Bug 2255987

Summary: kernel: slab-use-after-free in iommufd_test
Product: [Other] Security Response
Reporter: ybuenos
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, allarkin, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, ezulian, hkrzesin, jahealy, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mmilgram, mstowell, nmurray, npecka, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A slab-use-after-free vulnerability was found in the Linux kernel 6.6. Invoking the iommufd_test call in the iommufd driver can result in a crash and kernel panic.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2255988

Description ybuenos 2023-12-27 15:03:40 UTC
A bug was found in Linux Kernel 6.6+: KASAN: slab-use-after-free in iommufd_test 

Email received from: zhiyuzhang999
Recipients: secalert

Hi RedHat Product Security,

I am fuzzing an LTS version of Linux kernel 6.6 with my modified
syzkaller and I found a bug named "KASAN: slab-use-after-free in
iommufd_test". By analyzing the call trace in the bug report, I traced
the root cause of this bug to drivers/iommu/iommufd. An iommufd_object
is allocated in one task through
iommufd_fops_ioctl->iommufd_ioas_alloc_ioctl->iommufd_ioas_alloc and
freed in another task through iommufd_fops_ioctl->iommufd_destroy.
Then when the kernel invokes the calls
iommufd_fops_ioctl->iommufd_test->iommufd_test_add_reserved->iommufd_put_object,
a use-after-free read will occur. The detailed report, log, repro, and config
can be found in this google drive link:
https://drive.usercontent.google.com/download?id=1nDJWUstYJNcC1zJ6q1rhB5zB0uV2yGvg&export=download&authuser=0&confirm=t

The steps to reproduce the bug:
1. compile the kernel 6.6 with provided Linux-6.6.config
2. boot a qemu vm that runs the compiled kernel
3. scp the repro.c (repro.prog is not recommended) to the vm and
compile it with gcc -pthread repro.c -o repro
4. execute ./repro; you will see the output get stuck for a while, and
then KASAN is triggered and the kernel panics.
5. you can speed up the crash by setting up another ssh shell to
execute ./repro again.

I have reproduced it on 6.6 and 6.6.1 (I haven't verified it on the latest
version, 6.6.8, yet). But I didn't find any related reports on the internet,
which indicates that it may be a 0day.

I have also reported this bug to upstream
(https://lore.kernel.org/linux-iommu/CALf2hKsJjDY3OhtMCxhHh7rS=2S4Oq9Ns=t-NFq1MPD=f0K02Q@mail.gmail.com/T/#u).
And I'll be happy to assist if needed.

Best,
Zhiyu Zhang
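The lifetime discipline that prevents this class of bug, as an added, single-threaded C model that is not part of the bug report or of the iommufd driver: objects live in a table with a reference count, a lookup takes a reference, and a user-initiated destroy refuses with EBUSY while another task still holds one, so a later put never touches freed memory. The names obj_alloc/obj_get/obj_put/obj_destroy and the table layout are the model's own assumptions, not kernel APIs.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed model: "users" counts the table's own reference plus
 * every caller that has looked the object up and not yet put it. */
#define MAX_OBJS 8

struct obj { int id; int users; };

static struct obj *table[MAX_OBJS];

/* Models the alloc ioctl path: object enters the table holding one ref. */
static int obj_alloc(void)
{
    for (int i = 0; i < MAX_OBJS; i++) {
        if (table[i]) continue;
        struct obj *o = calloc(1, sizeof(*o));
        if (!o) return -ENOMEM;
        o->id = i;
        o->users = 1;          /* the table's reference */
        table[i] = o;
        return i;
    }
    return -ENOSPC;
}

/* Lookup takes a reference; the caller must pair it with obj_put(). */
static struct obj *obj_get(int id)
{
    if (id < 0 || id >= MAX_OBJS || !table[id]) return NULL;
    table[id]->users++;
    return table[id];
}

static void obj_put(struct obj *o) { o->users--; }

/* Models the destroy ioctl: frees only when the table holds the last
 * reference (in the spirit of the kernel's refcount_dec_if_one()). */
static int obj_destroy(int id)
{
    struct obj *o = (id >= 0 && id < MAX_OBJS) ? table[id] : NULL;
    if (!o) return -ENOENT;
    if (o->users != 1) return -EBUSY;   /* another task still holds it */
    table[id] = NULL;
    free(o);
    return 0;
}

/* The two-task sequence from the report, serialised: A looks the object
 * up, B tries to destroy it, A puts it. Returns B's destroy result. */
static int destroy_while_held(void)
{
    int id = obj_alloc();
    struct obj *held = obj_get(id);     /* task A: lookup in ioctl path */
    int rc = obj_destroy(id);           /* task B: refused, not freed   */
    obj_put(held);                      /* task A: touches live memory  */
    obj_destroy(id);                    /* table's ref is last: frees   */
    return rc;
}

/* Destroy with no concurrent holder succeeds. */
static int destroy_unheld(void) { return obj_destroy(obj_alloc()); }
```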