Bug 1985904
| Summary: | use-after-free in audit_krule_to_data | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Seiji Nishikawa <snishika> |
| Component: | kernel | Assignee: | Richard Guy Briggs <rbriggs> |
| kernel sub component: | Audit | QA Contact: | Linqing Lu <lilu> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | | |
| Priority: | medium | CC: | dapospis, sgrubb, vkabatov, xiawu |
| Version: | unspecified | Keywords: | Triaged |
| Target Milestone: | beta | Flags: | pm-rhel: mirror+ |
| Target Release: | 9.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | kernel-5.14.0-12.el9 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-05-17 15:38:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Best I can determine is that we are here:

~~~
memcpy+0x20/0x60
audit_krule_to_data+0x5b2/0xb70
audit_list_rules_send (kernel/auditfilter.c:1092 kernel/auditfilter.c:1181)
audit_receive_msg (kernel/audit.c:1308)
? audit_receive (./include/net/netlink.h:631 kernel/audit.c:1542)
? audit_log_feature_change.part.0 (kernel/audit.c:1018 kernel/audit.c:1196)
~~~

The audit_krule_to_data offset is not resolving, and that is the key piece of information needed. There are 5 different calls to audit_pack_string(), which in turn calls memcpy. Determining which of the calls it is matters, since that points to where the memory came from.

Looking at audit_krule_to_data(), there is a memset called for some reason. It does not zero the whole buffer as far as I can tell (0x82/0x110). But it probably should, to prevent leaking secrets to user space.

2021-08-23 fix posted upstream:
https://lkml.org/lkml/2021/8/23/1115
https://listman.redhat.com/archives/linux-audit/2021-August/msg00061.html

See https://bugzilla.redhat.com/show_bug.cgi?id=1978123 (dup/clone?)

(In reply to Linqing Lu from comment #7)
> There is no kernel-debug* packages in CKI MR builds.
> (cc Veronika - any plan/workaround that we can get debug kernel for MR builds? Thanks!)
>
> Will skip pre-verification if that's difficult to come by right now.

Hi, CKI is planning to add debug kernel builds for x86_64 in Q4. We have to work around the artifact size limitation GitLab has in place, as debug builds are larger than this limit. We'll announce on kernel-info and kernel-qe lists when this functionality is in place. Until then, please use Brew to build debug kernels when they are needed.

List of commits available on kernel-5.14.0-12.el9 (1/1):
Related commit: f0685cf84480 ("Merge: audit: move put_tree() to avoid trim_trees refcount underflow and UAF")
Related commit: fcab9483ca9e ("audit: move put_tree() to avoid trim_trees refcount underflow and UAF")
Initial tests passed on RHEL-9.0.0-20211108.7, but Beaker truncated dmesg so the automated test couldn't fully work yet. Manually verified for now.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: kernel), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3907
Description of problem:
use-after-free in audit_krule_to_data

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Install 5.14.0-0.rc2.23.el9.x86_64+debug
2. Add the audit rules listed below and reboot

~~~
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issuessh -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/hostname -p wa -k system-locale
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=export
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=export
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k actions
-w /etc/sudoers.d/ -p wa -k scope
find /usr/bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
find /usr/sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-w /bin/kmod -p x -k auoms -k kernelmodules
-w /var/log/audit -p wxa -k audittampering -k auoms
-w /etc/audit -p wxa -k audittampering -k auoms
-w /etc/passwd -p x -k auoms -k usergroup
-w /etc/group -p x -k auoms -k usergroup
-w /etc/pam.d -p wxa -k auoms -k pam
-a always,exit -F arch=b32 -S execve,execveat -F key=auoms
-a always,exit -F arch=b64 -S execve,execveat -F key=auoms
~~~

3. Run `auditctl -l`

Actual results:
The below KASAN use-after-free report is logged in dmesg on boot:

~~~
[  100.574191] ==================================================================
[  100.575760] BUG: KASAN: use-after-free in audit_krule_to_data+0x5b2/0xb70
[  100.577103] Read of size 16 at addr ffff8881053a7360 by task auditctl/1404
[  100.578457]
[  100.578805] CPU: 1 PID: 1404 Comm: auditctl Tainted: G ---------h--- 5.14.0-0.rc2.23.el9.x86_64+debug #1
[  100.581040] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016
[  100.583205] Call Trace:
[  100.583747]  dump_stack_lvl+0x57/0x7d
[  100.584527]  print_address_description.constprop.0+0x1f/0x140
[  100.585717]  ? audit_krule_to_data+0x5b2/0xb70
[  100.586648]  __kasan_report.cold+0x7f/0x11e
[  100.587536]  ? audit_krule_to_data+0x5b2/0xb70
[  100.589889]  kasan_report+0x38/0x50
[  100.592035]  kasan_check_range+0xf5/0x1d0
[  100.594270]  memcpy+0x20/0x60
[  100.596285]  audit_krule_to_data+0x5b2/0xb70
[  100.598547]  audit_list_rules_send+0x2d8/0x4c0
[  100.600815]  audit_receive_msg+0xaa3/0x1ae0
[  100.602982]  ? audit_receive+0x7c/0x1b0
[  100.605059]  ? audit_log_feature_change.part.0+0x160/0x160
[  100.607461]  ? __mutex_lock+0xb77/0x1170
[  100.609567]  ? audit_receive+0x7c/0x1b0
[  100.611687]  ? mutex_lock_io_nested+0xfc0/0xfc0
[  100.613933]  ? __lock_release+0x494/0xa40
[  100.616072]  ? rcu_read_unlock+0x40/0x40
[  100.618173]  ? lock_downgrade+0x110/0x110
[  100.620311]  audit_receive+0xd7/0x1b0
[  100.622313]  netlink_unicast+0x430/0x700
[  100.624379]  ? netlink_attachskb+0x750/0x750
[  100.626504]  ? __lock_release+0x494/0xa40
[  100.628588]  netlink_sendmsg+0x72a/0xc70
[  100.630641]  ? netlink_unicast+0x700/0x700
[  100.632727]  ? kmem_cache_alloc_trace+0x1ae/0x330
[  100.634922]  ? netlink_unicast+0x700/0x700
[  100.636971]  sock_sendmsg+0xe4/0x110
[  100.638893]  __sys_sendto+0x1aa/0x280
[  100.640802]  ? __ia32_sys_getpeername+0xb0/0xb0
[  100.642877]  ? find_held_lock+0x33/0x110
[  100.644811]  ? lock_downgrade+0x110/0x110
[  100.646715]  ? rcu_read_unlock+0x40/0x40
[  100.648592]  ? lockdep_hardirqs_on_prepare.part.0+0x19a/0x350
[  100.650782]  ? ktime_get_coarse_real_ts64+0x128/0x160
[  100.652782]  ? trace_hardirqs_on+0x1c/0x160
[  100.654628]  ? ktime_get_coarse_real_ts64+0x128/0x160
[  100.656655]  __x64_sys_sendto+0xdc/0x1b0
[  100.658437]  ? syscall_trace_enter.constprop.0+0x189/0x260
[  100.660538]  do_syscall_64+0x3b/0x90
[  100.662264]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  100.664295] RIP: 0033:0x7f60d3290d68
[  100.666030] Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 8b 05 e6 d6 20 00 41 89 ca 85 c0 75 17 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 78 c3 0f 1f 80 00 00 00 00 41 57 4d 89 c7 41
[  100.673046] RSP: 002b:00007ffff2966c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[  100.673064] RAX: ffffffffffffffda RBX: 0000000000000010 RCX: 00007f60d3290d68
[  100.673069] RDX: 0000000000000010 RSI: 00007ffff2966cc0 RDI: 0000000000000003
[  100.673073] RBP: 0000000000000003 R08: 00007ffff2966cac R09: 000000000000000c
[  100.683739] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffff2966cc0
[  100.686375] R13: 00007ffff2966cac R14: 0000000000000001 R15: 0000000000000000
[  100.689066]
[  100.690623] Allocated by task 1325:
[  100.692576]  kasan_save_stack+0x1b/0x40
[  100.694601]  __kasan_kmalloc+0x7c/0x90
[  100.696604]  kernfs_fop_open+0x7b3/0xbb0
[  100.698641]  do_dentry_open+0x427/0xec0
[  100.700678]  do_open+0x698/0xec0
[  100.702573]  path_openat+0x27d/0x680
[  100.704530]  do_filp_open+0x1aa/0x3e0
[  100.706512]  do_sys_openat2+0x122/0x370
[  100.708522]  __x64_sys_openat+0x11f/0x1d0
[  100.710570]  do_syscall_64+0x3b/0x90
[  100.712514]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  100.714759]
[  100.716310] Last potentially related work creation:
[  100.718534]  kasan_save_stack+0x1b/0x40
[  100.720565]  kasan_record_aux_stack+0xa5/0xb0
[  100.722695]  kvfree_call_rcu+0x79/0x7b0
[  100.724728]  audit_trim_trees+0x434/0x530
[  100.726784]  audit_receive_msg+0xd46/0x1ae0
[  100.728863]  audit_receive+0xd7/0x1b0
[  100.730826]  netlink_unicast+0x430/0x700
[  100.732828]  netlink_sendmsg+0x72a/0xc70
[  100.734815]  sock_sendmsg+0xe4/0x110
[  100.736723]  __sys_sendto+0x1aa/0x280
[  100.738637]  __x64_sys_sendto+0xdc/0x1b0
[  100.740595]  do_syscall_64+0x3b/0x90
[  100.742469]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  100.744597]
[  100.745986] The buggy address belongs to the object at ffff8881053a7300
[  100.745986]  which belongs to the cache kmalloc-128 of size 128
[  100.750502] The buggy address is located 96 bytes inside of
[  100.750502]  128-byte region [ffff8881053a7300, ffff8881053a7380)
[  100.754809] The buggy address belongs to the page:
[  100.756804] page:000000004fcb5951 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8881053a7e00 pfn:0x1053a7
[  100.761082] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[  100.763579] raw: 0017ffffc0000200 ffffea0000095348 ffffea0000281888 ffff8881000418c0
[  100.766258] raw: ffff8881053a7e00 000000000010000c 00000001ffffffff 0000000000000000
[  100.768955] page dumped because: kasan: bad access detected
[  100.771261]
[  100.772781] Memory state around the buggy address:
[  100.774959]  ffff8881053a7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  100.777639]  ffff8881053a7280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  100.780353] >ffff8881053a7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  100.783073]                                                        ^
[  100.785657]  ffff8881053a7380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  100.788442]  ffff8881053a7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  100.791253] ==================================================================
[  100.794073] Disabling lock debugging due to kernel taint
~~~

Expected results:
No use-after-free in audit_krule_to_data

Additional info:
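The two stacks in the KASAN report, taken together with the fixing commit's title ("move put_tree() to avoid trim_trees refcount underflow and UAF"), describe the shape of the bug: the trim path (`audit_trim_trees`, ending in `kvfree_call_rcu`) lets the audit tree's reference count reach zero while a rule still points at the tree, and the next rule listing (`audit_list_rules_send` / `audit_krule_to_data`) copies the rule's data out of the freed object. The following user-space C program is an added illustration of that pattern. It is not kernel code and not the patch: the `struct tree` and `struct rule` layouts, the function names, and the `/etc/selinux/` path are assumed for the example, and a poison flag stands in for KASAN's freed-object marker so the stale read is reported instead of crashing the process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATHLEN 64

/* Simplified stand-in for a refcounted audit tree (assumed layout, not the
 * kernel's struct): a reference count, a poison flag that plays the role of
 * KASAN's freed-object marker, and the pathname a rule listing copies out. */
struct tree {
    int refcount;
    int freed;
    char pathname[PATHLEN];
};

/* A rule refers to a tree. The rule owns the reference taken when the tree
 * was created; no other code path may release that reference. */
struct rule {
    struct tree *tree;
};

static char last_listed[PATHLEN];   /* what the most recent listing copied out */

static struct tree *tree_alloc(const char *path)
{
    struct tree *t = calloc(1, sizeof *t);
    if (!t)
        abort();
    t->refcount = 1;                /* the creating rule's reference */
    snprintf(t->pathname, PATHLEN, "%s", path);
    return t;
}

static void get_tree(struct tree *t)
{
    t->refcount++;
}

/* Drop one reference. Returns 1 if this put released the object, 0 if it is
 * still live, and -1 for a put against an object with no references left
 * (the underflow case). The object is poisoned rather than free()d so that
 * a later stale access is detectable, as KASAN's quarantine makes it in-kernel. */
static int put_tree(struct tree *t)
{
    if (t->freed || t->refcount <= 0)
        return -1;
    if (--t->refcount == 0) {
        t->freed = 1;
        memset(t->pathname, 0xfb, PATHLEN);   /* KASAN-style freed poison */
        return 1;
    }
    return 0;
}

/* What listing a rule does: copy the tree's pathname out for the caller.
 * Returns -1 if the tree was already released, i.e. the read the report flags. */
static int rule_to_data(const struct rule *r)
{
    if (r->tree->freed)
        return -1;
    snprintf(last_listed, PATHLEN, "%s", r->tree->pathname);
    return 0;
}

/* A trim pass takes its own reference for the duration of the walk and must
 * release exactly that one. The buggy variant releases one more, which is
 * the rule's, so the tree is gone while the rule still points at it. */
static void trim_trees(struct tree *t, int buggy)
{
    get_tree(t);
    /* ... walk the tree's chunks against the mount table (elided) ... */
    put_tree(t);
    if (buggy)
        put_tree(t);    /* one put too many: refcount hits zero early */
}

/* Run a trim pass followed by a rule listing; return the listing's result. */
int run_scenario(int buggy)
{
    struct tree *t = tree_alloc("/etc/selinux/");   /* constructed sample path */
    struct rule r = { t };
    int rc;

    trim_trees(t, buggy);
    rc = rule_to_data(&r);        /* correct ordering: 0; extra put: -1 */
    if (!t->freed)
        put_tree(t);              /* the rule releases its own reference */
    free(t);                      /* only now is the memory actually released */
    return rc;
}

const char *last_listed_path(void)
{
    return last_listed;
}

int main(void)
{
    printf("balanced get/put: rc=%d path=%s\n", run_scenario(0), last_listed_path());
    printf("one put too many: rc=%d (stale read caught)\n", run_scenario(1));
    return 0;
}
```

The `refcount <= 0` guard in `put_tree()` is the user-space analogue of the kernel's `refcount_t`, which saturates and warns instead of wrapping, so an unbalanced put is reported rather than silently turning into a premature free. That guard only makes the mistake visible; the durable fix is the one the commit describes, releasing the trim pass's reference exactly once and never the rule's.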