Date: Tue, 14 Jun 2022 09:07:55 +0800
From: Gerald Lee <sundaywind2004@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1976: Linux Kernel: A use-after-free in __lock_acquire

Hi all,

=*=*=*=*=*=*=*=*=   BUG DETAILS  =*=*=*=*=*=*=*=*=

The old inflight tracking is still needed for any file type that has io_uring_fops assigned; without it, trivial circular references mean the ctx never gets cleaned up and hence leaks.

This issue was reported on May 31 and assigned CVE-2022-1976.

C repro is attached.


=*=*=*=*=*=*=*=*=     BACKTRACE     =*=*=*=*=*=*=*=*=

BUG: KASAN: use-after-free in __lock_acquire+0x385f/0x5840 root/opt/kernel/kernel/locking/lockdep.c:4899
Read of size 8 at addr ffff8880682db3b8 by task kworker/1:9/9642

CPU: 1 PID: 9642 Comm: kworker/1:9 Not tainted 5.18.0 #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events io_fallback_req_func
Call Trace:
 <TASK>
 __dump_stack root/opt/kernel/lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 root/opt/kernel/lib/dump_stack.c:106
 print_address_description root/opt/kernel/mm/kasan/report.c:313 [inline]
 print_report.cold+0xe5/0x659 root/opt/kernel/mm/kasan/report.c:429
 kasan_report+0x8a/0x1b0 root/opt/kernel/mm/kasan/report.c:491
 __lock_acquire+0x385f/0x5840 root/opt/kernel/kernel/locking/lockdep.c:4899
 lock_acquire root/opt/kernel/kernel/locking/lockdep.c:5641 [inline]
 lock_acquire+0x1ab/0x520 root/opt/kernel/kernel/locking/lockdep.c:5606
 __raw_spin_lock_irq root/opt/kernel/./include/linux/spinlock_api_smp.h:119 [inline]
 _raw_spin_lock_irq+0x32/0x50 root/opt/kernel/kernel/locking/spinlock.c:170
 spin_lock_irq root/opt/kernel/./include/linux/spinlock.h:374 [inline]
 io_poll_remove_entry root/opt/kernel/fs/io_uring.c:6840 [inline]
 io_poll_remove_entries.part.0+0x15f/0x7d0 root/opt/kernel/fs/io_uring.c:6873
 io_poll_remove_entries root/opt/kernel/fs/io_uring.c:6853 [inline]
 io_poll_task_func+0x187/0x500 root/opt/kernel/fs/io_uring.c:6971
 io_fallback_req_func+0xfa/0x1b0 root/opt/kernel/fs/io_uring.c:1824
 process_one_work+0x9cc/0x1650 root/opt/kernel/kernel/workqueue.c:2289
 worker_thread+0x623/0x1070 root/opt/kernel/kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 root/opt/kernel/kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 root/opt/kernel/arch/x86/entry/entry_64.S:302
 </TASK>

Allocated by task 11840:
 kasan_save_stack+0x1e/0x40 root/opt/kernel/mm/kasan/common.c:38
 kasan_set_track root/opt/kernel/mm/kasan/common.c:45 [inline]
 set_alloc_info root/opt/kernel/mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc root/opt/kernel/mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc root/opt/kernel/mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 root/opt/kernel/mm/kasan/common.c:524
 kasan_kmalloc root/opt/kernel/./include/linux/kasan.h:234 [inline]
 __kmalloc+0x1c9/0x4c0 root/opt/kernel/mm/slub.c:4414
 io_ring_ctx_alloc root/opt/kernel/fs/io_uring.c:1838 [inline]
 io_uring_create root/opt/kernel/fs/io_uring.c:12396 [inline]
 io_uring_setup.cold+0x176/0x2a59 root/opt/kernel/fs/io_uring.c:12535
 do_syscall_x64 root/opt/kernel/arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 root/opt/kernel/arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 787:
 kasan_save_stack+0x1e/0x40 root/opt/kernel/mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 root/opt/kernel/mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 root/opt/kernel/mm/kasan/generic.c:370
 ____kasan_slab_free root/opt/kernel/mm/kasan/common.c:366 [inline]
 ____kasan_slab_free root/opt/kernel/mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0x11d/0x190 root/opt/kernel/mm/kasan/common.c:374
 kasan_slab_free root/opt/kernel/./include/linux/kasan.h:200 [inline]
 slab_free_hook root/opt/kernel/mm/slub.c:1728 [inline]
 slab_free_freelist_hook root/opt/kernel/mm/slub.c:1754 [inline]
 slab_free root/opt/kernel/mm/slub.c:3510 [inline]
 kfree+0xec/0x4b0 root/opt/kernel/mm/slub.c:4552
 io_ring_ctx_free root/opt/kernel/fs/io_uring.c:11159 [inline]
 io_ring_exit_work+0xefb/0xf43 root/opt/kernel/fs/io_uring.c:11303
 process_one_work+0x9cc/0x1650 root/opt/kernel/kernel/workqueue.c:2289
 worker_thread+0x623/0x1070 root/opt/kernel/kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 root/opt/kernel/kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 root/opt/kernel/arch/x86/entry/entry_64.S:302

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 root/opt/kernel/mm/kasan/common.c:38
 __kasan_record_aux_stack+0xbe/0xd0 root/opt/kernel/mm/kasan/generic.c:348
 insert_work+0x4a/0x390 root/opt/kernel/kernel/workqueue.c:1358
 __queue_work+0x4dd/0x1140 root/opt/kernel/kernel/workqueue.c:1517
 queue_work_on+0xee/0x110 root/opt/kernel/kernel/workqueue.c:1545
 queue_work root/opt/kernel/./include/linux/workqueue.h:502 [inline]
 io_ring_ctx_wait_and_kill+0x2b6/0x2ec root/opt/kernel/fs/io_uring.c:11357
 io_uring_release+0x42/0x46 root/opt/kernel/fs/io_uring.c:11365
 __fput+0x277/0x9d0 root/opt/kernel/fs/file_table.c:317
 task_work_run+0xe0/0x1a0 root/opt/kernel/kernel/task_work.c:177
 exit_task_work root/opt/kernel/./include/linux/task_work.h:38 [inline]
 do_exit+0xb16/0x2dc0 root/opt/kernel/kernel/exit.c:795
 do_group_exit+0xd2/0x2f0 root/opt/kernel/kernel/exit.c:925
 get_signal+0x2847/0x2880 root/opt/kernel/kernel/signal.c:2864
 arch_do_signal_or_restart+0x81/0x1e30 root/opt/kernel/arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop root/opt/kernel/kernel/entry/common.c:166 [inline]
 exit_to_user_mode_prepare+0x174/0x260 root/opt/kernel/kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work root/opt/kernel/kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x60 root/opt/kernel/kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 root/opt/kernel/arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff8880682db000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 952 bytes inside of
 2048-byte region [ffff8880682db000, ffff8880682db800)

The buggy address belongs to the physical page:
page:ffffea0001a0b600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x682d8
head:ffffea0001a0b600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000010200 ffffea00019e8e00 dead000000000002 ffff888010c42000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6529, tgid 6529 (syz-executor.2), ts 33495069085, free_ts 0
 set_page_owner root/opt/kernel/./include/linux/page_owner.h:31 [inline]
 post_alloc_hook root/opt/kernel/mm/page_alloc.c:2434 [inline]
 prep_new_page+0x297/0x330 root/opt/kernel/mm/page_alloc.c:2441
 get_page_from_freelist+0x210e/0x3ab0 root/opt/kernel/mm/page_alloc.c:4182
 __alloc_pages+0x30c/0x6e0 root/opt/kernel/mm/page_alloc.c:5408
 alloc_pages+0x119/0x250 root/opt/kernel/mm/mempolicy.c:2272
 alloc_slab_page root/opt/kernel/mm/slub.c:1799 [inline]
 allocate_slab root/opt/kernel/mm/slub.c:1944 [inline]
 new_slab+0x2a9/0x3f0 root/opt/kernel/mm/slub.c:2004
 ___slab_alloc+0xc62/0x1080 root/opt/kernel/mm/slub.c:3005
 __slab_alloc.isra.0+0x4d/0xa0 root/opt/kernel/mm/slub.c:3092
 slab_alloc_node root/opt/kernel/mm/slub.c:3183 [inline]
 slab_alloc root/opt/kernel/mm/slub.c:3225 [inline]
 kmem_cache_alloc_trace+0x383/0x460 root/opt/kernel/mm/slub.c:3256
 kmalloc root/opt/kernel/./include/linux/slab.h:581 [inline]
 kzalloc root/opt/kernel/./include/linux/slab.h:714 [inline]
 ipv6_add_dev root/opt/kernel/net/ipv6/addrconf.c:378 [inline]
 ipv6_add_dev+0xfe/0x12d0 root/opt/kernel/net/ipv6/addrconf.c:368
 addrconf_notify+0x614/0x1bb0 root/opt/kernel/net/ipv6/addrconf.c:3521
 notifier_call_chain+0xb5/0x200 root/opt/kernel/kernel/notifier.c:84
 call_netdevice_notifiers_info root/opt/kernel/net/core/dev.c:1938 [inline]
 call_netdevice_notifiers_info+0xb5/0x130 root/opt/kernel/net/core/dev.c:1923
 call_netdevice_notifiers_extack root/opt/kernel/net/core/dev.c:1976 [inline]
 call_netdevice_notifiers root/opt/kernel/net/core/dev.c:1990 [inline]
 register_netdevice+0xeb5/0x12b0 root/opt/kernel/net/core/dev.c:9994
 veth_newlink+0x405/0xa90 root/opt/kernel/drivers/net/veth.c:1764
 __rtnl_newlink+0xf52/0x1600 root/opt/kernel/net/core/rtnetlink.c:3483
 rtnl_newlink+0x64/0xa0 root/opt/kernel/net/core/rtnetlink.c:3531
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8880682db280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880682db300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880682db380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8880682db400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880682db480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
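Triaging a report like the one above comes down to pairing its three stacks (the faulting access, the allocation and the free), skipping the KASAN and SLUB instrumentation frames that top every stack, and checking that the stated object offset agrees with the addresses. The following Python script is an added example written for this page; it is not part of the advisory, the repro, or the kernel. It parses a trimmed, constructed copy of the report above (wrapped lines rejoined) and extracts the bug class, the access, the recomputed offset, and the first meaningful frame of each stack. The `root/opt/kernel/` tree prefix is taken from the report's paths, and the `NOISE` and `SUBSYSTEMS` path lists are heuristics assumed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional

TREE_PREFIX = "root/opt/kernel/"  # build-tree prefix seen in this report (assumption: set it for yours)
# Instrumentation/allocator frames present in every KASAN stack; skipped during triage (assumption).
NOISE = ("mm/kasan/", "mm/slub.c", "lib/dump_stack.c", "include/linux/kasan.h", "include/linux/slab.h")
SUBSYSTEMS = ("fs/", "net/", "drivers/", "block/")  # heuristic "owning code" paths (assumption)

HEADER_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in ")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task")
OBJECT_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
TASK_RE = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME_RE = re.compile(r"^\s+(?P<sym>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(?P<loc>\S+:\d+)")

# Constructed sample: a trimmed copy of the report quoted in this advisory, with wrapped lines rejoined.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in __lock_acquire+0x385f/0x5840 root/opt/kernel/kernel/locking/lockdep.c:4899
Read of size 8 at addr ffff8880682db3b8 by task kworker/1:9/9642
Call Trace:
 kasan_report+0x8a/0x1b0 root/opt/kernel/mm/kasan/report.c:491
 __lock_acquire+0x385f/0x5840 root/opt/kernel/kernel/locking/lockdep.c:4899
 spin_lock_irq root/opt/kernel/./include/linux/spinlock.h:374 [inline]
 io_poll_remove_entry root/opt/kernel/fs/io_uring.c:6840 [inline]

Allocated by task 11840:
 kasan_save_stack+0x1e/0x40 root/opt/kernel/mm/kasan/common.c:38
 __kmalloc+0x1c9/0x4c0 root/opt/kernel/mm/slub.c:4414
 io_ring_ctx_alloc root/opt/kernel/fs/io_uring.c:1838 [inline]

Freed by task 787:
 kfree+0xec/0x4b0 root/opt/kernel/mm/slub.c:4552
 io_ring_ctx_free root/opt/kernel/fs/io_uring.c:11159 [inline]

The buggy address belongs to the object at ffff8880682db000
The buggy address is located 952 bytes inside of
"""

class Frame(NamedTuple):
    symbol: str
    location: str  # path:line relative to TREE_PREFIX

@dataclass
class KasanReport:
    kind: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    object_base: int = 0
    stated_offset: Optional[int] = None
    tasks: Dict[str, int] = field(default_factory=dict)           # "alloc"/"free" -> pid
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)  # "use"/"alloc"/"free" -> frames

    def offset(self) -> int:
        return self.addr - self.object_base  # recomputed from the addresses, not copied from the text

def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            rep.kind = m["kind"]
        elif m := ACCESS_RE.match(line):
            rep.op, rep.size, rep.addr = m["op"], int(m["size"]), int(m["addr"], 16)
        elif line.startswith("Call Trace:"):
            section = "use"
        elif m := TASK_RE.match(line):
            section = "alloc" if m["what"] == "Allocated" else "free"
            rep.tasks[section] = int(m["pid"])
        elif m := OBJECT_RE.search(line):
            rep.object_base = int(m["base"], 16)
        elif m := OFFSET_RE.search(line):
            rep.stated_offset = int(m["off"])
        elif section and (m := FRAME_RE.match(line)):
            loc = m["loc"].removeprefix(TREE_PREFIX).removeprefix("./")
            rep.stacks.setdefault(section, []).append(Frame(m["sym"], loc))
        elif not line.strip():
            section = None  # a blank line terminates the current stack
    return rep

def first_frame(frames, skip=NOISE, want=None) -> Optional[Frame]:
    for f in frames:  # first frame outside `skip`; with `want`, the first such frame under those paths
        if f.location.startswith(skip):
            continue
        if want is None or f.location.startswith(want):
            return f
    return None

def summarize(rep: KasanReport) -> Dict[str, object]:
    def where(name, want=None):
        f = first_frame(rep.stacks.get(name, []), want=want)
        return f"{f.symbol} ({f.location})" if f else "?"
    return {
        "bug": f"{rep.kind}: {rep.op} of {rep.size} bytes at offset {rep.offset()} inside the object",
        "offset_consistent": rep.stated_offset in (None, rep.offset()),  # does the report's own figure agree?
        "use": where("use"), "use_owner": where("use", SUBSYSTEMS),
        "alloc": where("alloc", SUBSYSTEMS), "free": where("free", SUBSYSTEMS),
    }
```

Running `summarize(parse_kasan_report(SAMPLE_REPORT))` yields the pairing that matters for this advisory: an `io_ring_ctx` allocated in `io_ring_ctx_alloc`, freed by `io_ring_ctx_free` from the exit worker, and touched again from `io_poll_remove_entry` at offset 952, with the recomputed offset matching the report's stated figure.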


=*=*=*=*=*=*=*=*=     PATCH     =*=*=*=*=*=*=*=*=

The patch has been merged into the Linux kernel mainline and stable-master
tree.
It can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9cae36a094e7e9d6e5fe8b6dcd4642138b3eb0c7


=*=*=*=*=*=*=*=*=     CREDIT     =*=*=*=*=*=*=*=*=

Zhixin Li from Zero-one Security <sundaywind2004@...il.com>


Thanks.


View attachment "repro.c" of type "text/x-c-code" (12613 bytes)
