List:       oss-security
Subject:    [oss-security] CVE-2022-4379: Linux kernel: use-after-free in __nfs42_ssc_open
From:       Xingyuan Mo <hdthky0 () gmail ! com>
Date:       2022-12-14 8:31:25
Message-ID: Y5mJ3dLcB49yYsDo () ip-172-31-85-199 ! ec2 ! internal

Hello,

We found a use-after-free vulnerability in __nfs42_ssc_open() in the NFS subsystem
of Linux through v6.1 which allows an attacker to trigger a remote denial of
service.

=*=*=*=*=*=*=*=*=  Bug Details  =*=*=*=*=*=*=*=*=

The use-after-free violation is caused by dereferencing a vfsmount which is
freed but still remains on the delayed unmount list. The reason the vfsmount is
freed is that nfs42_ssc_open returns an error when called in
nfsd4_do_async_copy. During my testing, this bug can be triggered by two
consecutive inter-server-side copies, if the first one encounters some kind of
error.

=*=*=*=*=*=*=*=*=  Backtrace  =*=*=*=*=*=*=*=*=

[  150.198088 ] ==================================================================
[  150.199766 ] BUG: KASAN: use-after-free in __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[  150.201108 ] Read of size 8 at addr ffff888008bbc4a8 by task copy thread/375
[  150.203035 ]
[  150.203392 ] CPU: 4 PID: 375 Comm: copy thread Not tainted 6.1.0-rc8 #20
[  150.204790 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/04
[  150.206709 ] Call Trace:
[  150.207271 ]  <TASK>
[  150.207740 ] dump_stack_lvl (lib/dump_stack.c:107)
[  150.208562 ] print_report (mm/kasan/report.c:285 mm/kasan/report.c:395)
[  150.209385 ] ? __virt_addr_valid (./include/linux/mmzone.h:1759 ./include/linux/mmzone.h:1855 arch/x86/mm/physaddr.c:65)
[  150.210296 ] ? __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[  150.211184 ] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
[  150.211967 ] ? __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[  150.212742 ] __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[  150.213343 ] ? _raw_read_lock_bh (kernel/locking/spinlock.c:161)
[  150.213935 ] nfsd4_do_async_copy (./include/linux/nfs_ssc.h:47 fs/nfsd/nfs4proc.c:1764)
[  150.214520 ] ? preempt_count_sub (kernel/sched/core.c:5697)
[  150.215133 ] ? __kthread_parkme (kernel/kthread.c:283)
[  150.215769 ] ? nfsd4_read (fs/nfsd/nfs4proc.c:1757)
[  150.216349 ] kthread (kernel/kthread.c:376)
[  150.216873 ] ? kthread_complete_and_exit (kernel/kthread.c:331)
[  150.217630 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[  150.218206 ]  </TASK>
[  150.218551 ]
[  150.218803 ] Allocated by task 350:
[  150.219348 ] kasan_save_stack (mm/kasan/common.c:46)
[  150.219938 ] kasan_set_track (mm/kasan/common.c:52)
[  150.220522 ] __kasan_slab_alloc (mm/kasan/common.c:328)
[  150.221148 ] kmem_cache_alloc (./include/linux/kasan.h:201 mm/slab.h:737 mm/slub.c:3398 mm/slub.c:3406 mm/slub.c:3413 mm/slub.c:3422)
[  150.221786 ] alloc_vfsmnt (./include/linux/slab.h:679 fs/namespace.c:198)
[  150.222348 ] vfs_create_mount (fs/namespace.c:1017)
[  150.222919 ] vfs_kern_mount.part.48 (fs/namespace.c:1073)
[  150.223376 ] nfsd4_interssc_connect.isra.24 (fs/nfsd/nfs4proc.c:1443)
[  150.223915 ] nfsd4_copy (fs/nfsd/nfs4proc.c:1499 fs/nfsd/nfs4proc.c:1805)
[  150.224249 ] nfsd4_proc_compound (fs/nfsd/nfs4proc.c:2710)
[  150.224647 ] nfsd_dispatch (fs/nfsd/nfssvc.c:1056)
[  150.225000 ] svc_process_common (net/sunrpc/svc.c:1339)
[  150.225403 ] svc_process (net/sunrpc/svc.c:1463)
[  150.225735 ] nfsd (fs/nfsd/nfssvc.c:979)
[  150.226022 ] kthread (kernel/kthread.c:376)
[  150.226330 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[  150.226662 ]
[  150.226810 ] Freed by task 0:
[  150.227072 ] kasan_save_stack (mm/kasan/common.c:46)
[  150.227417 ] kasan_set_track (mm/kasan/common.c:52)
[  150.227765 ] kasan_save_free_info (mm/kasan/generic.c:513)
[  150.228134 ] __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
[  150.228497 ] kmem_cache_free (mm/slub.c:1750 mm/slub.c:3661 mm/slub.c:3683)
[  150.228842 ] rcu_core (./arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2257 kernel/rcu/tree.c:2510)
[  150.229144 ] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
[  150.229483 ]
[  150.229636 ] Last potentially related work creation:
[  150.230102 ] kasan_save_stack (mm/kasan/common.c:46)
[  150.230470 ] __kasan_record_aux_stack (mm/kasan/generic.c:481)
[  150.230901 ] call_rcu (./arch/x86/include/asm/irqflags.h:29 (discriminator 3) ./arch/x86/include/asm/irqflags.h:70 (discriminator 3) ./arch/x86/include/asm/irqflags.h:106 (discriminator 3) kernel/rcu/tree.c:2799 (discriminator 3))
[  150.231214 ] mntput_no_expire (fs/namespace.c:1272)
[  150.231586 ] nfsd4_do_async_copy (./include/linux/slab.h:553 ./include/linux/slab.h:689 fs/nfsd/nfs4proc.c:1734 fs/nfsd/nfs4proc.c:1787)
[  150.231980 ] kthread (kernel/kthread.c:376)
[  150.232295 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[  150.232637 ]
[  150.232792 ] The buggy address belongs to the object at ffff888008bbc480
[  150.232792 ]  which belongs to the cache mnt_cache of size 320
[  150.233849 ] The buggy address is located 40 bytes inside of
[  150.233849 ]  320-byte region [ffff888008bbc480, ffff888008bbc5c0)
[  150.234828 ]
[  150.234970 ] The buggy address belongs to the physical page:
[  150.235442 ] page:00000000711edc3f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfnc
[  150.236154 ] head:00000000711edc3f order:1 compound_mapcount:0 compound_pincount:0
[  150.236724 ] flags: 0x100000000010200(slab|head|node=0|zone=1)
[  150.237193 ] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888004946dc0
[  150.237784 ] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[  150.238367 ] page dumped because: kasan: bad access detected
[  150.238804 ]
[  150.238934 ] Memory state around the buggy address:
[  150.239304 ]  ffff888008bbc380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  150.239868 ]  ffff888008bbc400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  150.240420 ] >ffff888008bbc480: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  150.240967 ]                                   ^
[  150.241333 ]  ffff888008bbc500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  150.241885 ]  ffff888008bbc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  150.242431 ] ==================================================================

=*=*=*=*=*=*=*=*=  Patch  =*=*=*=*=*=*=*=*=

The patch has been done by Dai Ngo, and it can be found here:
https://lore.kernel.org/all/1670885411-10060-1-git-send-email-dai.ngo@oracle.com/

=*=*=*=*=*=*=*=*=  Credit  =*=*=*=*=*=*=*=*=

Xingyuan Mo and Gengjia Chen of IceSword Lab, Qihoo 360 Technology Co. Ltd.


Best Regards,
Xingyuan Mo
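The KASAN report quoted above is the kind of artefact a kernel maintainer or distro security team has to triage: which object, which cache, where it was allocated, who scheduled its release, and which function touched it afterwards. The following is an added example, not part of the advisory or of any kernel tooling: a small Python parser for KASAN use-after-free reports that strips the mailing-list archive's "[ <timestamp> ]" prefixes, collects the "Call Trace", "Allocated by", "Freed by" and "Last potentially related work creation" stacks, and produces a one-line triage summary. The sample report embedded in the block is a constructed, abridged copy of the report in this post; the list of infrastructure frame prefixes it skips when picking a frame to blame is a heuristic of this example, not a KASAN convention.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the KASAN report quoted in the advisory.
# The archive's "[ <timestamp> ]" prefixes are kept so the parser must strip them;
# only a few frames of each stack are included.
SAMPLE_REPORT = """\
[  150.198088 ] ==================================================================
[  150.199766 ] BUG: KASAN: use-after-free in __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[  150.201108 ] Read of size 8 at addr ffff888008bbc4a8 by task copy thread/375
[  150.203035 ]
[  150.203392 ] CPU: 4 PID: 375 Comm: copy thread Not tainted 6.1.0-rc8 #20
[  150.206709 ] Call Trace:
[  150.207271 ]  <TASK>
[  150.207740 ] dump_stack_lvl (lib/dump_stack.c:107)
[  150.210296 ] ? __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[  150.212742 ] __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[  150.213935 ] nfsd4_do_async_copy (./include/linux/nfs_ssc.h:47 fs/nfsd/nfs4proc.c:1764)
[  150.218206 ]  </TASK>
[  150.218551 ]
[  150.218803 ] Allocated by task 350:
[  150.219348 ] kasan_save_stack (mm/kasan/common.c:46)
[  150.222348 ] alloc_vfsmnt (./include/linux/slab.h:679 fs/namespace.c:198)
[  150.223376 ] nfsd4_interssc_connect.isra.24 (fs/nfsd/nfs4proc.c:1443)
[  150.226662 ]
[  150.226810 ] Freed by task 0:
[  150.227072 ] kasan_save_stack (mm/kasan/common.c:46)
[  150.228842 ] rcu_core (kernel/rcu/tree.c:2257 kernel/rcu/tree.c:2510)
[  150.229483 ]
[  150.229636 ] Last potentially related work creation:
[  150.230102 ] kasan_save_stack (mm/kasan/common.c:46)
[  150.231214 ] mntput_no_expire (fs/namespace.c:1272)
[  150.231586 ] nfsd4_do_async_copy (fs/nfsd/nfs4proc.c:1734 fs/nfsd/nfs4proc.c:1787)
[  150.232637 ]
[  150.232792 ] The buggy address belongs to the object at ffff888008bbc480
[  150.232792 ]  which belongs to the cache mnt_cache of size 320
[  150.233849 ] The buggy address is located 40 bytes inside of
[  150.233849 ]  320-byte region [ffff888008bbc480, ffff888008bbc5c0)
[  150.242431 ] ==================================================================
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\s*\]\s?")
BUG = re.compile(r"^BUG: KASAN: (\S+) in (\S+) \(([^)]*)\)$")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)$")
STACK_HEAD = re.compile(r"^(Call Trace|Allocated by task \d+|Freed by task \d+|"
                        r"Last potentially related work creation):$")
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\s+\((.*)\)$")  # "? func" = unreliable
CACHE = re.compile(r"^which belongs to the cache (\S+) of size (\d+)$")
OFFSET = re.compile(r"^The buggy address is located (\d+) bytes inside of$")

# Heuristic of this example: allocator, KASAN, RCU and thread plumbing frames never
# name the code responsible for the object, so they are skipped when assigning blame.
INFRA_PREFIXES = ("kasan_", "__kasan_", "dump_stack", "print_report", "kmem_cache_",
                  "rcu_core", "call_rcu", "__do_softirq", "kthread", "ret_from_fork")


@dataclass
class Frame:
    func: str
    location: str
    unreliable: bool = False


@dataclass
class KasanReport:
    bug_type: str = ""
    crash_func: str = ""
    crash_location: str = ""
    access: str = ""
    size: int = 0
    addr: str = ""
    task: str = ""
    cache: str = ""
    object_size: int = 0
    offset: int = 0
    stacks: dict = field(default_factory=dict)  # stack heading -> [Frame]


def parse_kasan_report(text: str) -> KasanReport:
    rep = KasanReport()
    current = None  # heading of the stack whose frames are being collected
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:
            current = None  # a blank line terminates a stack dump
            continue
        if line.startswith("=") or line in ("<TASK>", "</TASK>"):
            continue
        if m := BUG.match(line):
            rep.bug_type, rep.crash_func, rep.crash_location = m.groups()
        elif m := ACCESS.match(line):
            rep.access, rep.size, rep.addr, rep.task = m[1], int(m[2]), m[3], m[4]
        elif m := STACK_HEAD.match(line):
            current = m[1]
            rep.stacks[current] = []
        elif m := CACHE.match(line):
            rep.cache, rep.object_size = m[1], int(m[2])
        elif m := OFFSET.match(line):
            rep.offset = int(m[1])
        elif current and (m := FRAME.match(line)):
            rep.stacks[current].append(Frame(m[2], m[3], unreliable=m[1] is not None))
    return rep


def blame(frames):
    """First reliable frame that is not allocator/KASAN/RCU plumbing, or None."""
    for f in frames:
        if not f.unreliable and not f.func.startswith(INFRA_PREFIXES):
            return f
    return None


def triage(rep: KasanReport) -> str:
    """One-line summary: what was touched, where, who allocated it, who released it."""
    used = blame(rep.stacks.get("Call Trace", []))
    alloc_key = next((k for k in rep.stacks if k.startswith("Allocated")), None)
    alloc = blame(rep.stacks[alloc_key]) if alloc_key else None
    work = blame(rep.stacks.get("Last potentially related work creation", []))
    return (f"{rep.bug_type}: {rep.access.lower()} of {rep.size} bytes at offset "
            f"{rep.offset} in a {rep.object_size}-byte {rep.cache} object, in "
            f"{used.func if used else rep.crash_func} ({rep.crash_location}); "
            f"object allocated by {alloc.func if alloc else '?'}, "
            f"release scheduled by {work.func if work else '?'}")


if __name__ == "__main__":
    print(triage(parse_kasan_report(SAMPLE_REPORT)))
```

Run against the sample, the summary reads: the mnt_cache object was allocated by alloc_vfsmnt (under nfsd4_interssc_connect), its release was scheduled by mntput_no_expire from nfsd4_do_async_copy, and __nfs42_ssc_open read it afterwards, which is exactly the chain the advisory describes. Frames marked "?" are unwinder guesses and are deliberately never blamed.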

