Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 11 May 2022 00:38:51 +0800
From: Minh Yuan <yuanmingbuaa@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel: A concurrency use-after-free in bad_flp_intr for latest kernel version

By the way, this race issue has been assigned CVE-2022-1652 by Red Hat.

Minh Yuan <yuanmingbuaa@...il.com> 于2022年5月10日周二 14:59写道:

> Hi everyone,
>
> My fuzzer discovered another concurrency uaf between reset_interrupt and
> floppy_end_request in the latest kernel version (5.17.5 for now).
>
> The root cause is that after deallocating current_req in
> floppy_end_request, reset_interrupt still holds the freed
> current_req->error_count and accesses it concurrently.
>
> Here is the KASAN report:
>
> BUG: KASAN: use-after-free in bad_flp_intr+0x332/0x460
>
> Call Trace:
>  __dump_stack
>  dump_stack+0x1e9/0x30e
>  print_address_description+0x6a/0x310
>  kasan_report_error
>  kasan_report+0x1bf/0x290
>  bad_flp_intr+0x332/0x460
>  reset_interrupt+0x16e/0x1b0
>  process_one_work+0xc61/0x1530
>  worker_thread+0xa7f/0x1440
>  kthread+0x346/0x370
>  ret_from_fork+0x24/0x30
>
> Allocated by task 12590:
>  kmem_cache_alloc_node+0x200/0x390
>  alloc_request_simple+0x42/0x70
>  mempool_alloc+0x166/0x6b0
>  __get_request+0x92c/0x1c50
>  get_request+0x756/0x10e0
>  blk_queue_bio+0x523/0x12d0
> audit: type=1804 audit(1651287706.088:1517): pid=13750 uid=0 auid=0 ses=6
> subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.2"
> name=2F73797A6B616C6C65722D746573746469723539363038303737352F73797A6B616C6C65722E6C56656931332F313737362F48C7C060
> dev="sda" ino=136083 res=1
>  generic_make_request+0x561/0xe20
>  submit_bio+0x259/0x560
> audit: type=1800 audit(1651287706.088:1518): pid=13752 uid=0 auid=0 ses=6
> subj==unconfined op=collect_data cause=failed(directio)
> comm="syz-executor.2" name=48C7C060 dev="sda" ino=136083 res=0
>  __floppy_read_block_0
>  floppy_revalidate+0xa70/0xd90
>  check_disk_change+0x11e/0x1a0
>  floppy_open+0x54d/0x890
>  __blkdev_get+0x3ce/0x1ab0
>  blkdev_get+0x986/0xb20
>  do_dentry_open+0x91d/0x10a0
>  do_last
>  path_openat+0x298d/0x6de0
>  do_filp_open+0x24a/0x4c0
>  do_sys_open+0x361/0x5d0
>  do_syscall_64+0x111/0x710
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 2856:
>  __cache_free
>  kmem_cache_free+0xc8/0x260
>  blk_free_request
>  __blk_put_request+0x4d8/0xcd0
>  __blk_end_bidi_request+0x1d4/0x260
>  floppy_end_request
>  request_done+0x701/0x950
>  floppy_shutdown+0x14a/0x2b0
>  process_one_work+0xc61/0x1530
>  worker_thread+0xa7f/0x1440
>  kthread+0x346/0x370
>  ret_from_fork+0x24/0x30
>
>
>
> Timeline:
> * 04.30.22 - Vulnerability reported to security@...nel.org.
> * 05.01.22 - Vulnerability reported to linux-distros@...openwall.org.
> * 05.10.22 - Vulnerability opened.
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.