Security researchers have discovered a size_t-to-int conversion vulnerability in the Linux kernel's file system code and believe that all Linux kernel versions since 2014 could be affected. The vulnerability, named Sequoia (CVE-2021-33909), is a privilege escalation vulnerability that allows low-privileged users to gain root access.

How the Sequoia vulnerability works

The Linux kernel file system interface is a hierarchical architecture comprising the user interface layer, the file system implementation and the storage device driver. It is one of the most important functions of the operating system and is found in most Linux operating systems.

The Linux kernel's seq_file interface produces a virtual file containing a sequence of records, each of which must fit into the seq_file buffer. When the buffer runs out of space, the kernel simply doubles its size. But what happens if that size_t value is passed to a function whose size parameter is a 32-bit int rather than a size_t? That is exactly how the Sequoia vulnerability works.
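As an added illustration (not kernel code and not from the article), the narrowing described above modelled in isolation: a size_t buffer size that has doubled to 2 GiB no longer fits a signed 32-bit int, so an int-taking callee receives a negative length. A hypothetical checked variant sits beside it; it is not the upstream fix.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a helper whose length parameter is a 32-bit int, like the
 * path-formatting functions seq_file hands its buffer to. */
static int remaining_space_int(int buflen)
{
    return buflen;          /* the callee only ever sees an int */
}

/* Unchecked: mirrors the flawed pattern. Buffer bookkeeping is size_t, the
 * callee takes int, and the conversion is silent. Once the buffer has
 * doubled to 2 GiB the value exceeds INT_MAX, so on the usual compilers
 * (modular conversion) the callee receives a negative length. */
int unchecked_len(size_t size, size_t count)
{
    size_t remaining = size - count;
    return remaining_space_int(remaining);   /* implicit size_t -> int */
}

/* Checked (hypothetical hardening for illustration): never hand an
 * int-taking callee a value that does not fit. Returns the length in
 * [0, INT_MAX], or -1 if it would be truncated or the bookkeeping is off. */
int checked_len(size_t size, size_t count)
{
    if (count > size)                   /* count must not exceed size */
        return -1;
    size_t remaining = size - count;
    if (remaining > (size_t)INT_MAX)    /* would flip sign when narrowed */
        return -1;
    return (int)remaining;
}

int main(void)
{
    size_t one_gib = (size_t)1 << 30;   /* constructed sizes */
    printf("1 GiB buffer: unchecked %d, checked %d\n",
           unchecked_len(one_gib, 0), checked_len(one_gib, 0));
    printf("2 GiB buffer: unchecked %d, checked %d\n",
           unchecked_len(2 * one_gib, 0), checked_len(2 * one_gib, 0));
    return 0;
}
```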

Security researchers from Qualys say: by creating, mounting and deleting a deep directory structure with a total path length of more than 1GB, and by open()ing and read()ing /proc/self/mountinfo, an unprivileged local attacker can achieve an out-of-bounds write through a series of further operations. An attacker can use this to corrupt data, crash the system, or even execute unauthorized code.

The Qualys researchers successfully exploited the vulnerability to gain full root access on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions may also be vulnerable and exploitable.

The solution

The Qualys team discovered the vulnerability in early June, and Red Hat has since released a patch. On July 20, Linux kernel maintainer Greg Kroah-Hartman released a kernel patch for Sequoia in Linux kernel version 5.13.4.

If the kernel cannot be upgraded, users can still mitigate the problem by setting /proc/sys/kernel/unprivileged_userns_clone to 0, which prevents an attacker from mounting a long directory in a user namespace. However, an attacker can still mount a long directory through Filesystem in Userspace (FUSE). When the long directory exceeds 8MB, systemd exhausts its stack and crashes, which brings down the entire operating system.

Users can also set /proc/sys/kernel/unprivileged_bpf_disabled to 1 to prevent an attacker from loading eBPF programs into the kernel.

However, the above mitigations only block Qualys' specific exploits, and other attack paths may exist. To fully fix the vulnerability, the kernel must be patched.

Reference links:

  • https://blog.qualys.com/vulne…
  • https://www.zdnet.com/article…
  • https://cdn.kernel.org/pub/li…