Message-ID: <CAO3qeMXKb7vad9opV7B1oSsHbJ8D4jTpQaF2CwF=J1vVdcSe8g@mail.gmail.com>
Date: Tue, 14 Jun 2022 09:07:55 +0800
From: Gerald Lee <sundaywind2004@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1976: Linux Kernel: A use-after-free in __lock_acquire

Hi all,

=*=*=*=*=*=*=*=*= BUG DETAILS =*=*=*=*=*=*=*=*=

The old inflight tracking for any file type that has io_uring_fops needs to be assigned, otherwise trivial circular references never get the ctx cleaned up and hence it'll leak.

This issue was reported on May 31 and assigned CVE-2022-1976. C repro is attached.

=*=*=*=*=*=*=*=*= BACKTRACE =*=*=*=*=*=*=*=*=

BUG: KASAN: use-after-free in __lock_acquire+0x385f/0x5840 root/opt/kernel/kernel/locking/lockdep.c:4899
Read of size 8 at addr ffff8880682db3b8 by task kworker/1:9/9642

CPU: 1 PID: 9642 Comm: kworker/1:9 Not tainted 5.18.0 #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events io_fallback_req_func
Call Trace:
 <TASK>
 __dump_stack root/opt/kernel/lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 root/opt/kernel/lib/dump_stack.c:106
 print_address_description root/opt/kernel/mm/kasan/report.c:313 [inline]
 print_report.cold+0xe5/0x659 root/opt/kernel/mm/kasan/report.c:429
 kasan_report+0x8a/0x1b0 root/opt/kernel/mm/kasan/report.c:491
 __lock_acquire+0x385f/0x5840 root/opt/kernel/kernel/locking/lockdep.c:4899
 lock_acquire root/opt/kernel/kernel/locking/lockdep.c:5641 [inline]
 lock_acquire+0x1ab/0x520 root/opt/kernel/kernel/locking/lockdep.c:5606
 __raw_spin_lock_irq root/opt/kernel/./include/linux/spinlock_api_smp.h:119 [inline]
 _raw_spin_lock_irq+0x32/0x50 root/opt/kernel/kernel/locking/spinlock.c:170
 spin_lock_irq root/opt/kernel/./include/linux/spinlock.h:374 [inline]
 io_poll_remove_entry root/opt/kernel/fs/io_uring.c:6840 [inline]
 io_poll_remove_entries.part.0+0x15f/0x7d0 root/opt/kernel/fs/io_uring.c:6873
 io_poll_remove_entries root/opt/kernel/fs/io_uring.c:6853 [inline]
 io_poll_task_func+0x187/0x500 root/opt/kernel/fs/io_uring.c:6971
 io_fallback_req_func+0xfa/0x1b0 root/opt/kernel/fs/io_uring.c:1824
 process_one_work+0x9cc/0x1650 root/opt/kernel/kernel/workqueue.c:2289
 worker_thread+0x623/0x1070 root/opt/kernel/kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 root/opt/kernel/kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 root/opt/kernel/arch/x86/entry/entry_64.S:302
 </TASK>

Allocated by task 11840:
 kasan_save_stack+0x1e/0x40 root/opt/kernel/mm/kasan/common.c:38
 kasan_set_track root/opt/kernel/mm/kasan/common.c:45 [inline]
 set_alloc_info root/opt/kernel/mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc root/opt/kernel/mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc root/opt/kernel/mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 root/opt/kernel/mm/kasan/common.c:524
 kasan_kmalloc root/opt/kernel/./include/linux/kasan.h:234 [inline]
 __kmalloc+0x1c9/0x4c0 root/opt/kernel/mm/slub.c:4414
 io_ring_ctx_alloc root/opt/kernel/fs/io_uring.c:1838 [inline]
 io_uring_create root/opt/kernel/fs/io_uring.c:12396 [inline]
 io_uring_setup.cold+0x176/0x2a59 root/opt/kernel/fs/io_uring.c:12535
 do_syscall_x64 root/opt/kernel/arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 root/opt/kernel/arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 787:
 kasan_save_stack+0x1e/0x40 root/opt/kernel/mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 root/opt/kernel/mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 root/opt/kernel/mm/kasan/generic.c:370
 ____kasan_slab_free root/opt/kernel/mm/kasan/common.c:366 [inline]
 ____kasan_slab_free root/opt/kernel/mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0x11d/0x190 root/opt/kernel/mm/kasan/common.c:374
 kasan_slab_free root/opt/kernel/./include/linux/kasan.h:200 [inline]
 slab_free_hook root/opt/kernel/mm/slub.c:1728 [inline]
 slab_free_freelist_hook root/opt/kernel/mm/slub.c:1754 [inline]
 slab_free root/opt/kernel/mm/slub.c:3510 [inline]
 kfree+0xec/0x4b0 root/opt/kernel/mm/slub.c:4552
 io_ring_ctx_free root/opt/kernel/fs/io_uring.c:11159 [inline]
 io_ring_exit_work+0xefb/0xf43 root/opt/kernel/fs/io_uring.c:11303
 process_one_work+0x9cc/0x1650 root/opt/kernel/kernel/workqueue.c:2289
 worker_thread+0x623/0x1070 root/opt/kernel/kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 root/opt/kernel/kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 root/opt/kernel/arch/x86/entry/entry_64.S:302

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 root/opt/kernel/mm/kasan/common.c:38
 __kasan_record_aux_stack+0xbe/0xd0 root/opt/kernel/mm/kasan/generic.c:348
 insert_work+0x4a/0x390 root/opt/kernel/kernel/workqueue.c:1358
 __queue_work+0x4dd/0x1140 root/opt/kernel/kernel/workqueue.c:1517
 queue_work_on+0xee/0x110 root/opt/kernel/kernel/workqueue.c:1545
 queue_work root/opt/kernel/./include/linux/workqueue.h:502 [inline]
 io_ring_ctx_wait_and_kill+0x2b6/0x2ec root/opt/kernel/fs/io_uring.c:11357
 io_uring_release+0x42/0x46 root/opt/kernel/fs/io_uring.c:11365
 __fput+0x277/0x9d0 root/opt/kernel/fs/file_table.c:317
 task_work_run+0xe0/0x1a0 root/opt/kernel/kernel/task_work.c:177
 exit_task_work root/opt/kernel/./include/linux/task_work.h:38 [inline]
 do_exit+0xb16/0x2dc0 root/opt/kernel/kernel/exit.c:795
 do_group_exit+0xd2/0x2f0 root/opt/kernel/kernel/exit.c:925
 get_signal+0x2847/0x2880 root/opt/kernel/kernel/signal.c:2864
 arch_do_signal_or_restart+0x81/0x1e30 root/opt/kernel/arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop root/opt/kernel/kernel/entry/common.c:166 [inline]
 exit_to_user_mode_prepare+0x174/0x260 root/opt/kernel/kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work root/opt/kernel/kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x60 root/opt/kernel/kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 root/opt/kernel/arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff8880682db000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 952 bytes inside of
 2048-byte region [ffff8880682db000, ffff8880682db800)

The buggy address belongs to the physical page:
page:ffffea0001a0b600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x682d8
head:ffffea0001a0b600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000010200 ffffea00019e8e00 dead000000000002 ffff888010c42000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6529, tgid 6529 (syz-executor.2), ts 33495069085, free_ts 0
 set_page_owner root/opt/kernel/./include/linux/page_owner.h:31 [inline]
 post_alloc_hook root/opt/kernel/mm/page_alloc.c:2434 [inline]
 prep_new_page+0x297/0x330 root/opt/kernel/mm/page_alloc.c:2441
 get_page_from_freelist+0x210e/0x3ab0 root/opt/kernel/mm/page_alloc.c:4182
 __alloc_pages+0x30c/0x6e0 root/opt/kernel/mm/page_alloc.c:5408
 alloc_pages+0x119/0x250 root/opt/kernel/mm/mempolicy.c:2272
 alloc_slab_page root/opt/kernel/mm/slub.c:1799 [inline]
 allocate_slab root/opt/kernel/mm/slub.c:1944 [inline]
 new_slab+0x2a9/0x3f0 root/opt/kernel/mm/slub.c:2004
 ___slab_alloc+0xc62/0x1080 root/opt/kernel/mm/slub.c:3005
 __slab_alloc.isra.0+0x4d/0xa0 root/opt/kernel/mm/slub.c:3092
 slab_alloc_node root/opt/kernel/mm/slub.c:3183 [inline]
 slab_alloc root/opt/kernel/mm/slub.c:3225 [inline]
 kmem_cache_alloc_trace+0x383/0x460 root/opt/kernel/mm/slub.c:3256
 kmalloc root/opt/kernel/./include/linux/slab.h:581 [inline]
 kzalloc root/opt/kernel/./include/linux/slab.h:714 [inline]
 ipv6_add_dev root/opt/kernel/net/ipv6/addrconf.c:378 [inline]
 ipv6_add_dev+0xfe/0x12d0 root/opt/kernel/net/ipv6/addrconf.c:368
 addrconf_notify+0x614/0x1bb0 root/opt/kernel/net/ipv6/addrconf.c:3521
 notifier_call_chain+0xb5/0x200 root/opt/kernel/kernel/notifier.c:84
 call_netdevice_notifiers_info root/opt/kernel/net/core/dev.c:1938 [inline]
 call_netdevice_notifiers_info+0xb5/0x130 root/opt/kernel/net/core/dev.c:1923
 call_netdevice_notifiers_extack root/opt/kernel/net/core/dev.c:1976 [inline]
 call_netdevice_notifiers root/opt/kernel/net/core/dev.c:1990 [inline]
 register_netdevice+0xeb5/0x12b0 root/opt/kernel/net/core/dev.c:9994
 veth_newlink+0x405/0xa90 root/opt/kernel/drivers/net/veth.c:1764
 __rtnl_newlink+0xf52/0x1600 root/opt/kernel/net/core/rtnetlink.c:3483
 rtnl_newlink+0x64/0xa0 root/opt/kernel/net/core/rtnetlink.c:3531
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8880682db280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880682db300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880682db380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8880682db400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880682db480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

=*=*=*=*=*=*=*=*= PATCH =*=*=*=*=*=*=*=*=

The patch has been merged into the Linux kernel mainline and stable-master tree. It can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9cae36a094e7e9d6e5fe8b6dcd4642138b3eb0c7

=*=*=*=*=*=*=*=*= CREDIT =*=*=*=*=*=*=*=*=

Zhixin Li from Zero-one Security <sundaywind2004@...il.com>

Thanks.

Content of type "text/html" skipped

View attachment "repro.c" of type "text/x-c-code" (12613 bytes)
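As an added triage aid (editor's example, not part of the advisory, the attached repro or the kernel tree): a parser that pulls the facts a responder needs out of a KASAN report such as the one above, using lines quoted from that report as its sample input. It recovers the faulting access, the allocating and freeing tasks, the first frame of each stack that belongs to the owning subsystem rather than to KASAN, the allocator or lockdep (here io_ring_ctx_alloc, io_ring_ctx_free and io_poll_remove_entry), the slab cache and the offset into the object, and cross-checks the offset it computes from the addresses against the one KASAN printed. The regexes and the list of infrastructure frame prefixes are assumptions about the report format, not anything the advisory defines.

```python
import re
from collections import namedtuple

# Sample input: lines quoted from the KASAN report above, trimmed to the frames
# the parser needs (the full report parses the same way).
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in __lock_acquire+0x385f/0x5840 root/opt/kernel/kernel/locking/lockdep.c:4899
Read of size 8 at addr ffff8880682db3b8 by task kworker/1:9/9642
Call Trace:
 <TASK>
 __lock_acquire+0x385f/0x5840 root/opt/kernel/kernel/locking/lockdep.c:4899
 io_poll_remove_entry root/opt/kernel/fs/io_uring.c:6840 [inline]
 io_fallback_req_func+0xfa/0x1b0 root/opt/kernel/fs/io_uring.c:1824
 </TASK>

Allocated by task 11840:
 kasan_save_stack+0x1e/0x40 root/opt/kernel/mm/kasan/common.c:38
 __kmalloc+0x1c9/0x4c0 root/opt/kernel/mm/slub.c:4414
 io_ring_ctx_alloc root/opt/kernel/fs/io_uring.c:1838 [inline]

Freed by task 787:
 kasan_save_stack+0x1e/0x40 root/opt/kernel/mm/kasan/common.c:38
 kfree+0xec/0x4b0 root/opt/kernel/mm/slub.c:4552
 io_ring_ctx_free root/opt/kernel/fs/io_uring.c:11159 [inline]
 io_ring_exit_work+0xefb/0xf43 root/opt/kernel/fs/io_uring.c:11303

The buggy address belongs to the object at ffff8880682db000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 952 bytes inside of
 2048-byte region [ffff8880682db000, ffff8880682db800)
"""

# Report-format patterns, assumed from the shape of KASAN output (not from any spec).
FRAME_RE = re.compile(r"^(?P<func>\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+"
                      r"(?P<file>\S+):(?P<line>\d+)(?P<inline>\s+\[inline\])?$")
HEADER_RE = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+?)(?:\+0x\S+)?\s")
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
STACK_RE = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<task>\S+):")
OBJECT_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
INSIDE_RE = re.compile(r"is located (?P<off>\d+) bytes inside of")
# Frames belonging to KASAN, the allocator, lockdep or the stack dumper rather than
# to the subsystem that owns the object (assumed list; extend for other reports).
INFRA = ("kasan", "dump_stack", "print_", "lock_acquire", "raw_spin", "spin_lock",
         "kmalloc", "kzalloc", "kfree", "slab_", "kmem_cache", "set_alloc_info")
Frame = namedtuple("Frame", "func file line inline")


def owner_frame(frames):
    """First frame that is not allocator/instrumentation plumbing, else None."""
    return next((f for f in frames if not f.func.lstrip("_").startswith(INFRA)), None)


def parse_kasan_report(text):
    info, stacks, cur = {}, {"use": [], "alloc": [], "free": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            cur = None                      # a blank line closes the current stack
        elif m := HEADER_RE.match(line):
            info.update(bug=m["bug"], fault_func=m["func"])
        elif m := ACCESS_RE.match(line):
            info.update(access=m["kind"], size=int(m["size"]),
                        addr=int(m["addr"], 16), task=m["task"])
        elif line == "Call Trace:":
            cur = "use"
        elif m := STACK_RE.match(line):
            cur = "alloc" if m["which"] == "Allocated" else "free"
            info[cur + "_task"] = m["task"]
        elif m := OBJECT_RE.search(line):
            info["object_base"] = int(m["base"], 16)
        elif m := CACHE_RE.search(line):
            info.update(cache=m["cache"], object_size=int(m["size"]))
        elif m := INSIDE_RE.search(line):
            info["reported_offset"] = int(m["off"])
        elif cur and (m := FRAME_RE.match(line)):
            stacks[cur].append(Frame(m["func"], m["file"], int(m["line"]), bool(m["inline"])))
    for key, frames in stacks.items():
        info[key + "_site"] = owner_frame(frames)
    info["offset"] = info["addr"] - info["object_base"]
    # "comm/pid" -> pid; three distinct tasks means alloc, free and use did not share a context.
    pids = {info["task"].rsplit("/", 1)[-1], info["alloc_task"], info["free_task"]}
    info["cross_task"] = len(pids) == 3
    return info


def sanity_checks(info):
    """Cross-checks before trusting the headline; an empty list means consistent."""
    problems = []
    if info["offset"] != info["reported_offset"]:
        problems.append("computed offset disagrees with the report")
    if not 0 <= info["offset"] < info["object_size"]:
        problems.append("access lies outside the object")
    return problems


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    print(f"{r['bug']}: {r['access']} of {r['size']} bytes at +{r['offset']} into a {r['cache']} "
          f"object from {r['alloc_site'].func}, freed in {r['free_site'].func}, used by {r['use_site'].func}")
    print("checks:", sanity_checks(r) or "ok", "| cross-task:", r["cross_task"])
```

Run on the report above this yields a read 952 bytes into a kmalloc-2k object handed out by io_ring_ctx_alloc, freed from io_ring_exit_work and touched from io_poll_remove_entry, with allocation, free and use in three different tasks; that is the pattern of a lifetime race between ring teardown and deferred poll work, not a local off-by-one, which is the first thing to establish before reading the fix.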