type = 1179403647, uid = 65793, euid = 0, signum = 0}

(this is obviously nonsense, and send_sigio is going to explode)


Linus has committed the following patch to address this issue http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=53281b6d3

This bug was discovered by Tavis Ormandy.

Thanks to legendary kernel hackers Linus, Matt Mackall and Al Viro who did most of the hard work tracking down the root cause. -- ------------------------------------- taviso@sdf.lonestar.org | finger me for my gpg key. ------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/