Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAH5WSp5rKR6gaKDAG58nKAiOf4fkzTz-faSFCrX4mo7RNoigFQ@mail.gmail.com>
Date: Tue, 10 May 2022 14:59:15 +0800
From: Minh Yuan <yuanmingbuaa@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: A concurrency use-after-free in bad_flp_intr for latest kernel version

Hi everyone,

My fuzzer discovered another concurrency uaf between reset_interrupt and
floppy_end_request in the latest kernel version (5.17.5 for now).

The root cause is that after deallocating current_req in floppy_end_request,
reset_interrupt still holds the freed current_req->error_count and accesses
it concurrently.

Here is the KASAN report:

BUG: KASAN: use-after-free in bad_flp_intr+0x332/0x460

Call Trace:
 __dump_stack
 dump_stack+0x1e9/0x30e
 print_address_description+0x6a/0x310
 kasan_report_error
 kasan_report+0x1bf/0x290
 bad_flp_intr+0x332/0x460
 reset_interrupt+0x16e/0x1b0
 process_one_work+0xc61/0x1530
 worker_thread+0xa7f/0x1440
 kthread+0x346/0x370
 ret_from_fork+0x24/0x30

Allocated by task 12590:
 kmem_cache_alloc_node+0x200/0x390
 alloc_request_simple+0x42/0x70
 mempool_alloc+0x166/0x6b0
 __get_request+0x92c/0x1c50
 get_request+0x756/0x10e0
 blk_queue_bio+0x523/0x12d0
audit: type=1804 audit(1651287706.088:1517): pid=13750 uid=0 auid=0 ses=6
subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.2"
name=2F73797A6B616C6C65722D746573746469723539363038303737352F73797A6B616C6C65722E6C56656931332F313737362F48C7C060
dev="sda" ino=136083 res=1
 generic_make_request+0x561/0xe20
 submit_bio+0x259/0x560
audit: type=1800 audit(1651287706.088:1518): pid=13752 uid=0 auid=0 ses=6
subj==unconfined op=collect_data cause=failed(directio)
comm="syz-executor.2" name=48C7C060 dev="sda" ino=136083 res=0
 __floppy_read_block_0
 floppy_revalidate+0xa70/0xd90
 check_disk_change+0x11e/0x1a0
 floppy_open+0x54d/0x890
 __blkdev_get+0x3ce/0x1ab0
 blkdev_get+0x986/0xb20
 do_dentry_open+0x91d/0x10a0
 do_last
 path_openat+0x298d/0x6de0
 do_filp_open+0x24a/0x4c0
 do_sys_open+0x361/0x5d0
 do_syscall_64+0x111/0x710
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2856:
 __cache_free
 kmem_cache_free+0xc8/0x260
 blk_free_request
 __blk_put_request+0x4d8/0xcd0
 __blk_end_bidi_request+0x1d4/0x260
 floppy_end_request
 request_done+0x701/0x950
 floppy_shutdown+0x14a/0x2b0
 process_one_work+0xc61/0x1530
 worker_thread+0xa7f/0x1440
 kthread+0x346/0x370
 ret_from_fork+0x24/0x30



Timeline:
* 04.30.22 - Vulnerability reported to security@...nel.org.
* 05.01.22 - Vulnerability reported to linux-distros@...openwall.org.
* 05.10.22 - Vulnerability opened.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.