On Wed, Jul 10, 2019 at 06:26:29PM +0800, bsauce wrote:
> In seq_release(), 'm->buf' points to a chunk. It is freed but not cleared to 
> null right away. It can be reused by seq_read() or srm_env_proc_write().

Well, no.  The ->release method is called when there are no more file
descriptors referring to this file.  So there's no way to call seq_read()
or srm_env_proc_write() after seq_release() is called.

> For example, /arch/alpha/kernel/srm_env.c provides several interfaces to 
> userspace, like 'single_release', 'seq_read' and 'srm_env_proc_write'.
> Thus in userspace, one can exploit this UAF vulnerability to escape privilege.

Please provide a PoC.
