Allele Security Alert
userfaultfd bypasses tmpfs file permission
Affected versions
Linux kernel versions before 4.20
Linux kernel versions before 4.14.87
Linux kernel versions before 4.19.7
Linux kernel versions before 4.19.11
Linux kernel versions before 4.14.90
Fixed versions
Linux kernel version 4.20
Linux kernel version 4.14.87
Linux kernel version 4.19.7
Linux kernel version 4.19.11
Linux kernel version 4.14.90
Proof of concept
In Linux kernel versions since 4.11, userfaultfd can be used to write arbitrary data into holes in sparse tmpfs files to which an attacker has read-only access.
Using the userfaultfd API, it is possible to first register a userfaultfd region for any VMA that fulfills vma_can_userfault(): it must be an anonymous VMA (->vm_ops==NULL), a hugetlb VMA (VM_HUGETLB), or a shmem VMA (->vm_ops==shmem_vm_ops). This means that it is, for example, possible to register userfaultfd regions for shared read-only mappings of tmpfs files.
Afterwards, the userfaultfd API can be used on such a region to (atomically) write data into holes in the file’s mapping. This API also works on readonly shared mappings.
This means that an attacker with read-only access to a tmpfs file that contains holes can write data into holes in the file.
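The registration decision described above, as an added example that is not part of this alert or of the kernel source: a constructed model of the VMA state the check depends on, showing why a shared mapping of a tmpfs file opened read-only passed the pre-fix gate and why the fix ("only allow to register VM_MAYWRITE vmas") refuses it. The flag values, the enum standing in for ->vm_ops, and the function names are assumptions made for this illustration.

```c
#include <stdbool.h>

/* Constructed model for this example, not kernel code: only the VMA state
 * that the CVE-2018-18397 registration decision depends on is represented. */
#define VM_SHARED    0x08UL
#define VM_MAYWRITE  0x20UL
#define VM_HUGETLB   0x400000UL

enum vm_ops_kind { OPS_NONE, OPS_SHMEM, OPS_HUGETLB, OPS_OTHER_FS };

struct vma {
    unsigned long vm_flags;
    enum vm_ops_kind vm_ops;   /* OPS_NONE stands for ->vm_ops == NULL (anonymous) */
};

/* Mirrors how do_mmap() derives flags for a file-backed mapping: for
 * MAP_SHARED, VM_MAYWRITE (and VM_SHARED) survive only when the file
 * description was opened for writing. PROT_READ alone is not the point;
 * the kernel keys the decision to the open mode of the file. */
struct vma map_tmpfs_file(bool map_shared, bool opened_for_write)
{
    struct vma v = { .vm_flags = VM_MAYWRITE, .vm_ops = OPS_SHMEM };
    if (map_shared) {
        v.vm_flags |= VM_SHARED;
        if (!opened_for_write)
            v.vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
    }
    return v;
}

/* The three VMA kinds the alert lists as passing vma_can_userfault(). */
static bool vma_can_userfault(const struct vma *v)
{
    return v->vm_ops == OPS_NONE || (v->vm_flags & VM_HUGETLB) ||
           v->vm_ops == OPS_SHMEM;
}

/* Registration gate before the fix: any userfault-capable VMA is accepted,
 * so a read-only shared tmpfs mapping can be registered and its holes filled. */
bool uffd_register_allowed_vulnerable(const struct vma *v)
{
    return vma_can_userfault(v);
}

/* After the fix: a VMA without VM_MAYWRITE is refused at registration time,
 * which is exactly the read-only shared tmpfs case. */
bool uffd_register_allowed_fixed(const struct vma *v)
{
    return vma_can_userfault(v) && (v->vm_flags & VM_MAYWRITE);
}
```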
Credit
Jann Horn (Google Project Zero)
References
Linux: userfaultfd bypasses tmpfs file permissions
Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7)
userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
CVE-2018-18397 - Red Hat Customer Portal
CVE-2018-18397 | SUSE
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 10, 2019