ACE Seminar: How Double-Fetch Situations turn into Double-Fetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel

Speaker: Pengfei Wang

Date/Time: 15-Sep-2016, 15:00 UTC

Venue: Engineering Front Executive Suite 103



Race conditions are the most common cause of concurrency bugs in multi-threaded programs. A double-fetch bug is a special case of a Time-Of-Check to Time-Of-Use issue that occurs in the use of shared memory under a race condition between kernel space and user space. We present the first (to the best of our knowledge) analysis and study of double fetches in the Linux kernel. With the help of a static pattern-based analysis, we identify typical situations in which double fetches occur. We categorize the 90 identified double-fetch situations into three scenarios and discuss each of the three scenarios in detail. A statistical analysis shows that double fetches are more likely to occur in drivers (57 out of 90), which are hard to analyze with a dynamic approach when the hardware is not available. Furthermore, we propose an approach based on the Coccinelle matching engine, which found six previously unknown double-fetch bugs, four of them in drivers, three of which are exploitable double-fetch vulnerabilities. Our report has been adopted by the Coccinelle team and is currently being integrated into Linux kernel checking via Coccinelle.
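The abstract describes the bug class in one sentence; the following is an added illustration (not code from the talk, the paper, or the Linux kernel) of how a double-fetch situation becomes a double-fetch vulnerability. User memory is modelled as a plain buffer, copy_from_user() as a memcpy, and the racing user-space thread as a hook that runs between the kernel's two fetches of a user-controlled length field. The vulnerable handler checks the length it got from the first fetch but copies with the length from the second; the hardened handler fetches once into kernel memory and validates and uses only that copy. All names (handle_vulnerable, handle_fixed, run_scenario, the KBUF_SIZE and guard-byte layout) are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of a kernel double fetch; not code from the talk
 * or from the Linux kernel. User memory is a plain buffer, copy_from_user()
 * is a memcpy, and an optional hook between the two fetches plays the part
 * of the racing user-space thread.
 */

#define KBUF_SIZE   64   /* size of the kernel-side destination buffer */
#define CANARY_SIZE 16   /* guard bytes after kbuf so an overflow is visible */
#define INITIAL_LEN 16   /* honest length the user thread starts with */

struct msg_hdr {
    uint32_t len;        /* user-controlled length of the payload that follows */
};

struct result {
    long bytes;          /* handler return: bytes copied, or -1 if rejected */
    int  canary_ok;      /* 1 if the guard bytes after kbuf survived */
};

typedef void (*race_hook_t)(unsigned char *user_mem);

/* Stand-in for copy_from_user(): every call re-reads user memory. */
static void copy_from_user_sim(void *dst, const unsigned char *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Vulnerable pattern: the value from fetch 1 is checked, fetch 2 is used. */
static long handle_vulnerable(unsigned char *user_mem, race_hook_t race,
                              unsigned char *kbuf)
{
    struct msg_hdr hdr;

    copy_from_user_sim(&hdr, user_mem, sizeof hdr);      /* fetch 1: check */
    if (hdr.len > KBUF_SIZE)
        return -1;                                       /* EINVAL stand-in */

    if (race)
        race(user_mem);   /* the window in which user space rewrites len */

    copy_from_user_sim(&hdr, user_mem, sizeof hdr);      /* fetch 2: use */
    /* hdr.len now comes from the second fetch and was never validated */
    copy_from_user_sim(kbuf, user_mem + sizeof hdr, hdr.len);
    return hdr.len;
}

/* Hardened pattern: fetch once into kernel memory, check and use that copy. */
static long handle_fixed(unsigned char *user_mem, race_hook_t race,
                         unsigned char *kbuf)
{
    struct msg_hdr hdr;

    copy_from_user_sim(&hdr, user_mem, sizeof hdr);      /* the only fetch of len */
    if (hdr.len > KBUF_SIZE)
        return -1;

    if (race)
        race(user_mem);   /* user space may still change its copy ... */

    /* ... but the kernel only consults its own validated hdr.len */
    copy_from_user_sim(kbuf, user_mem + sizeof hdr, hdr.len);
    return hdr.len;
}

/* Racing user thread: bumps len past the kernel buffer after the check. */
static void racer_grow_len(unsigned char *user_mem)
{
    struct msg_hdr evil = { .len = KBUF_SIZE + 8 };
    memcpy(user_mem, &evil, sizeof evil);
}

/* Runs one handler against a fresh user buffer and kernel buffer. */
struct result run_scenario(int hardened, int racing)
{
    /* "user pages": header followed by a payload large enough for the racer */
    unsigned char user_mem[sizeof(struct msg_hdr) + KBUF_SIZE + CANARY_SIZE];
    /* kernel buffer followed by guard bytes */
    unsigned char storage[KBUF_SIZE + CANARY_SIZE];
    struct msg_hdr honest = { .len = INITIAL_LEN };
    struct result r;

    memcpy(user_mem, &honest, sizeof honest);
    memset(user_mem + sizeof honest, 'A', sizeof user_mem - sizeof honest);
    memset(storage, 0, KBUF_SIZE);
    memset(storage + KBUF_SIZE, 0xCC, CANARY_SIZE);

    r.bytes = (hardened ? handle_fixed : handle_vulnerable)
                  (user_mem, racing ? racer_grow_len : NULL, storage);

    r.canary_ok = 1;
    for (size_t i = 0; i < CANARY_SIZE; i++)
        if (storage[KBUF_SIZE + i] != 0xCC)
            r.canary_ok = 0;
    return r;
}

int main(void)
{
    const char *names[] = { "vulnerable", "fixed" };
    for (int h = 0; h < 2; h++)
        for (int race = 0; race < 2; race++) {
            struct result r = run_scenario(h, race);
            printf("%-10s race=%d -> copied %ld bytes, guard %s\n",
                   names[h], race, r.bytes, r.canary_ok ? "intact" : "OVERWRITTEN");
        }
    return 0;
}
```

Without the race both handlers copy 16 bytes; with it, the vulnerable handler passes its bounds check on len=16 and then copies 72 bytes, clobbering the guard region, while the fixed handler still copies 16. A static pattern-based check such as the one the abstract describes looks for exactly the vulnerable shape: two fetches of the same user address inside one function, with the second result used after the first was checked.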


Pengfei Wang is a PhD student at the National University of Defense Technology, China, and a visiting student at CREST (Centre for Research on Evolution, Search and Testing) of UCL from Oct. 2015 to Oct. 2016, supervised by Dr. Jens Krinke. His research interests include system security and concurrency bugs.


This page was last modified on 27 Mar 2014.