Full Report
grsecurity maintains a Linux kernel with a set of additional security protections. In this post, they describe a protection inspired by a real bug they found in the Nitro Enclaves driver, caused by bad error handling. The bug in the kernel driver left a stale file pointer in the process's file descriptor table. If the file object were reallocated, that dangling reference would allow sensitive data, such as /etc/shadow, to be read.

What's interesting about this bug is that it was immune to every other mitigation in the kernel, including the ones added by grsecurity. No type confusion, ASLR leak or anything else is required: all we need is to get lucky with the file pointer being reused, and we're good to go. In essence, we have a same-type, same-address use-after-free bug.

The authors chose to add an extra field to `struct file` that can take one of three values, and these values are checked for validity whenever the pointer is fetched from or stored into the file descriptor table. On its own this isn't enough to kill the bug class outright, because a reallocation can update the field and make the dangling pointer look valid once again. To address this, they added a layer of randomness: reallocated objects now start at a different memory address, so the dangling pointer no longer points to the beginning of the reallocated object. Because the magic value isn't found where the pointer expects it, the validation fails. This only works 90% of the time, though.

They found another occurrence of this vulnerability class in the vmwgfx driver, and when they triggered it the check caught the invalid `struct file` pointer. Pretty neat detection of the vulnerability.

This covers `struct file`, but what about other types? Reuse of `struct cred` can be a horrifying vulnerability class, which they decided to mitigate as well. They added a canary to the structure but didn't want to hand-patch every access to it, so they wrote a GCC compiler plugin to insert the checks automatically!
This was tested against a known vulnerability as well, to confirm that it works. Overall, this is an interesting post on the world of kernel security and mitigations, with good explanations and a walkthrough of the various mitigations.
Analysis Summary
# Vulnerability: Same-Type, Same-Address Use-After-Free in Linux Kernel Drivers
## CVE Details
- **CVE ID:** CVE-2022-22942 (Primary example), CVE-2021-31440 (Mentions of vmwgfx), and various dangling file descriptor bugs (e.g., CVE-2022-0435).
- **CVSS Score:** 7.8 (High) - *Estimated based on local privilege escalation impact.*
- **CWE:** CWE-416 (Use After Free), CWE-672 (Operation on a Resource after Expiration or Release)
## Affected Systems
- **Products:** Linux Kernel
- **Versions:**
  - Nitro Enclaves (virt/amazon/nitro_enclaves) prior to fixes in 2021/2022.
  - VMware Virtual GPU driver (vmwgfx).
  - Systems using `fastrpc`, `iio`, or `fanotify` with identified stale FD bugs.
- **Configurations:** Systems where unprivileged users can trigger driver error paths that leave stale entries in the process file descriptor (FD) table.
## Vulnerability Description
The flaw is a specific class of Use-After-Free (UAF) in which an object is released but a "stale" pointer to it remains in the process's FD table because of poor error handling. Because the Linux kernel uses dedicated slab caches for specific object types (such as `struct file`), a file object subsequently allocated by a privileged process (e.g., `passwd` or a mail server) is likely to occupy exactly the same memory address.
Since the object type, address, and bounds remain identical, standard mitigations like KASLR, ASLR, or heap separation (AUTOSLAB) are bypassed. The attacker uses the original stale FD to interact with the new, privileged file object.
## Exploitation
- **Status:** PoC available. Demonstrated capability to read `/etc/shadow` by racing with the `passwd` binary.
- **Complexity:** Medium (Requires timing/racing the reallocation of the freed object).
- **Attack Vector:** Local (Requires local shell access to trigger driver IOCTLs).
## Impact
- **Confidentiality:** High (Access to any file opened by privileged processes, including SSH keys and password hashes).
- **Integrity:** High (Potential to write to privileged files if the reallocated object is opened with write permissions).
- **Availability:** Low (Primary goal is data theft/privilege escalation).
## Remediation
### Patches
- **Upstream Linux:** Fixes applied to specific drivers:
  - Nitro Enclaves: Upstreamed fix for faulty error handling.
  - FastRPC/IIO/Fanotify: Targeted patches to prevent double `fput()` or stale FD references.
- **grsecurity:** Implemented systemic mitigations (see below) rather than per-driver patches.
### Workarounds
- Disable `CONFIG_IO_URING` (often cited as a major source of FD-related UAF).
- Restrict access to vulnerable driver nodes (e.g., `/dev/nitro_enclaves`) to trusted users only.
## Detection
- **Indicators of Compromise:** Unusual file access patterns from unprivileged processes toward sensitive system files.
- **Detection Methods:**
  - **grsecurity Features:** Kernels with grsecurity will detect the "magic value" mismatch in `struct file` or canary corruption in `struct cred` and terminate the task using `DEFERRED_BUG_ON`.
  - **KASAN:** May detect the bug during testing if the reallocation falls within the quarantine window, though less effective against "patient" attackers.
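As an added illustration (not code from the grsecurity post or the kernel), the toy model below reproduces the same-type, same-address reuse described in the report above and the `struct file` magic check listed under Detection: a single slab slot stands in for the dedicated cache, the magic values and slot size are assumed, and a caller-supplied slot offset stands in for the randomised placement.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy user-space model of the scheme summarized on this page, not grsecurity's
 * code. One slab slot stands in for the dedicated struct file cache, so every
 * allocation reuses the same address: the same-type reuse the page describes.
 * The magic values and slot size are assumed, not the kernel's. */
#define SLOT_SIZE   64
#define MAGIC_LIVE  0x5A1D0001u  /* header of an allocated, usable object */
#define MAGIC_FREED 0x5A1D0002u  /* header of a freed object: any use is a bug */

struct file { uint32_t magic; uint32_t owner_uid; };

static uint32_t slot[SLOT_SIZE / 4];   /* one 64-byte slot, 4-byte aligned */

/* Allocate from the slot at a caller-chosen, 4-byte aligned offset. With the
 * mitigation the kernel chooses this offset randomly, so a stale pointer no
 * longer lands on the new object's header. */
static struct file *file_alloc(uint32_t owner_uid, size_t off) {
    struct file *f = (struct file *)((unsigned char *)slot + off);
    f->magic = MAGIC_LIVE;
    f->owner_uid = owner_uid;
    return f;
}

/* Freeing poisons the header rather than just releasing the memory. */
static void file_free(struct file *f) { f->magic = MAGIC_FREED; }

/* fdget-style validation: a pointer taken from the fd table is trusted only
 * if it still points at a live header; the kernel would DEFERRED_BUG_ON here. */
static struct file *fd_get(struct file *fd_entry) {
    return fd_entry->magic == MAGIC_LIVE ? fd_entry : NULL;
}

/* Replays the page's scenario: an unprivileged open leaves a stale fd entry
 * behind after a driver error path, then a privileged task allocates the next
 * struct file from the same slot. Returns 1 if the stale entry passes the
 * check and resolves to the privileged file, 0 if the check rejects it. */
static int stale_fd_reaches_privileged_file(size_t first_off, size_t realloc_off) {
    memset(slot, 0, sizeof slot);
    struct file *stale = file_alloc(1000, first_off); /* unprivileged task (uid 1000) */
    file_free(stale);                                  /* error path frees, fd entry stays */
    struct file *priv = file_alloc(0, realloc_off);    /* root opens a sensitive file */
    return fd_get(stale) == priv;                      /* stale entry used again */
}
```

With identical offsets the check is silently satisfied by the reallocation, which is the weakness the report describes; with the (8, 4) offsets the stale pointer reads the new object's `owner_uid` field as its magic, showing why the scheme is probabilistic rather than absolute.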
## References
- **grsecurity Blog:** hxxps://grsecurity[.]net/exploiting_and_defending_against_same_type_object_reuse
- **Nitro Enclaves Bug Report:** hxxps://www[.]openwall[.]com/lists/oss-security/2021/04/29/5
- **PoC Code:** hxxps://grsecurity[.]net/canary_kernel_mine/cve-2022-22942.c