List: oss-security
Subject: [oss-security] CVE-2022-4379: Linux kernel: use-after-free in __nfs42_ssc_open
From: Xingyuan Mo <hdthky0 () gmail ! com>
Date: 2022-12-14 8:31:25
Message-ID: Y5mJ3dLcB49yYsDo () ip-172-31-85-199 ! ec2 ! internal
Hello,
We found a use-after-free vulnerability in __nfs42_ssc_open() in the NFS subsystem
of Linux through v6.1, which allows an attacker to trigger a remote denial of
service.
=*=*=*=*=*=*=*=*= Bug Details =*=*=*=*=*=*=*=*=
The use-after-free violation is caused by dereferencing a vfsmount which is
freed but still remains on the delayed unmount list. The reason the vfsmount is
freed is that nfs42_ssc_open returns an error when called in
nfsd4_do_async_copy. During my testing, this bug can be triggered by two
consecutive inter-server-side copies, if the first one encounters some kind of
error.
=*=*=*=*=*=*=*=*= Backtrace =*=*=*=*=*=*=*=*=
[ 150.198088 ] ==================================================================
[ 150.199766 ] BUG: KASAN: use-after-free in __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[ 150.201108 ] Read of size 8 at addr ffff888008bbc4a8 by task copy thread/375
[ 150.203035 ]
[ 150.203392 ] CPU: 4 PID: 375 Comm: copy thread Not tainted 6.1.0-rc8 #20
[ 150.204790 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/04
[ 150.206709 ] Call Trace:
[ 150.207271 ] <TASK>
[ 150.207740 ] dump_stack_lvl (lib/dump_stack.c:107)
[ 150.208562 ] print_report (mm/kasan/report.c:285 mm/kasan/report.c:395)
[ 150.209385 ] ? __virt_addr_valid (./include/linux/mmzone.h:1759 ./include/linux/mmzone.h:1855 arch/x86/mm/physaddr.c:65)
[ 150.210296 ] ? __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[ 150.211184 ] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
[ 150.211967 ] ? __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[ 150.212742 ] __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[ 150.213343 ] ? _raw_read_lock_bh (kernel/locking/spinlock.c:161)
[ 150.213935 ] nfsd4_do_async_copy (./include/linux/nfs_ssc.h:47 fs/nfsd/nfs4proc.c:1764)
[ 150.214520 ] ? preempt_count_sub (kernel/sched/core.c:5697)
[ 150.215133 ] ? __kthread_parkme (kernel/kthread.c:283)
[ 150.215769 ] ? nfsd4_read (fs/nfsd/nfs4proc.c:1757)
[ 150.216349 ] kthread (kernel/kthread.c:376)
[ 150.216873 ] ? kthread_complete_and_exit (kernel/kthread.c:331)
[ 150.217630 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[ 150.218206 ] </TASK>
[ 150.218551 ]
[ 150.218803 ] Allocated by task 350:
[ 150.219348 ] kasan_save_stack (mm/kasan/common.c:46)
[ 150.219938 ] kasan_set_track (mm/kasan/common.c:52)
[ 150.220522 ] __kasan_slab_alloc (mm/kasan/common.c:328)
[ 150.221148 ] kmem_cache_alloc (./include/linux/kasan.h:201 mm/slab.h:737 mm/slub.c:3398 mm/slub.c:3406 mm/slub.c:3413 mm/slub.c:3422)
[ 150.221786 ] alloc_vfsmnt (./include/linux/slab.h:679 fs/namespace.c:198)
[ 150.222348 ] vfs_create_mount (fs/namespace.c:1017)
[ 150.222919 ] vfs_kern_mount.part.48 (fs/namespace.c:1073)
[ 150.223376 ] nfsd4_interssc_connect.isra.24 (fs/nfsd/nfs4proc.c:1443)
[ 150.223915 ] nfsd4_copy (fs/nfsd/nfs4proc.c:1499 fs/nfsd/nfs4proc.c:1805)
[ 150.224249 ] nfsd4_proc_compound (fs/nfsd/nfs4proc.c:2710)
[ 150.224647 ] nfsd_dispatch (fs/nfsd/nfssvc.c:1056)
[ 150.225000 ] svc_process_common (net/sunrpc/svc.c:1339)
[ 150.225403 ] svc_process (net/sunrpc/svc.c:1463)
[ 150.225735 ] nfsd (fs/nfsd/nfssvc.c:979)
[ 150.226022 ] kthread (kernel/kthread.c:376)
[ 150.226330 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[ 150.226662 ]
[ 150.226810 ] Freed by task 0:
[ 150.227072 ] kasan_save_stack (mm/kasan/common.c:46)
[ 150.227417 ] kasan_set_track (mm/kasan/common.c:52)
[ 150.227765 ] kasan_save_free_info (mm/kasan/generic.c:513)
[ 150.228134 ] __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
[ 150.228497 ] kmem_cache_free (mm/slub.c:1750 mm/slub.c:3661 mm/slub.c:3683)
[ 150.228842 ] rcu_core (./arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2257 kernel/rcu/tree.c:2510)
[ 150.229144 ] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
[ 150.229483 ]
[ 150.229636 ] Last potentially related work creation:
[ 150.230102 ] kasan_save_stack (mm/kasan/common.c:46)
[ 150.230470 ] __kasan_record_aux_stack (mm/kasan/generic.c:481)
[ 150.230901 ] call_rcu (./arch/x86/include/asm/irqflags.h:29 (discriminator 3) ./arch/x86/include/asm/irqflags.h:70 (discriminator 3) ./arch/x86/include/asm/irqflags.h:106 (discriminator 3) kernel/rcu/tree.c:2799 (discriminator 3))
[ 150.231214 ] mntput_no_expire (fs/namespace.c:1272)
[ 150.231586 ] nfsd4_do_async_copy (./include/linux/slab.h:553 ./include/linux/slab.h:689 fs/nfsd/nfs4proc.c:1734 fs/nfsd/nfs4proc.c:1787)
[ 150.231980 ] kthread (kernel/kthread.c:376)
[ 150.232295 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[ 150.232637 ]
[ 150.232792 ] The buggy address belongs to the object at ffff888008bbc480
[ 150.232792 ] which belongs to the cache mnt_cache of size 320
[ 150.233849 ] The buggy address is located 40 bytes inside of
[ 150.233849 ] 320-byte region [ffff888008bbc480, ffff888008bbc5c0)
[ 150.234828 ]
[ 150.234970 ] The buggy address belongs to the physical page:
[ 150.235442 ] page:00000000711edc3f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfnc
[ 150.236154 ] head:00000000711edc3f order:1 compound_mapcount:0 compound_pincount:0
[ 150.236724 ] flags: 0x100000000010200(slab|head|node=0|zone=1)
[ 150.237193 ] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888004946dc0
[ 150.237784 ] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[ 150.238367 ] page dumped because: kasan: bad access detected
[ 150.238804 ]
[ 150.238934 ] Memory state around the buggy address:
[ 150.239304 ] ffff888008bbc380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 150.239868 ] ffff888008bbc400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 150.240420 ] >ffff888008bbc480: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 150.240967 ] ^
[ 150.241333 ] ffff888008bbc500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 150.241885 ] ffff888008bbc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 150.242431 ] ==================================================================
=*=*=*=*=*=*=*=*= Patch =*=*=*=*=*=*=*=*=
The patch was written by Dai Ngo, and it can be found here:
https://lore.kernel.org/all/1670885411-10060-1-git-send-email-dai.ngo@oracle.com/
=*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*=
Xingyuan Mo and Gengjia Chen of IceSword Lab, Qihoo 360 Technology Co. Ltd.
Best Regards,
Xingyuan Mo
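
A user-space model of the ownership bug the report describes, added here for
illustration; it is not code from the report, from the kernel, or from Dai
Ngo's patch. It assumes a simplified picture in which a list of cached mounts
(standing in for nfsd's delayed unmount list) owns one reference to each
mount, an error path in the copy wrongly drops that reference so the mount is
freed while still linked, and the next copy finds the stale entry and uses it,
as in the two-consecutive-copies trigger above. All names (ssc_mount,
ssc_cache, ssc_connect, ssc_open, do_copy_*) are hypothetical; the "freed"
flag replaces the real allocator so the stale access is reported instead of
being undefined behaviour. The "fixed" variant shows one correct ownership
rule (only the list's own expiry releases the reference); it is a model, not a
description of what the upstream patch changes.

```c
/* Model of a refcounted mount that stays on a cache list between copies.
 * Added example with hypothetical names; not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ssc_mount {
    int refcnt;
    int freed;               /* set on release; stands in for the slab freelist */
    char server[32];
    struct ssc_mount *next;  /* link on the delayed-unmount list */
};

struct ssc_cache {
    struct ssc_mount *delayed_umount;  /* mounts kept around between copies */
};

static void mount_put(struct ssc_mount *m)
{
    if (--m->refcnt == 0)
        m->freed = 1;        /* a real allocator would return the memory here */
}

/* Find or create a mount to 'server'. The list owns one reference. The lookup
 * deliberately does not check 'freed': a freed object that is still linked is
 * exactly the condition the report describes. */
static struct ssc_mount *ssc_connect(struct ssc_cache *c, const char *server)
{
    struct ssc_mount *m;
    for (m = c->delayed_umount; m; m = m->next)
        if (strcmp(m->server, server) == 0)
            return m;
    m = calloc(1, sizeof *m);
    if (!m)
        return NULL;
    m->refcnt = 1;
    snprintf(m->server, sizeof m->server, "%s", server);
    m->next = c->delayed_umount;
    c->delayed_umount = m;
    return m;
}

/* Stands in for nfs42_ssc_open(): -2 if the mount has already been freed,
 * which is where KASAN fires in the real trace. */
static int ssc_open(struct ssc_mount *m)
{
    return m->freed ? -2 : 0;
}

/* Vulnerable flow: an open error drops the list's reference, freeing the
 * mount while it stays linked; the next copy finds and dereferences it. */
static int do_copy_vulnerable(struct ssc_cache *c, int inject_error)
{
    struct ssc_mount *m = ssc_connect(c, "src.example");
    int ret;
    if (!m)
        return -1;
    ret = inject_error ? -1 : ssc_open(m);
    if (ret < 0)
        mount_put(m);        /* BUG: object still reachable through the list */
    return ret;
}

/* Corrected flow: the error path leaves the reference with the list; only the
 * list's own expiry (not modelled) releases the mount. */
static int do_copy_fixed(struct ssc_cache *c, int inject_error)
{
    struct ssc_mount *m = ssc_connect(c, "src.example");
    if (!m)
        return -1;
    return inject_error ? -1 : ssc_open(m);
}

/* Two consecutive copies, the first one failing, as in the report.
 * Returns the second copy's result: 0 = ok, -2 = freed mount was used. */
static int run_two_copies(int (*do_copy)(struct ssc_cache *, int))
{
    struct ssc_cache c = { .delayed_umount = NULL };
    int ret;
    do_copy(&c, 1);
    ret = do_copy(&c, 0);
    while (c.delayed_umount) {       /* tear down the model's list */
        struct ssc_mount *n = c.delayed_umount->next;
        free(c.delayed_umount);
        c.delayed_umount = n;
    }
    return ret;
}

int main(void)
{
    printf("vulnerable flow: %s\n",
           run_two_copies(do_copy_vulnerable) == -2 ? "use-after-free" : "ok");
    printf("fixed flow:      %s\n",
           run_two_copies(do_copy_fixed) == 0 ? "ok" : "use-after-free");
    return 0;
}
```

The point the model makes is the one to check in any refcounted cache: every
error path must either unlink the object from every structure that can hand it
out again or leave the structure's reference untouched; dropping the reference
while the object stays reachable is the use-after-free.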