"Everything is a file" describes an important feature of Unix. The file descriptor, or fd, is used pervasively in the Linux kernel. Exporting an fd to user space and importing an fd from user space are very common and basic operations in the Linux kernel. However, we discovered that many types of high-risk vulnerabilities lurk in the usage of these operations.
We discovered that the usage of fd importing operations in the Linux kernel can be a very vulnerable scenario. Several new types of vulnerabilities were found in this scenario and will be revealed for the first time. Unexpectedly, we also found that known types of vulnerabilities, such as type confusion, are still widespread in this scenario. Moreover, we found a dozen vulnerabilities in the usage of fd exporting operations in kernels. These vulnerabilities exist in the Linux and Android kernels, affecting millions of devices. A comprehensive overview of vulnerabilities in the usage of fd operations will be summarized and thoroughly disclosed in this presentation.
We discovered some interesting facts about the vulnerabilities in the usage of fd operations. First, GPU drivers are more vulnerable than other drivers; examples of vulnerable ones include the ARM Mali GPU driver and the AMD GPU driver. Second, among those examples, the kernel drivers that use the dma-buf interfaces are the more vulnerable ones. Third, because of the peculiarities of these vulnerabilities, some of them can hardly be found by fuzzers like syzkaller. We will delve deeper into these facts in the presentation.
To overcome the difficulty of finding vulnerabilities in the usage of fd operations, we developed several creative methods to guide fuzzers. With the help of such methods, we can easily find the vulnerabilities in the scenarios described above. Coding tips will also be given for the purpose of preventing such vulnerabilities related to file descriptors.
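To make the type-confusion risk in fd importing concrete (and the dma-buf case in particular), here is an added example that is not part of the abstract or the presenters' material: a constructed user-space model of the kernel pattern, with the blind-cast import beside the hardened one that verifies the file type first. The struct layout, the 4-slot fd table and the two sample objects are assumptions made for the model; the defensive idea mirrors how the kernel's `dma_buf_get()` refuses files that are not dma-buf files.

```c
#include <stddef.h>

/* Constructed user-space model of kernel fd import; not kernel code.
 * A struct file carries f_op (which identifies the file type) and
 * private_data (the object behind it). A driver that imports a
 * user-supplied fd and casts private_data to its own object type
 * without checking f_op is type-confused whenever user space hands
 * it an fd of a different type. */
struct file_operations { const char *owner; };
struct file { const struct file_operations *f_op; void *private_data; };

struct dma_buf { size_t size; };       /* the object a dma-buf fd refers to */
struct other_obj { int unrelated; };   /* some unrelated file's object */

static const struct file_operations dma_buf_fops = { "dma_buf" };
static const struct file_operations other_fops = { "other" };

/* Hypothetical process fd table with 4 slots (constructed sample). */
#define NR_FDS 4
static struct dma_buf buf_obj = { 4096 };
static struct other_obj other_obj = { 7 };
static struct file files[NR_FDS] = {
    { &dma_buf_fops, &buf_obj },   /* fd 0: a genuine dma-buf */
    { &other_fops, &other_obj },   /* fd 1: a file of another type */
};

/* fget()-like lookup: bounds check only, carries no type information. */
static struct file *lookup_fd(int fd) {
    if (fd < 0 || fd >= NR_FDS || !files[fd].f_op) return NULL;
    return &files[fd];
}

/* Vulnerable import pattern: trusts private_data without a type check. */
static struct dma_buf *import_unchecked(int fd) {
    struct file *f = lookup_fd(fd);
    return f ? (struct dma_buf *)f->private_data : NULL;
}

/* Hardened import: verify the file type before using private_data. */
static struct dma_buf *import_checked(int fd) {
    struct file *f = lookup_fd(fd);
    if (!f || f->f_op != &dma_buf_fops) return NULL;
    return (struct dma_buf *)f->private_data;
}

/* Buffer size as the driver would see it; 0 when the import is refused. */
static size_t imported_size(struct dma_buf *(*import)(int), int fd) {
    struct dma_buf *b = import(fd);
    return b ? b->size : 0;
}
```

With the unchecked import, fd 1 yields a pointer to `other_obj` that the driver would then read as a `struct dma_buf`; the checked import returns NULL for it and only accepts fd 0.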