[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Linux kernel: A concurrency use-after-free in bad_flp_intr for latest kernel vers
From: Minh Yuan <yuanmingbuaa () gmail ! com>
Date: 2022-05-10 16:38:51
Message-ID: CAH5WSp4ZArJaWpdDQpX8vvvYmJTD1yiWpOVVY6R2ZKHgTPU8Ow () mail ! gmail ! com
[Download RAW message or body]
By the way, this race issue has been assigned CVE-2022-1652 by Red Hat.
Minh Yuan <yuanmingbuaa@gmail.com> 于2022年5月10日周二 14:59写道:
> Hi everyone,
>
> My fuzzer discovered another concurrency uaf between reset_interrupt and
> floppy_end_request in the latest kernel version (5.17.5 for now).
>
> The root cause is that after deallocating current_req in
> floppy_end_request, reset_interrupt still holds the freed
> current_req->error_count and accesses it concurrently.
>
> Here is the KASAN report:
>
> BUG: KASAN: use-after-free in bad_flp_intr+0x332/0x460
>
> Call Trace:
> __dump_stack
> dump_stack+0x1e9/0x30e
> print_address_description+0x6a/0x310
> kasan_report_error
> kasan_report+0x1bf/0x290
> bad_flp_intr+0x332/0x460
> reset_interrupt+0x16e/0x1b0
> process_one_work+0xc61/0x1530
> worker_thread+0xa7f/0x1440
> kthread+0x346/0x370
> ret_from_fork+0x24/0x30
>
> Allocated by task 12590:
> kmem_cache_alloc_node+0x200/0x390
> alloc_request_simple+0x42/0x70
> mempool_alloc+0x166/0x6b0
> __get_request+0x92c/0x1c50
> get_request+0x756/0x10e0
> blk_queue_bio+0x523/0x12d0
> audit: type=1804 audit(1651287706.088:1517): pid=13750 uid=0 auid=0 ses=6
> subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.2"
> name=2F73797A6B616C6C65722D746573746469723539363038303737352F73797A6B616C6C65722E6C56656931332F313737362F48C7C060
> dev="sda" ino=136083 res=1
> generic_make_request+0x561/0xe20
> submit_bio+0x259/0x560
> audit: type=1800 audit(1651287706.088:1518): pid=13752 uid=0 auid=0 ses=6
> subj==unconfined op=collect_data cause=failed(directio)
> comm="syz-executor.2" name=48C7C060 dev="sda" ino=136083 res=0
> __floppy_read_block_0
> floppy_revalidate+0xa70/0xd90
> check_disk_change+0x11e/0x1a0
> floppy_open+0x54d/0x890
> __blkdev_get+0x3ce/0x1ab0
> blkdev_get+0x986/0xb20
> do_dentry_open+0x91d/0x10a0
> do_last
> path_openat+0x298d/0x6de0
> do_filp_open+0x24a/0x4c0
> do_sys_open+0x361/0x5d0
> do_syscall_64+0x111/0x710
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 2856:
> __cache_free
> kmem_cache_free+0xc8/0x260
> blk_free_request
> __blk_put_request+0x4d8/0xcd0
> __blk_end_bidi_request+0x1d4/0x260
> floppy_end_request
> request_done+0x701/0x950
> floppy_shutdown+0x14a/0x2b0
> process_one_work+0xc61/0x1530
> worker_thread+0xa7f/0x1440
> kthread+0x346/0x370
> ret_from_fork+0x24/0x30
>
>
>
> Timeline:
> * 04.30.22 - Vulnerability reported to security@kernel.org.
> * 05.01.22 - Vulnerability reported to linux-distros@vs.openwall.org.
> * 05.10.22 - Vulnerability opened.
>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic