
List:       oss-security
Subject:    Re: [oss-security] Linux kernel: A concurrency use-after-free in bad_flp_intr for latest kernel vers
From:       Minh Yuan <yuanmingbuaa@gmail.com>
Date:       2022-05-10 16:38:51
Message-ID: CAH5WSp4ZArJaWpdDQpX8vvvYmJTD1yiWpOVVY6R2ZKHgTPU8Ow@mail.gmail.com


By the way, this race issue has been assigned CVE-2022-1652 by Red Hat.

Minh Yuan <yuanmingbuaa@gmail.com> wrote on Tue, 10 May 2022 at 14:59:

> Hi everyone,
>
> My fuzzer discovered another concurrency uaf between reset_interrupt and
> floppy_end_request in the latest kernel version (5.17.5 for now).
>
> The root cause is that after deallocating current_req in
> floppy_end_request, reset_interrupt still holds the freed
> current_req->error_count and accesses it concurrently.
>
> Here is the KASAN report:
>
> BUG: KASAN: use-after-free in bad_flp_intr+0x332/0x460
>
> Call Trace:
>  __dump_stack
>  dump_stack+0x1e9/0x30e
>  print_address_description+0x6a/0x310
>  kasan_report_error
>  kasan_report+0x1bf/0x290
>  bad_flp_intr+0x332/0x460
>  reset_interrupt+0x16e/0x1b0
>  process_one_work+0xc61/0x1530
>  worker_thread+0xa7f/0x1440
>  kthread+0x346/0x370
>  ret_from_fork+0x24/0x30
>
> Allocated by task 12590:
>  kmem_cache_alloc_node+0x200/0x390
>  alloc_request_simple+0x42/0x70
>  mempool_alloc+0x166/0x6b0
>  __get_request+0x92c/0x1c50
>  get_request+0x756/0x10e0
>  blk_queue_bio+0x523/0x12d0
>  generic_make_request+0x561/0xe20
>  submit_bio+0x259/0x560
>  __floppy_read_block_0
>  floppy_revalidate+0xa70/0xd90
>  check_disk_change+0x11e/0x1a0
>  floppy_open+0x54d/0x890
>  __blkdev_get+0x3ce/0x1ab0
>  blkdev_get+0x986/0xb20
>  do_dentry_open+0x91d/0x10a0
>  do_last
>  path_openat+0x298d/0x6de0
>  do_filp_open+0x24a/0x4c0
>  do_sys_open+0x361/0x5d0
>  do_syscall_64+0x111/0x710
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> [audit messages that were interleaved with the allocation trace in the log:]
> audit: type=1804 audit(1651287706.088:1517): pid=13750 uid=0 auid=0 ses=6
> subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.2"
> name=2F73797A6B616C6C65722D746573746469723539363038303737352F73797A6B616C6C65722E6C56656931332F313737362F48C7C060
> dev="sda" ino=136083 res=1
> audit: type=1800 audit(1651287706.088:1518): pid=13752 uid=0 auid=0 ses=6
> subj==unconfined op=collect_data cause=failed(directio)
> comm="syz-executor.2" name=48C7C060 dev="sda" ino=136083 res=0
>
> Freed by task 2856:
>  __cache_free
>  kmem_cache_free+0xc8/0x260
>  blk_free_request
>  __blk_put_request+0x4d8/0xcd0
>  __blk_end_bidi_request+0x1d4/0x260
>  floppy_end_request
>  request_done+0x701/0x950
>  floppy_shutdown+0x14a/0x2b0
>  process_one_work+0xc61/0x1530
>  worker_thread+0xa7f/0x1440
>  kthread+0x346/0x370
>  ret_from_fork+0x24/0x30
>
>
>
> Timeline:
> * 04.30.22 - Vulnerability reported to security@kernel.org.
> * 05.01.22 - Vulnerability reported to linux-distros@vs.openwall.org.
> * 05.10.22 - Vulnerability opened.
>

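The interleaving described in the quoted report, as an added example that is not part of the original post and is not code from the kernel's floppy driver: a user-space C model in which a global `current_req` is freed by a completion path while an error path still holds a pointer to it and later reads `error_count`. The function names (`submit_request`, `racy_snapshot`, `end_request_racy`, `end_request_safe`, `bad_intr_safe`), the `live_objects` counter and the spinlock are assumptions of the model; in the driver the corresponding paths are `floppy_end_request` and `bad_flp_intr` as the KASAN trace shows, and this example makes no claim about how the upstream fix is written. The hardened half shows the generic pattern for this class of bug: detach the shared pointer under the lock before freeing it, and check it under the same lock in the same critical section that touches the object.

```c
/* User-space model of a completion/error-path use-after-free on a shared
 * request pointer (added example, not floppy.c). Sequential calls step
 * through the interleaving the KASAN report implies. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct request {
    int error_count;
};

/* Shared state: the in-flight request, kept in a global as the driver does. */
static struct request *current_req;
/* Number of live request objects; model-only bookkeeping, never in the driver. */
static int live_objects;
/* Lock serialising completion against the error path (C11 spinlock stand-in
 * for a kernel spinlock; assumption of the model). */
static atomic_flag req_lock = ATOMIC_FLAG_INIT;

static void lock_req(void)
{
    while (atomic_flag_test_and_set_explicit(&req_lock, memory_order_acquire))
        ;
}

static void unlock_req(void)
{
    atomic_flag_clear_explicit(&req_lock, memory_order_release);
}

/* Submission: install a fresh request. */
void submit_request(void)
{
    struct request *req = calloc(1, sizeof *req);
    if (!req)
        abort();
    lock_req();
    current_req = req;
    live_objects++;
    unlock_req();
}

/* Racy error path, step 1: cache the pointer with no lifetime guarantee,
 * intending to use it after the reset completes. */
struct request *racy_snapshot(void)
{
    return current_req;
}

/* Racy completion path: free without detaching. Any cached copy now dangles;
 * dereferencing it later is the reported use-after-free. The model never
 * dereferences the stale pointer, it only shows that it dangles. */
void end_request_racy(void)
{
    lock_req();
    free(current_req);
    live_objects--;
    unlock_req();
}

/* Hardened completion path: detach under the lock, then free. After this no
 * path can reach the request through current_req. */
void end_request_safe(void)
{
    lock_req();
    struct request *req = current_req;
    current_req = NULL;
    if (req)
        live_objects--;
    unlock_req();
    free(req);
}

/* Hardened error path: liveness check and error_count update in one critical
 * section. Returns the new error_count, or -1 when no request is in flight. */
int bad_intr_safe(void)
{
    int ec = -1;
    lock_req();
    if (current_req)
        ec = ++current_req->error_count;
    unlock_req();
    return ec;
}

/* Returns 1 when a pointer cached before completion outlives the object. */
int racy_interleaving_dangles(void)
{
    submit_request();
    uintptr_t cached = (uintptr_t)racy_snapshot(); /* error path caches the pointer */
    end_request_racy();                            /* completion frees the object */
    int dangles = cached != 0 && live_objects == 0;
    current_req = NULL;                            /* reset model state only */
    return dangles;
}

/* Returns 1 when the hardened paths never expose a freed request. */
int safe_interleaving_ok(void)
{
    submit_request();
    int first = bad_intr_safe(); /* request live: error_count becomes 1 */
    end_request_safe();          /* detach and free */
    int after = bad_intr_safe(); /* nothing in flight: -1, no access */
    return first == 1 && after == -1;
}

int main(void)
{
    printf("racy: cached pointer dangles after completion = %d\n",
           racy_interleaving_dangles());
    printf("hardened: error path safe across completion   = %d\n",
           safe_interleaving_ok());
    return 0;
}
```

Built with a sanitizer (`-fsanitize=address`), adding a single `((struct request *)cached)->error_count` read after `end_request_racy()` reproduces a heap-use-after-free report of the same shape as the KASAN output above, which is a convenient way to confirm that a proposed fix actually closes the window rather than narrowing it.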
