Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Y5mJ3dLcB49yYsDo@ip-172-31-85-199.ec2.internal>
Date: Wed, 14 Dec 2022 16:31:25 +0800
From: Xingyuan Mo <hdthky0@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-4379: Linux kernel: use-after-free in __nfs42_ssc_open

Hello,

We found a use-after-free vulnerability in __nfs42_ssc_open() in NFS subsystem
of Linux through v6.1 which allows an attacker to trigger remote denial of
service.

=*=*=*=*=*=*=*=*=  Bug Details  =*=*=*=*=*=*=*=*=

The use-after-free violation is caused by dereferencing a vfsmount which is
freed but still remains on the delayed unmount list. The reason the vfsmount is
freed is that nfs42_ssc_open returns an error when called in
nfsd4_do_async_copy. During my testing, this bug can be triggered by two
consecutive inter-server-side copies, if the first one encounters some kind of
error.

=*=*=*=*=*=*=*=*=  Backtrace  =*=*=*=*=*=*=*=*=

[  150.198088 ] ==================================================================
[  150.199766 ] BUG: KASAN: use-after-free in __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[  150.201108 ] Read of size 8 at addr ffff888008bbc4a8 by task copy thread/375
[  150.203035 ]
[  150.203392 ] CPU: 4 PID: 375 Comm: copy thread Not tainted 6.1.0-rc8 #20
[  150.204790 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/04
[  150.206709 ] Call Trace:
[  150.207271 ]  <TASK>
[  150.207740 ] dump_stack_lvl (lib/dump_stack.c:107)
[  150.208562 ] print_report (mm/kasan/report.c:285 mm/kasan/report.c:395)
[  150.209385 ] ? __virt_addr_valid (./include/linux/mmzone.h:1759 ./include/linux/mmzone.h:1855 arch/x86/mm/physaddr.c:65)
[  150.210296 ] ? __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[  150.211184 ] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
[  150.211967 ] ? __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[  150.212742 ] __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[  150.213343 ] ? _raw_read_lock_bh (kernel/locking/spinlock.c:161)
[  150.213935 ] nfsd4_do_async_copy (./include/linux/nfs_ssc.h:47 fs/nfsd/nfs4proc.c:1764)
[  150.214520 ] ? preempt_count_sub (kernel/sched/core.c:5697)
[  150.215133 ] ? __kthread_parkme (kernel/kthread.c:283)
[  150.215769 ] ? nfsd4_read (fs/nfsd/nfs4proc.c:1757)
[  150.216349 ] kthread (kernel/kthread.c:376)
[  150.216873 ] ? kthread_complete_and_exit (kernel/kthread.c:331)
[  150.217630 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[  150.218206 ]  </TASK>
[  150.218551 ]
[  150.218803 ] Allocated by task 350:
[  150.219348 ] kasan_save_stack (mm/kasan/common.c:46)
[  150.219938 ] kasan_set_track (mm/kasan/common.c:52)
[  150.220522 ] __kasan_slab_alloc (mm/kasan/common.c:328)
[  150.221148 ] kmem_cache_alloc (./include/linux/kasan.h:201 mm/slab.h:737 mm/slub.c:3398 mm/slub.c:3406 mm/slub.c:3413 mm/slub.c:3422)
[  150.221786 ] alloc_vfsmnt (./include/linux/slab.h:679 fs/namespace.c:198)
[  150.222348 ] vfs_create_mount (fs/namespace.c:1017)
[  150.222919 ] vfs_kern_mount.part.48 (fs/namespace.c:1073)
[  150.223376 ] nfsd4_interssc_connect.isra.24 (fs/nfsd/nfs4proc.c:1443)
[  150.223915 ] nfsd4_copy (fs/nfsd/nfs4proc.c:1499 fs/nfsd/nfs4proc.c:1805)
[  150.224249 ] nfsd4_proc_compound (fs/nfsd/nfs4proc.c:2710)
[  150.224647 ] nfsd_dispatch (fs/nfsd/nfssvc.c:1056)
[  150.225000 ] svc_process_common (net/sunrpc/svc.c:1339)
[  150.225403 ] svc_process (net/sunrpc/svc.c:1463)
[  150.225735 ] nfsd (fs/nfsd/nfssvc.c:979)
[  150.226022 ] kthread (kernel/kthread.c:376)
[  150.226330 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[  150.226662 ]
[  150.226810 ] Freed by task 0:
[  150.227072 ] kasan_save_stack (mm/kasan/common.c:46)
[  150.227417 ] kasan_set_track (mm/kasan/common.c:52)
[  150.227765 ] kasan_save_free_info (mm/kasan/generic.c:513)
[  150.228134 ] __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
[  150.228497 ] kmem_cache_free (mm/slub.c:1750 mm/slub.c:3661 mm/slub.c:3683)
[  150.228842 ] rcu_core (./arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2257 kernel/rcu/tree.c:2510)
[  150.229144 ] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
[  150.229483 ]
[  150.229636 ] Last potentially related work creation:
[  150.230102 ] kasan_save_stack (mm/kasan/common.c:46)
[  150.230470 ] __kasan_record_aux_stack (mm/kasan/generic.c:481)
[  150.230901 ] call_rcu (./arch/x86/include/asm/irqflags.h:29 (discriminator 3) ./arch/x86/include/asm/irqflags.h:70 (discriminator 3) ./arch/x86/include/asm/irqflags.h:106 (discriminator 3) kernel/rcu/tree.c:2799 (discriminator 3))
[  150.231214 ] mntput_no_expire (fs/namespace.c:1272)
[  150.231586 ] nfsd4_do_async_copy (./include/linux/slab.h:553 ./include/linux/slab.h:689 fs/nfsd/nfs4proc.c:1734 fs/nfsd/nfs4proc.c:1787)
[  150.231980 ] kthread (kernel/kthread.c:376)
[  150.232295 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[  150.232637 ]
[  150.232792 ] The buggy address belongs to the object at ffff888008bbc480
[  150.232792 ]  which belongs to the cache mnt_cache of size 320
[  150.233849 ] The buggy address is located 40 bytes inside of
[  150.233849 ]  320-byte region [ffff888008bbc480, ffff888008bbc5c0)
[  150.234828 ]
[  150.234970 ] The buggy address belongs to the physical page:
[  150.235442 ] page:00000000711edc3f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfnc
[  150.236154 ] head:00000000711edc3f order:1 compound_mapcount:0 compound_pincount:0
[  150.236724 ] flags: 0x100000000010200(slab|head|node=0|zone=1)
[  150.237193 ] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888004946dc0
[  150.237784 ] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[  150.238367 ] page dumped because: kasan: bad access detected
[  150.238804 ]
[  150.238934 ] Memory state around the buggy address:
[  150.239304 ]  ffff888008bbc380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  150.239868 ]  ffff888008bbc400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  150.240420 ] >ffff888008bbc480: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  150.240967 ]                                   ^
[  150.241333 ]  ffff888008bbc500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  150.241885 ]  ffff888008bbc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  150.242431 ] ==================================================================

=*=*=*=*=*=*=*=*=  Patch  =*=*=*=*=*=*=*=*=

The patch has been done by Dai Ngo, and it can be found here:
https://lore.kernel.org/all/1670885411-10060-1-git-send-email-dai.ngo@oracle.com/

=*=*=*=*=*=*=*=*=  Credit  =*=*=*=*=*=*=*=*=

Xingyuan Mo and Gengjia Chen of IceSword Lab, Qihoo 360 Technology Co. Ltd.


Best Regards,
Xingyuan Mo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.