Bug 2060606 (CVE-2022-0850)

Summary: CVE-2022-0850 kernel: information leak in copy_page_to_iter() in iov_iter.c
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, brdeoliv, bskeggs, carnil, chwhite, crwood, dfreiber, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jpazdziora, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, pmatouse, ptalbert, qzhao, rogbas, rvrbovsk, scweaver, steved, vkumar, walters, williams, zulinx86
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.14 rc1
Doc Type: If docs needed, set a value
Doc Text:
An information leak flaw was found via ext4_extent_header in fs/ext4/extents.c in the Linux kernel. This flaw could allow a local attacker to cause a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-04 20:49:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2006441, 2046355, 2233466, 2233467
Bug Blocks: 2047348

Description Rohit Keshri 2022-03-03 20:32:54 UTC
There is a kernel information leak vulnerability which was produced by my improved syzkaller. The output message is as follows:

Syzkaller hit 'KMSAN: kernel-infoleak in copy_page_to_iter' bug.
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user build/../include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout build/../lib/iov_iter.c:156 [inline]
BUG: KMSAN: kernel-infoleak in copy_page_to_iter_iovec build/../lib/iov_iter.c:231 [inline]
BUG: KMSAN: kernel-infoleak in __copy_page_to_iter build/../lib/iov_iter.c:855 [inline]
BUG: KMSAN: kernel-infoleak in copy_page_to_iter+0xa65/0x2630 build/../lib/iov_iter.c:883
instrument_copy_to_user build/../include/linux/instrumented.h:121 [inline]
copyout build/../lib/iov_iter.c:156 [inline]
copy_page_to_iter_iovec build/../lib/iov_iter.c:231 [inline]
__copy_page_to_iter build/../lib/iov_iter.c:855 [inline]
copy_page_to_iter+0xa65/0x2630 build/../lib/iov_iter.c:883
filemap_read+0xf7a/0x1b10 build/../mm/filemap.c:2697
generic_file_read_iter+0x19c/0xa50 build/../mm/filemap.c:2792
ext4_file_read_iter+0xa09/0xd10
call_read_iter build/../include/linux/fs.h:2156 [inline]
new_sync_read build/../fs/read_write.c:400 [inline]
vfs_read+0x1631/0x1980 build/../fs/read_write.c:481
ksys_read+0x28b/0x510 build/../fs/read_write.c:619
__do_sys_read build/../fs/read_write.c:629 [inline]
__se_sys_read build/../fs/read_write.c:627 [inline]
__x64_sys_read+0xdb/0x120 build/../fs/read_write.c:627
do_syscall_x64 build/../arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 build/../arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae

Refer:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ce3aba43599f0b50adbebff133df8d08a3d5fffe
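
The KMSAN report above fires because bytes that were never written reach user space through a plain read(). As an added example (not code from the bug report, from the kernel, or from the linked fix commit), the following user-space C program models that bug class with a KMSAN-style shadow map: a reused page starts out entirely "uninitialised", a header initialiser writes some of its fields, and a copy_to_user stand-in counts how many stale bytes the read would hand to the caller. The struct layout mirrors struct ext4_extent_header; treating eh_generation as the field left unwritten before the fix is an assumption about the linked commit that this page does not itself state, and the page size, the 0xA5 fill and every helper name are constructed for the demonstration.

```c
/*
 * Added example, not from the bug report or the kernel. Models an infoleak of
 * the kind KMSAN reported above: a header is built field by field in a freshly
 * reused page, one field is skipped, and read() copies the stale bytes out.
 * The shadow[] array plays the role of KMSAN's shadow memory: one byte per
 * page byte, 1 while the byte still holds whatever the page contained before.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096          /* assumed page size for the model */
#define STALE_FILL 0xA5         /* stands in for whatever the page held before reuse */
#define EXT_MAGIC  0xF30A       /* value of EXT4_EXT_MAGIC in the kernel headers */

/* user-space mirror of struct ext4_extent_header (fs/ext4/ext4_extents.h) */
struct extent_header {
    uint16_t eh_magic;
    uint16_t eh_entries;
    uint16_t eh_max;
    uint16_t eh_depth;
    uint32_t eh_generation;
};

static uint8_t page[PAGE_SIZE];
static uint8_t shadow[PAGE_SIZE];   /* 1 = byte never written since page reuse */

/* A page comes back from the allocator full of old data; nothing is initialised. */
static void page_reuse(void)
{
    memset(page, STALE_FILL, sizeof page);
    memset(shadow, 1, sizeof shadow);
}

/* Stores that also clear the shadow, as instrumented kernel stores would. */
static void store16(size_t off, uint16_t v)
{
    memcpy(page + off, &v, sizeof v);
    memset(shadow + off, 0, sizeof v);
}

static void store32(size_t off, uint32_t v)
{
    memcpy(page + off, &v, sizeof v);
    memset(shadow + off, 0, sizeof v);
}

/* Pre-fix pattern (assumption, see lead-in): four of five fields written. */
static void tree_init_leaky(void)
{
    store16(offsetof(struct extent_header, eh_magic), EXT_MAGIC);
    store16(offsetof(struct extent_header, eh_entries), 0);
    store16(offsetof(struct extent_header, eh_max), 4);
    store16(offsetof(struct extent_header, eh_depth), 0);
    /* eh_generation is not touched and keeps the stale page contents */
}

/* Fixed pattern: every field of the on-disk structure is written explicitly. */
static void tree_init_fixed(void)
{
    tree_init_leaky();
    store32(offsetof(struct extent_header, eh_generation), 0);
}

/*
 * copy_to_user stand-in: copies the bytes and, like KMSAN's check in
 * instrument_copy_to_user(), reports how many of them were never initialised.
 */
static size_t copy_to_user_checked(uint8_t *dst, size_t off, size_t len)
{
    size_t leaked = 0;
    memcpy(dst, page + off, len);
    for (size_t i = 0; i < len; i++)
        if (shadow[off + i])
            leaked++;
    return leaked;
}

/* Fresh page, header initialiser, then a read() of the header: returns the leak size. */
static size_t read_header_leak(void (*init)(void))
{
    uint8_t user_buf[sizeof(struct extent_header)];
    page_reuse();
    init();
    return copy_to_user_checked(user_buf, 0, sizeof(struct extent_header));
}

int main(void)
{
    printf("pre-fix init: %zu uninitialised bytes reach user space\n",
           read_header_leak(tree_init_leaky));
    printf("fixed init:   %zu uninitialised bytes reach user space\n",
           read_header_leak(tree_init_fixed));
    return 0;
}
```

Build with a plain `cc` and run. Note why the check compares shadow bits rather than looking for the 0xA5 fill in the output: a legitimately written byte that happens to equal the fill would hide a leak, which is exactly why KMSAN tracks initialisation state per byte instead of comparing values. The general rule this models applies to any on-disk or on-wire structure assembled in a freshly allocated buffer: either memset the whole buffer first or assign every field, so that structure padding and skipped members never carry old kernel memory to the caller.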

Comment 2 Product Security DevOps Team 2022-03-04 20:49:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0850

Comment 3 Salvatore Bonaccorso 2022-03-05 15:58:48 UTC
Should this CVE be rejected? I'm not sure as the traces do not completely correspond. There is on one hand https://syzkaller.appspot.com/bug?id=602bc454598b9bc1186ea9f927f6225ef64a397b which was auto-closed as invalid, and https://syzkaller.appspot.com/bug?id=78e9ad0e6952a3ca16e8234724b2fa92d041b9b8 which though is fixed in 5.14-rc1 (with ce3aba43599f0b50adbebff133df8d08a3d5fffe).

Thanks for clarifying.

Comment 4 Rohit Keshri 2022-03-13 13:23:45 UTC
Hello, looking closely at both the traces we will notice they are similar occurrences and relate to a similar problem.

Below is the trace in common:
~~~
 copy_page_to_iter_iovec lib/iov_iter.c:212 [inline]
 copy_page_to_iter+0x77a/0x1ac0 lib/iov_iter.c:846
 generic_file_buffered_read mm/filemap.c:2185 [inline]
 generic_file_read_iter+0x3469/0x4430 mm/filemap.c:2362
 blkdev_read_iter+0x20d/0x270 fs/block_dev.c:1936
 call_read_iter include/linux/fs.h:1801 [inline]
 new_sync_read fs/read_write.c:406 [inline]
~~~

thank you.

Comment 12 Mauro Matteo Cascella 2023-08-22 09:49:35 UTC
This issue was fixed upstream in kernel version 5.14. The kernel packages as shipped in Red Hat Enterprise Linux 8 were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2022:1988

kernel-rt in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2022:1975

Comment 14 Jan Pazdziora 2023-08-28 10:46:22 UTC
Thank you Mauro for the necessary changes to get https://access.redhat.com/security/cve/CVE-2022-0850 content correct.