Bug 2060606 (CVE-2022-0850)

Summary: CVE-2022-0850 kernel: information leak in copy_page_to_iter() in iov_iter.c
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, brdeoliv, bskeggs, carnil, chwhite, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jpazdziora, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, steved, swood, vkumar, walters, williams, zulinx86
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: jpazdziora: needinfo? (rkeshri)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.14 rc1
Doc Type: If docs needed, set a value
Doc Text:
An information leak flaw was found via ext4_extent_header in fs/ext4/extents.c in the Linux kernel. This flaw could allow a local attacker to cause a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-04 20:49:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2047348

Description Rohit Keshri 2022-03-03 20:32:54 UTC
There is a kernel information leak vulnerability which was produced by my improved syzkaller. The output message is as follows:

Syzkaller hit 'KMSAN: kernel-infoleak in copy_page_to_iter' bug.
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user build/../include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout build/../lib/iov_iter.c:156 [inline]
BUG: KMSAN: kernel-infoleak in copy_page_to_iter_iovec build/../lib/iov_iter.c:231 [inline]
BUG: KMSAN: kernel-infoleak in __copy_page_to_iter build/../lib/iov_iter.c:855 [inline]
BUG: KMSAN: kernel-infoleak in copy_page_to_iter+0xa65/0x2630 build/../lib/iov_iter.c:883
instrument_copy_to_user build/../include/linux/instrumented.h:121 [inline]
copyout build/../lib/iov_iter.c:156 [inline]
copy_page_to_iter_iovec build/../lib/iov_iter.c:231 [inline]
__copy_page_to_iter build/../lib/iov_iter.c:855 [inline]
copy_page_to_iter+0xa65/0x2630 build/../lib/iov_iter.c:883
filemap_read+0xf7a/0x1b10 build/../mm/filemap.c:2697
generic_file_read_iter+0x19c/0xa50 build/../mm/filemap.c:2792
ext4_file_read_iter+0xa09/0xd10
call_read_iter build/../include/linux/fs.h:2156 [inline]
new_sync_read build/../fs/read_write.c:400 [inline]
vfs_read+0x1631/0x1980 build/../fs/read_write.c:481
ksys_read+0x28b/0x510 build/../fs/read_write.c:619
__do_sys_read build/../fs/read_write.c:629 [inline]
__se_sys_read build/../fs/read_write.c:627 [inline]
__x64_sys_read+0xdb/0x120 build/../fs/read_write.c:627
do_syscall_x64 build/../arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 build/../arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae

Comment 2 Product Security DevOps Team 2022-03-04 20:49:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0850

Comment 3 Salvatore Bonaccorso 2022-03-05 15:58:48 UTC
Should this CVE be rejected? I'm not sure, as the traces do not completely correspond. There is on one hand https://syzkaller.appspot.com/bug?id=602bc454598b9bc1186ea9f927f6225ef64a397b which was auto-closed as invalid, and https://syzkaller.appspot.com/bug?id=78e9ad0e6952a3ca16e8234724b2fa92d041b9b8 which though is fixed in 5.14-rc1 (with ce3aba43599f0b50adbebff133df8d08a3d5fffe).

Thanks for clarifying.

Comment 4 Rohit Keshri 2022-03-13 13:23:45 UTC
Hello, looking closely at both the traces we will notice they are similar occurrences and relate to a similar problem.

Below is the trace in common:
~~~
 copy_page_to_iter_iovec lib/iov_iter.c:212 [inline]
 copy_page_to_iter+0x77a/0x1ac0 lib/iov_iter.c:846
 generic_file_buffered_read mm/filemap.c:2185 [inline]
 generic_file_read_iter+0x3469/0x4430 mm/filemap.c:2362
 blkdev_read_iter+0x20d/0x270 fs/block_dev.c:1936
 call_read_iter include/linux/fs.h:1801 [inline]
 new_sync_read fs/read_write.c:406 [inline]
~~~

Thank you.

Comment 6 Jan Pazdziora 2023-07-29 06:28:16 UTC
(In reply to Rohit Keshri from comment #4)
> Hello, looking closely at both the traces we will notice they are similar
> occurrences and relate to a similar problem.
> 
> Below is the trace in common:
> ~~~
>  copy_page_to_iter_iovec lib/iov_iter.c:212 [inline]
>  copy_page_to_iter+0x77a/0x1ac0 lib/iov_iter.c:846
>  generic_file_buffered_read mm/filemap.c:2185 [inline]
>  generic_file_read_iter+0x3469/0x4430 mm/filemap.c:2362
>  blkdev_read_iter+0x20d/0x270 fs/block_dev.c:1936
>  call_read_iter include/linux/fs.h:1801 [inline]
>  new_sync_read fs/read_write.c:406 [inline]
> ~~~
> 
> Thank you.

Hello,

could this be reopened and proper investigation of the code in various RHEL kernel versions done? This bugzilla is WONTFIX indicating the vulnerability is present but we decided not to fix it ... but the CVE page https://access.redhat.com/security/cve/CVE-2022-0850 says Not affected which indicates to the world that the faulty code is not in the product. We might need to figure out which one it is exactly.

Thank you, Jan