Bug 2056382

Summary: kernel: possible race condition (use-after-free) in drivers/net/hamradio/mkiss.c
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Reporter: TEJ RATHI <trathi>
Assignee: Red Hat Product Security <security-response-team>
CC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, steved, vkumar, walters, williams, zulinx86
Keywords: Security
Target Milestone: ---
Target Release: ---
Last Closed: 2022-03-31 12:12:14 UTC

Description TEJ RATHI 2022-02-21 06:18:47 UTC
Hi team, could you please check the report below? (CVE Pending)

Reference:
https://redhat.service-now.com/surl.do?n=INC2105149

------------
Email received from: kylin.formalin
Recipients: secalert

Hi there,

I found two concurrency use-after-free bugs in the Linux kernel and patched them together with the maintainers. The upstream commits can be found below:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b2f37aead1b82a770c48b5d583f35ec22aabb61e
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81b1d548d00bcd028303c4f3150fa753b9b8aa71
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0b9111922b1f399aba6ed1e1b8f2079c3da1aed8
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e0588c291d6ce225f2b891753ca41d45ba42469

The details of these bugs are quite clear: when a mkiss or a sixpack device is detaching, it reclaims the buffer resource too soon while there can still be packets utilizing these buffers. You can refer to the commit messages for the thread interleaving cases.

Below is the KASan report when the UAF happens:

[   26.882075] ==================================================================
[   26.882075] BUG: KASAN: use-after-free in tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075] Read of size 85 at addr ffff88800690d000 by task trigger/141
[   26.882075]
[   26.882075] CPU: 3 PID: 141 Comm: trigger Not tainted 5.11.0 #6
[   26.882075] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[   26.882075] Call Trace:
[   26.882075]  dump_stack+0x7d/0xa3
[   26.882075]  print_address_description.constprop.0+0x18/0x130
[   26.882075]  ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075]  ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075]  kasan_report.cold+0x7f/0x10e
[   26.882075]  ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075]  check_memory_region+0xf9/0x1e0
[   26.882075]  memcpy+0x20/0x60
[   26.882075]  tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[   26.882075]  pty_write+0xfa/0x1b0
[   26.882075]  ? pty_set_termios+0x5d0/0x5d0
[   26.882075]  ax_encaps+0x9c9/0xb60
[   26.882075]  ax_xmit+0x36a/0x37e
[   26.882075]  dev_hard_start_xmit+0x160/0x500
[   26.882075]  sch_direct_xmit+0x20b/0xa00
[   26.882075]  ? qdisc_put_unlocked+0x50/0x50
[   26.882075]  ? sysvec_apic_timer_interrupt+0x33/0xd0
[   26.882075]  ? pfifo_fast_dequeue+0x275/0xa30
[   26.882075]  __qdisc_run+0x3a0/0x1390
[   26.882075]  __dev_queue_xmit+0xabb/0x1b10
[   26.882075]  ? netdev_core_pick_tx+0x2a0/0x2a0
[   26.882075]  ? sysvec_apic_timer_interrupt+0x33/0xd0
[   26.882075]  ? memcpy+0x39/0x60
[   26.882075]  ? ax25_addr_build+0x7e/0x2a0
[   26.882075]  ax25_sendmsg+0xb70/0x1090
[   26.882075]  ? selinux_inode_notifysecctx+0x20/0x20
[   26.882075]  ? ax25_device_event+0x210/0x210
[   26.882075]  ? __fget_files+0x15b/0x210
[   26.882075]  ? ax25_device_event+0x210/0x210
[   26.882075]  sock_sendmsg+0xdf/0x110
[   26.882075]  __sys_sendto+0x19e/0x270
[   26.882075]  ? __ia32_sys_getpeername+0xa0/0xa0
[   26.882075]  ? copy_init_fpstate_to_fpregs+0x70/0x70
[   26.882075]  __x64_sys_sendto+0xd8/0x1b0
[   26.882075]  ? exit_to_user_mode_prepare+0x2c/0x120
[   26.882075]  do_syscall_64+0x33/0x40
[   26.882075]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   26.882075] RIP: 0033:0x7f2fd4c4bf64
[   26.882075] Code: 89 4c 24 1c e8 cd f8 ff ff 44 8b 54 24 1c 8b 3c 24 45 31 c9 89 c5 48 8b 54 24 10 48 8b 74 24 08 45 31 c0 b8 2c 00 00 00 04
[   26.882075] RSP: 002b:00007f2fd4263da0 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   26.882075] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2fd4c4bf64
[   26.882075] RDX: 0000000000000040 RSI: 00007f2fd4263df0 RDI: 0000000000000005
[   26.882075] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   26.882075] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff4cf08efe
[   26.882075] R13: 00007fff4cf08eff R14: 00007f2fd4263fc0 R15: 00007f2fd4264700
[   26.882075]
[   26.882075] Allocated by task 138:
[   26.882075]  kasan_save_stack+0x1b/0x40
[   26.882075]  ____kasan_kmalloc.constprop.0+0x84/0xa0
[   26.882075]  mkiss_open+0x375/0x700
[   26.882075]  tty_ldisc_open+0x76/0xc0
[   26.882075]  tty_set_ldisc+0x262/0x590
[   26.882075]  tty_ioctl+0x572/0x1360
[   26.882075]  __x64_sys_ioctl+0x122/0x190
[   26.882075]  do_syscall_64+0x33/0x40
[   26.882075]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   26.882075]
[   26.882075] Freed by task 140:
[   26.882075]  kasan_save_stack+0x1b/0x40
[   26.882075]  kasan_set_track+0x1c/0x30
[   26.882075]  kasan_set_free_info+0x20/0x30
[   26.882075]  ____kasan_slab_free+0xec/0x120
[   26.882075]  kfree+0x8f/0x230
[   26.882075]  mkiss_close+0x152/0x1d0
[   26.882075]  tty_ldisc_hangup+0x227/0x5f0
[   26.882075]  __tty_hangup.part.0+0x3f0/0x890
[   26.882075]  tty_release+0x3a8/0xc80
[   26.882075]  __fput+0x19d/0x760
[   26.882075]  task_work_run+0xbd/0x140
[   26.882075]  exit_to_user_mode_prepare+0x114/0x120
[   26.882075]  syscall_exit_to_user_mode+0x1d/0x40
[   26.882075]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   26.882075]
[   26.882075] The buggy address belongs to the object at ffff88800690d000
[   26.882075]  which belongs to the cache kmalloc-2k of size 2048
[   26.882075] The buggy address is located 0 bytes inside of
[   26.882075]  2048-byte region [ffff88800690d000, ffff88800690d800)
[   26.882075] The buggy address belongs to the page:
[   26.882075] page:00000000f84476af refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6908
[   26.882075] head:00000000f84476af order:3 compound_mapcount:0 compound_pincount:0
[   26.882075] flags: 0x100000000010200(slab|head)
[   26.882075] raw: 0100000000010200 0000000000000000 0000000100000001 ffff888006043040
[   26.882075] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[   26.882075] page dumped because: kasan: bad access detected
[   26.882075]
[   26.882075] Memory state around the buggy address:
[   26.882075]  ffff88800690cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.882075]  ffff88800690cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.882075] >ffff88800690d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.882075]                    ^
[   26.882075]  ffff88800690d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.882075]  ffff88800690d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.882075]
==================================================================
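
The interleaving the report shows (task 140 frees the buffer in mkiss_close via the tty hangup while task 141 is still transmitting through ax_xmit/ax_encaps), reduced to a single-threaded C model. This is an added illustration, not the driver's code or the upstream fix: the pending-packet counter stands in for racing senders, unregister_netdev() for the kernel's quiescing of the TX path, and the "fixed" variant assumes the remedy of freeing the buffers only after the net device is unregistered.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal model of the mkiss state that matters for the report above. */
struct mkiss {
    unsigned char *xbuff;  /* TX staging buffer, allocated in mkiss_open */
    int registered;        /* net device still visible to the AX.25 stack */
    int pending;           /* packets queued by ax25_sendmsg, not yet sent */
    int freed;             /* xbuff already released (stands in for KASAN poison) */
    int uaf_hits;          /* touches of xbuff after kfree, what KASAN reported */
};
static void mkiss_open(struct mkiss *ax) {
    memset(ax, 0, sizeof *ax);
    ax->xbuff = malloc(2048);          /* the kmalloc-2k object in the report */
    ax->registered = 1;
}
/* ax_xmit -> ax_encaps: stage a KISS frame into xbuff. */
static void ax_xmit(struct mkiss *ax) {
    if (!ax->registered) return;       /* queue stopped: packet dropped, no UAF */
    if (ax->freed) { ax->uaf_hits++; return; }   /* KASAN would fire here */
    memset(ax->xbuff, 0xC0, 16);       /* FEND delimiters of a KISS frame */
}
static void ax25_sendmsg(struct mkiss *ax) { ax->pending++; }
/* Drain queued TX and stop the queue before the device disappears (the role
 * unregister_netdev() plays in the kernel; simplified model, not its code). */
static void unregister_netdev(struct mkiss *ax) {
    while (ax->pending > 0) { ax->pending--; ax_xmit(ax); }
    ax->registered = 0;
}
static void kfree_xbuff(struct mkiss *ax) { free(ax->xbuff); ax->xbuff = NULL; ax->freed = 1; }
/* Pre-fix ordering: buffers go away while the netdev can still transmit. */
static int mkiss_close_buggy(struct mkiss *ax) {
    kfree_xbuff(ax);
    unregister_netdev(ax);             /* queued packets now hit the freed buffer */
    return ax->uaf_hits;
}
/* Fixed ordering: quiesce the TX path first, then free. */
static int mkiss_close_fixed(struct mkiss *ax) {
    unregister_netdev(ax);
    kfree_xbuff(ax);
    return ax->uaf_hits;
}
/* Report scenario: two queued sends (task 141) race the tty hangup (task 140).
 * Returns the number of use-after-free accesses the model detected. */
static int run_scenario(int fixed) {
    struct mkiss ax;
    mkiss_open(&ax);
    ax25_sendmsg(&ax); ax25_sendmsg(&ax);
    return fixed ? mkiss_close_fixed(&ax) : mkiss_close_buggy(&ax);
}
```

run_scenario(0) reproduces the report's outcome (every queued packet touches freed memory), run_scenario(1) shows the same traffic completing against a live buffer before it is released.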

Comment 1 Rohit Keshri 2022-03-31 12:12:14 UTC

*** This bug has been marked as a duplicate of bug 2056381 ***