Message-ID: <CAH5WSp4X9ZRsgV_NWt8tT1OGxa45MrKDTOikHtnkc78XO5MaxA@mail.gmail.com>
Date: Thu, 28 Apr 2022 11:19:46 +0800
From: Minh Yuan <yuanmingbuaa@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: A concurrency use-after-free in floppy's raw_cmd

Hi,

We recently discovered a concurrency UAF between raw_cmd_ioctl and
seek_interrupt in the latest kernel version (5.17.4 for now).

The root cause is that after deallocating raw_cmd in raw_cmd_ioctl,
seek_interrupt still holds the freed raw_cmd and accesses it in
floppy_ready or start_motor concurrently.

PoC (generated by syzkaller) is in the attachment, and here is the KASAN
report:

BUG: KASAN: use-after-free in start_motor+0x31b/0x3f0
drivers/block/floppy.c:1908

Read of size 4 at addr ffff888127331c00 by task kworker/u16:9/15911

CPU: 5 PID: 15911 Comm: kworker/u16:9 Not tainted 5.16.2 #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: floppy floppy_work_workfn
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 start_motor+0x31b/0x3f0 drivers/block/floppy.c:1908
 floppy_ready+0x83/0x1850 drivers/block/floppy.c:1935
 seek_interrupt+0x326/0x420 drivers/block/floppy.c:1567
 process_one_work+0x9b2/0x1660 kernel/workqueue.c:2317
 worker_thread+0x65d/0x1130 kernel/workqueue.c:2465
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 22033:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:590 [inline]
 raw_cmd_copyin drivers/block/floppy.c:3100 [inline]
 raw_cmd_ioctl drivers/block/floppy.c:3167 [inline]
 fd_locked_ioctl+0x100e/0x2820 drivers/block/floppy.c:3535
 fd_ioctl+0x35/0x50 drivers/block/floppy.c:3562
 blkdev_ioctl+0x37a/0x800 block/ioctl.c:609
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 22033:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
 slab_free mm/slub.c:3513 [inline]
 kfree+0xf6/0x560 mm/slub.c:4561
 raw_cmd_free+0x8a/0x1c0 drivers/block/floppy.c:3086
 raw_cmd_ioctl drivers/block/floppy.c:3187 [inline]
 fd_locked_ioctl+0x206d/0x2820 drivers/block/floppy.c:3535
 fd_ioctl+0x35/0x50 drivers/block/floppy.c:3562
 blkdev_ioctl+0x37a/0x800 block/ioctl.c:609
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae


The new patch can be seen at
https://github.com/torvalds/linux/commit/233087ca063686964a53c829d547c7571e3f67bf.

Regards,

Yuan Ming from Tsinghua University


Download attachment "floppy_poc.c" of type "application/octet-stream" (7139 bytes)
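An added user-space model of the lifetime pattern in this report (not code from floppy.c, and not what the linked commit changes; every name below is a hypothetical stand-in): the deferred handler still holds raw_cmd after the ioctl path frees it, and the hardened ordering drains pending work before the free instead.

```c
#include <stdlib.h>
/* Constructed user-space model of the bug above (hypothetical names, not
 * floppy.c code): the ioctl path frees raw_cmd while a deferred handler
 * (seek_interrupt, run later from a workqueue) still holds the pointer. */
struct raw_cmd { int flags; };

static struct raw_cmd *raw_cmd;        /* shared pointer, as in the driver */
static struct raw_cmd *last_freed;     /* allocator shadow for a KASAN-style check */
static void (*pending_work)(void);     /* one-slot stand-in for a workqueue */
static int uaf_detected;
/* Deferred handler: runs some time after the ioctl that queued it. */
static void seek_interrupt_model(void)
{
    if (raw_cmd == last_freed) { uaf_detected = 1; return; } /* freed: report, don't deref */
    (void)raw_cmd->flags;              /* the read floppy_ready/start_motor perform */
}

static void queue_work_model(void (*fn)(void)) { pending_work = fn; }
/* Runs whatever is queued: either the workqueue thread getting around to it,
 * or a deliberate flush/cancel-sync by the releasing path before it frees. */
static void flush_work_model(void)
{ if (pending_work) { pending_work(); pending_work = NULL; } }

static void raw_cmd_alloc_model(void)
{ raw_cmd = malloc(sizeof *raw_cmd); raw_cmd->flags = 1; last_freed = NULL; }
static void raw_cmd_free_model(void) { last_freed = raw_cmd; free(raw_cmd); }

/* Buggy order: free with work still pending; the work runs later. Returns 1. */
int run_unsafe_order(void)
{
    uaf_detected = 0;
    raw_cmd_alloc_model();
    queue_work_model(seek_interrupt_model); /* command issued, completion deferred */
    raw_cmd_free_model();                   /* ioctl returns and releases it */
    flush_work_model();                     /* workqueue finally runs the handler */
    return uaf_detected;
}

/* Hardened order: drain outstanding deferred work before release. Returns 0. */
int run_safe_order(void)
{
    uaf_detected = 0;
    raw_cmd_alloc_model();
    queue_work_model(seek_interrupt_model);
    flush_work_model();                     /* wait for the handler first */
    raw_cmd_free_model(); raw_cmd = NULL;   /* then release, leaving no stale pointer */
    flush_work_model();                     /* nothing pending: no access */
    return uaf_detected;
}
```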
