Show Notes

Getting into Vulnerability Research and a FUSE use-after-free

With a FUSE (Filesystem in USErspace) there are two modes of IO, either the normal kernel page cache can be used for handling read/write attempts or using FOPEN_DIRECT_IO in the open call the read/write requests can be sent directly to the userspace filesystem. In this mode the kernel will grab a reference to the userspace pages rather than copying them into kernel mode and map those pages over to the FUSE process. After the write is completed, FUSE still still read those pages but the memory from the target program might have been reused for something else, giving FUSE access to potentially sensitive information. They used this to leak a headh from /etc/shadow as a proof of concept.

With a FUSE (Filesystem in USErspace) there are two modes of IO, either the normal kernel page cache can be used for handling read/write attempts or using FOPEN_DIRECT_IO in the open call the read/write requests can be sent directly to the userspace filesystem. In this mode the kernel will grab a reference to the userspace pages rather than copying them into kernel mode and map those pages over to the FUSE process. After the write is completed, FUSE still still read those pages but the memory from the target program might have been reused for something else, giving FUSE access to potentially sensitive information. They used this to leak a headh from /etc/shadow as a proof of concept.

} }