Date: Wed, 14 Dec 2022 23:22:38 +0800
From: Gerald Lee <sundaywind2004@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux Kernel: usb: A use-after-free Write in put_dev

This was assigned CVE-2022-4382.

=*=*=*=*=*=*=*=*=     CREDIT     =*=*=*=*=*=*=*=*=

Zhixin Li from Zero-one Security <sundaywind2004@...il.com>


Thanks.


On Tue, Dec 13, 2022 at 2:53 PM Gerald Lee <sundaywind2004@...il.com> wrote:
>
> Hi all,
>
> =*=*=*=*=*=*=*=*=   BUG DETAILS  =*=*=*=*=*=*=*=*=
>
> This use-after-free violation is caused by a race among the superblock
> operations in the gadgetfs driver. The vulnerability may not be a big
> deal, because the normal user can't execute umount. It could be
> triggered by yanking out a device that is running the gadgetfs side,
> but I don't know how to do that.
>
> C repro is attached.
>
> =*=*=*=*=*=*=*=*=     BACKTRACE     =*=*=*=*=*=*=*=*=
> BUG: KASAN: use-after-free in instrument_atomic_read_write
> include/linux/instrumented.h:102 [inline]
> BUG: KASAN: use-after-free in atomic_fetch_sub_release
> include/linux/atomic/atomic-instrumented.h:176 [inline]
> BUG: KASAN: use-after-free in __refcount_sub_and_test
> include/linux/refcount.h:272 [inline]
> BUG: KASAN: use-after-free in __refcount_dec_and_test
> include/linux/refcount.h:315 [inline]
> BUG: KASAN: use-after-free in refcount_dec_and_test
> include/linux/refcount.h:333 [inline]
> BUG: KASAN: use-after-free in put_dev+0x22/0xd0
> drivers/usb/gadget/legacy/inode.c:159
> Write of size 4 at addr ffff8880436d2040 by task syz-executor.5/7587
>
> CPU: 1 PID: 7587 Comm: syz-executor.5 Not tainted 6.1.0-rc7 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
>  print_address_description mm/kasan/report.c:284 [inline]
>  print_report+0x15e/0x45d mm/kasan/report.c:395
>  kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
>  check_region_inline mm/kasan/generic.c:183 [inline]
>  kasan_check_range+0x141/0x190 mm/kasan/generic.c:189
>  instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
>  atomic_fetch_sub_release
> include/linux/atomic/atomic-instrumented.h:176 [inline]
>  __refcount_sub_and_test include/linux/refcount.h:272 [inline]
>  __refcount_dec_and_test include/linux/refcount.h:315 [inline]
>  refcount_dec_and_test include/linux/refcount.h:333 [inline]
>  put_dev+0x22/0xd0 drivers/usb/gadget/legacy/inode.c:159
>  gadgetfs_kill_sb+0x2e/0x60 drivers/usb/gadget/legacy/inode.c:2086
>  deactivate_locked_super+0x98/0x160 fs/super.c:332
>  vfs_get_super fs/super.c:1190 [inline]
>  get_tree_single+0x188/0x1d0 fs/super.c:1207
>  vfs_get_tree+0x8d/0x2f0 fs/super.c:1531
>  vfs_fsconfig_locked fs/fsopen.c:232 [inline]
>  __do_sys_fsconfig+0x8d6/0xc20 fs/fsopen.c:439
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7f8d5129078d
> Code: c3 e8 17 32 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f8d52024bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
> RAX: ffffffffffffffda RBX: 00007f8d513cbf80 RCX: 00007f8d5129078d
> RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
> RBP: 00007f8d512feb02 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007ffd48293eff R14: 00007ffd48294090 R15: 00007f8d52024d80
>  </TASK>
>
> Allocated by task 7561:
>  kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
>  kasan_set_track+0x25/0x30 mm/kasan/common.c:52
>  ____kasan_kmalloc mm/kasan/common.c:371 [inline]
>  ____kasan_kmalloc mm/kasan/common.c:330 [inline]
>  __kasan_kmalloc+0xa5/0xb0 mm/kasan/common.c:380
>  kmalloc include/linux/slab.h:553 [inline]
>  kzalloc include/linux/slab.h:689 [inline]
>  dev_new drivers/usb/gadget/legacy/inode.c:170 [inline]
>  gadgetfs_fill_super+0x1e4/0x460 drivers/usb/gadget/legacy/inode.c:2041
>  vfs_get_super fs/super.c:1169 [inline]
>  get_tree_single+0xd6/0x1d0 fs/super.c:1207
>  vfs_get_tree+0x8d/0x2f0 fs/super.c:1531
>  vfs_fsconfig_locked fs/fsopen.c:232 [inline]
>  __do_sys_fsconfig+0x8d6/0xc20 fs/fsopen.c:439
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> Last potentially related work creation:
>  kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
>  __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
>  call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
>  pwq_unbound_release_workfn+0x26b/0x340 kernel/workqueue.c:3736
>  process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
>  worker_thread+0x669/0x1090 kernel/workqueue.c:2436
>  kthread+0x2e8/0x3a0 kernel/kthread.c:376
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
>
> Second to last potentially related work creation:
>  kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
>  __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
>  call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
>  pwq_unbound_release_workfn+0x26b/0x340 kernel/workqueue.c:3736
>  process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
>  worker_thread+0x669/0x1090 kernel/workqueue.c:2436
>  kthread+0x2e8/0x3a0 kernel/kthread.c:376
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
>
> The buggy address belongs to the object at ffff8880436d2000
>  which belongs to the cache kmalloc-1k of size 1024
> The buggy address is located 64 bytes inside of
>  1024-byte region [ffff8880436d2000, ffff8880436d2400)
>
> The buggy address belongs to the physical page:
> page:ffffea00010db400 refcount:1 mapcount:0 mapping:0000000000000000
> index:0x0 pfn:0x436d0
> head:ffffea00010db400 order:3 compound_mapcount:0 compound_pincount:0
> flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff)
> raw: 04fff00000010200 dead000000000100 dead000000000122 ffff888012041dc0
> raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 3, migratetype Unmovable, gfp_mask
> 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 6599,
> tgid 6599 (syz-executor.0), ts 29294571719, free_ts 29285126043
>  prep_new_page mm/page_alloc.c:2539 [inline]
>  get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4291
>  __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5558
>  alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285
>  alloc_slab_page mm/slub.c:1794 [inline]
>  allocate_slab+0x213/0x300 mm/slub.c:1939
>  new_slab mm/slub.c:1992 [inline]
>  ___slab_alloc+0xa9b/0x13e0 mm/slub.c:3180
>  __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
>  slab_alloc_node mm/slub.c:3364 [inline]
>  __kmem_cache_alloc_node+0x199/0x3e0 mm/slub.c:3437
>  kmalloc_trace+0x26/0x60 mm/slab_common.c:1045
>  kmalloc include/linux/slab.h:553 [inline]
>  kzalloc include/linux/slab.h:689 [inline]
>  batadv_hardif_add_interface net/batman-adv/hard-interface.c:864 [inline]
>  batadv_hard_if_event+0x8a1/0x1450 net/batman-adv/hard-interface.c:952
>  notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
>  call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945
>  call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
>  call_netdevice_notifiers net/core/dev.c:1997 [inline]
>  register_netdevice+0x10bf/0x1670 net/core/dev.c:10090
>  veth_newlink+0x4d1/0x990 drivers/net/veth.c:1795
>  rtnl_newlink_create net/core/rtnetlink.c:3364 [inline]
>  __rtnl_newlink+0x1084/0x17e0 net/core/rtnetlink.c:3581
>  rtnl_newlink+0x68/0xa0 net/core/rtnetlink.c:3594
>  rtnetlink_rcv_msg+0x43e/0xca0 net/core/rtnetlink.c:6091
> page last free stack trace:
>  reset_page_owner include/linux/page_owner.h:24 [inline]
>  free_pages_prepare mm/page_alloc.c:1459 [inline]
>  free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509
>  free_unref_page_prepare mm/page_alloc.c:3387 [inline]
>  free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483
>  qlink_free mm/kasan/quarantine.c:168 [inline]
>  qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
>  kasan_quarantine_reduce+0x184/0x210 mm/kasan/quarantine.c:294
>  __kasan_slab_alloc+0x66/0x90 mm/kasan/common.c:302
>  kasan_slab_alloc include/linux/kasan.h:201 [inline]
>  slab_post_alloc_hook mm/slab.h:737 [inline]
>  slab_alloc_node mm/slub.c:3398 [inline]
>  __kmem_cache_alloc_node+0x2e2/0x3e0 mm/slub.c:3437
>  kmalloc_trace+0x26/0x60 mm/slab_common.c:1045
>  kmalloc include/linux/slab.h:553 [inline]
>  kzalloc include/linux/slab.h:689 [inline]
>  kset_create lib/kobject.c:937 [inline]
>  kset_create_and_add+0x4f/0x1a0 lib/kobject.c:980
>  register_queue_kobjects net/core/net-sysfs.c:1766 [inline]
>  netdev_register_kobject+0x1ca/0x400 net/core/net-sysfs.c:2019
>  register_netdevice+0xd99/0x1670 net/core/dev.c:10057
>  __ip_tunnel_create+0x398/0x570 net/ipv4/ip_tunnel.c:267
>  ip_tunnel_init_net+0x2ec/0x9f0 net/ipv4/ip_tunnel.c:1073
>  ops_init+0xb9/0x680 net/core/net_namespace.c:135
>  setup_net+0x5d1/0xc50 net/core/net_namespace.c:332
>  copy_net_ns+0x31c/0x760 net/core/net_namespace.c:478
>  create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
>
> Memory state around the buggy address:
>  ffff8880436d1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff8880436d1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >ffff8880436d2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                                            ^
>  ffff8880436d2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff8880436d2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> =*=*=*=*=*=*=*=*=     PATCH     =*=*=*=*=*=*=*=*=
>
> The patch has been done by Alan Stern, and it can be found here:
> https://lore.kernel.org/linux-usb/Y5dV11OoM3ojxNHy@rowland.harvard.edu/
>
> Thanks.
