Trick #1
If you have an arbitrary kfree and need a leak: use the setxattr technique and block on the last byte of the copy. Then free the buffer and reallocate another object, unblock the copy, and leak the contents of the object using getxattr.
This would also work if you have a double free with no knowledge of the address being freed.
NOTES: There are hundreds of paths like setxattr. All you need is a heap allocation with a user-controlled size followed by copy_from_user. But the technique is pretty much dead on newer kernels/distros, as with most techniques that become public. But you can do the same thing with FUSE from an unprivileged user :) you can mmap a normal map next to a FUSE file mapping to block after a partial write.
Which distros allow userfaultfd or FUSE from unpriv by default?
-
Most of them allow fuse since fusermount/fusermount3 is installed as a setuid binary by upstream and permits it unless they’re changing something. I think pretty much any of them with packages for fuse2/fuse3 and the typical approach to package management, etc.
-
Not really an answer to your question, but if you can create unprivileged user+mount namespaces, you can mount FUSE in there no matter how the distro has configured the normal FUSE tooling (unless the kernel is too old for that).