Linux kernel: erroneous error handling after fd_install()
Original Post:
We discussed this vulnerability during Episode 116 on 01 February 2022
There is a bit of a race condition in some areas of kernel code where a file that has been closed by userspace will still be accessed by the kernel. The issue is when fd_install(fd, file) is called, which exposes the file to userland, and then any further work on fd or file is attempted. The problem is that once it has been exposed to userspace, it can be closed by userspace immediately, leading to a use-after-free.
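To make the ordering problem concrete, here is an added user-space model (constructed for this write-up, not kernel code) of the fd table and file refcount: `open_buggy()` calls fd_install() before its last fallible step and then unwinds with fput(), while `open_fixed()` does every fallible step first and installs the fd last. A simulated close() from userspace between install and the error path shows why only the second ordering is safe.

```c
#include <stddef.h>

/* Constructed model of the kernel's fd table and struct file refcount;
 * a "freed" flag stands in for the real allocator so the model can
 * report a use-after-free instead of triggering one. */
#define NR_FDS 8
struct file { int refcount; int freed; };
static struct file *fd_table[NR_FDS];
static int uaf_detected;   /* incremented when fput() sees a freed file */

static int get_unused_fd(void) {
    for (int fd = 0; fd < NR_FDS; fd++)
        if (!fd_table[fd]) return fd;
    return -1;
}
static void put_unused_fd(int fd) { fd_table[fd] = NULL; }
/* Publishes the file: from here on userspace can close(fd) at any time. */
static void fd_install(int fd, struct file *f) { fd_table[fd] = f; }
static void fput(struct file *f) {
    if (f->freed) { uaf_detected++; return; }   /* real kernel: UAF here */
    if (--f->refcount == 0) f->freed = 1;
}
/* What a concurrent close(fd) from userspace does to the model. */
static void userspace_close(int fd) {
    struct file *f = fd_table[fd];
    if (!f) return;
    fd_table[fd] = NULL;
    fput(f);
}

/* Buggy ordering: install first, then a later step fails and the error
 * path drops a reference as if the file were still private to the kernel. */
static int open_buggy(struct file *f, int late_step_fails) {
    int fd = get_unused_fd();
    if (fd < 0) return -1;
    fd_install(fd, f);
    userspace_close(fd);           /* worst-case interleaving: closed already */
    if (late_step_fails) {         /* unwind touches a file userspace freed */
        put_unused_fd(fd);
        fput(f);
        return -1;
    }
    return fd;
}

/* Fixed ordering: all fallible work before fd_install(), which comes last. */
static int open_fixed(struct file *f, int late_step_fails) {
    int fd = get_unused_fd();
    if (fd < 0) return -1;
    if (late_step_fails) {         /* fd not yet visible, so cleanup is safe */
        put_unused_fd(fd);
        fput(f);
        return -1;
    }
    fd_install(fd, f);
    return fd;
}
```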