Devils Are in the File Descriptors: It Is Time To Catch Them All

Conference:  Black Hat USA 2022

2022-08-10

Summary

The presentation discusses vulnerabilities in the FD export operation and the FD import operation in the kernel, and suggests ways to detect and fix these issues.
  • FD export operation vulnerabilities can lead to use-after-free issues, and GPU drivers are more likely to introduce such issues
  • Two vulnerabilities were found in the ARM Mali GPU driver, affecting many Android devices
  • FD import operation vulnerabilities can cause FD type confusion, and issues were found in vendor kernels
  • Detection code can be added to the kernel FD APIs to locate these issues
  • Future work includes finding similar issues in other predictable resources such as IDR and process PIDs
The speaker found that importing an FD many times is never a good idea, and suggested that the kernel should import an FD only once to get the file object, and that all the following code should process this file object directly.
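The two bug classes in the summary, as an added example that is not part of the talk or of any kernel: a constructed, single-threaded user-space model of an fd table (all names are hypothetical stand-ins for fget/fput/fd_install) in which a "racer" stands in for a second user thread. The import side shows why a type check on a first fget() says nothing about a second fget() of the same number, versus importing once and keeping the struct file. The export side shows one well-known way an export can go wrong, chosen here as an illustration rather than as the talk's specific finding: installing the fd before the operation can still fail, then dropping on the error path the reference the table already owns.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define FD_MAX 8
#define EBADF  9
#define EFAULT 14
#define EINVAL 22

enum file_kind { KIND_DMABUF = 1, KIND_REGULAR = 2 };

struct file {
    enum file_kind kind;
    int refcount;   /* refs held by the fd table plus kernel code; 0 == freed */
};

/* Constructed model of one process's fd table (not kernel code). Unlike the
 * real get_unused_fd_flags(), the model does not reserve the number. */
static struct file *fdtable[FD_MAX];

static int model_get_unused_fd(void) {
    for (int i = 0; i < FD_MAX; i++)
        if (!fdtable[i]) return i;
    return -1;
}
/* The table takes over the caller's reference, as fd_install() does. */
static void model_fd_install(int fd, struct file *f) { fdtable[fd] = f; }
static struct file *model_fget(int fd) {
    if (fd < 0 || fd >= FD_MAX || !fdtable[fd]) return NULL;
    fdtable[fd]->refcount++;
    return fdtable[fd];
}
static void model_fput(struct file *f) { f->refcount--; }
static void model_close(int fd) {
    struct file *f = fdtable[fd];
    fdtable[fd] = NULL;
    if (f) model_fput(f);
}

/* "Another user thread": when armed, it closes fd and dup2()s a regular file
 * into the same number, which is exactly what a second import cannot see. */
static struct file *racer_file;
static void racer_swap(int fd) {
    if (!racer_file) return;
    model_close(fd);
    racer_file->refcount++;
    model_fd_install(fd, racer_file);
}

/* Import-side bug: the fd is looked up twice and the type check covers only the
 * first lookup. Returns the kind of the file that ends up used as a dma-buf. */
int import_twice(int fd) {
    struct file *f = model_fget(fd);
    if (!f) return -EBADF;
    bool ok = (f->kind == KIND_DMABUF);
    model_fput(f);
    if (!ok) return -EINVAL;
    racer_swap(fd);               /* race window between the two imports */
    f = model_fget(fd);           /* second import, no type check */
    if (!f) return -EBADF;
    int used = f->kind;
    model_fput(f);
    return used;
}

/* Import once, check once, keep using that struct file. */
int import_once(int fd) {
    struct file *f = model_fget(fd);
    if (!f) return -EBADF;
    if (f->kind != KIND_DMABUF) { model_fput(f); return -EINVAL; }
    racer_swap(fd);               /* same race, but we still hold f */
    int used = f->kind;
    model_fput(f);
    return used;
}

/* Export-side bug: fd_install() publishes the file to user space, then the error
 * path (e.g. copy_to_user() of the fd number failed) drops the reference the
 * table now owns: the slot stays live while the refcount hits 0. */
int export_install_first(struct file *f, bool copy_to_user_fails) {
    int fd = model_get_unused_fd();
    if (fd < 0) return -EINVAL;
    model_fd_install(fd, f);
    if (copy_to_user_fails) { model_fput(f); return -EFAULT; }
    return fd;
}

/* Install last: nothing is visible to user space until the call cannot fail. */
int export_install_last(struct file *f, bool copy_to_user_fails) {
    int fd = model_get_unused_fd();
    if (fd < 0) return -EINVAL;
    if (copy_to_user_fails) { model_fput(f); return -EFAULT; }  /* table untouched */
    model_fd_install(fd, f);
    return fd;
}

/* Scenario on a fresh table: fd 3 is a dma-buf, the racer swaps in a regular file. */
int run_import(bool fixed) {
    static struct file dmabuf, regular;
    memset(fdtable, 0, sizeof fdtable);
    dmabuf  = (struct file){ KIND_DMABUF, 1 };
    regular = (struct file){ KIND_REGULAR, 1 };
    model_fd_install(3, &dmabuf);
    racer_file = &regular;
    return fixed ? import_once(3) : import_twice(3);
}

/* Export with a failing copy_to_user(): true if a slot points at a freed file. */
bool run_export_leaves_dangling(bool fixed) {
    static struct file newfile;
    memset(fdtable, 0, sizeof fdtable);
    newfile = (struct file){ KIND_DMABUF, 1 };
    (void)(fixed ? export_install_last : export_install_first)(&newfile, true);
    for (int i = 0; i < FD_MAX; i++)
        if (fdtable[i] && fdtable[i]->refcount <= 0) return true;
    return false;
}
```

In the model, import_twice() ends up treating the racer's regular file as a dma-buf, while import_once() keeps operating on the file it checked even though the fd number was reused underneath it; export_install_first() leaves fd 0 pointing at a file with refcount 0, which a later close() would free again.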

Abstract

"Everything is a file" describes an important feature of Unix. The file descriptor, or fd, is widely used in the Linux kernel. Exporting an fd to user space and importing an fd from user space are very common and basic operations in the Linux kernel. However, we discovered that there are many types of high-risk vulnerabilities lurking in the usage of these operations.

We discovered that the usage of fd importing operations in the Linux kernel can be a very vulnerable scenario. Several new types of vulnerabilities were found in this scenario and will be revealed for the first time. We also found that known types of vulnerabilities like type confusion are, unexpectedly, still widespread in this scenario. Moreover, we found a dozen vulnerabilities in the usage of fd exporting operations in kernels. These vulnerabilities exist in the Linux and Android kernels, affecting millions of devices. A comprehensive overview of vulnerabilities in the usage of fd operations will be summarized and thoroughly disclosed in this presentation.

We discovered some interesting facts about the vulnerabilities in the usage of fd operations. First, GPU drivers are more vulnerable; examples of vulnerable ones include the ARM Mali GPU driver, the AMD GPU driver, etc. Second, among the above examples, the kernel drivers which use the dma-buf interfaces are more vulnerable. Third, because of the peculiarities of these vulnerabilities, some of them can hardly be found by fuzzers like syzkaller. We will delve deeper into these facts in the presentation.

To overcome the difficulty of finding vulnerabilities in the usage of fd operations, we developed several creative methods to guide fuzzers. With the help of such methods, we can easily find the vulnerabilities in the above-described scenarios. Coding tips will also be given for the purpose of preventing such vulnerabilities related to file descriptors.
