Hi team, could you please check the report below? (CVE Pending)

Reference: https://redhat.service-now.com/surl.do?n=INC2105149

------------

Email received from: kylin.formalin
Recipients: secalert

Hi there,

I found two concurrency use-after-free bugs in the Linux kernel and patched them together with the maintainers. The upstream commits can be found below:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b2f37aead1b82a770c48b5d583f35ec22aabb61e
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81b1d548d00bcd028303c4f3150fa753b9b8aa71
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0b9111922b1f399aba6ed1e1b8f2079c3da1aed8
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e0588c291d6ce225f2b891753ca41d45ba42469

The details of these bugs are quite clear: when a mkiss or a sixpack device is detaching, it reclaims the buffer resource too soon while there can be some packets still utilizing these buffers. You can refer to the commit messages for the thread interleaving cases.

Below is the KASan report when the UAF happens:

[ 26.882075] ==================================================================
[ 26.882075] BUG: KASAN: use-after-free in tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[ 26.882075] Read of size 85 at addr ffff88800690d000 by task trigger/141
[ 26.882075]
[ 26.882075] CPU: 3 PID: 141 Comm: trigger Not tainted 5.11.0 #6
[ 26.882075] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 26.882075] Call Trace:
[ 26.882075] dump_stack+0x7d/0xa3
[ 26.882075] print_address_description.constprop.0+0x18/0x130
[ 26.882075] ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[ 26.882075] ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[ 26.882075] kasan_report.cold+0x7f/0x10e
[ 26.882075] ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[ 26.882075] check_memory_region+0xf9/0x1e0
[ 26.882075] memcpy+0x20/0x60
[ 26.882075] tty_insert_flip_string_fixed_flag+0xd8/0x1e0
[ 26.882075] pty_write+0xfa/0x1b0
[ 26.882075] ? pty_set_termios+0x5d0/0x5d0
[ 26.882075] ax_encaps+0x9c9/0xb60
[ 26.882075] ax_xmit+0x36a/0x37e
[ 26.882075] dev_hard_start_xmit+0x160/0x500
[ 26.882075] sch_direct_xmit+0x20b/0xa00
[ 26.882075] ? qdisc_put_unlocked+0x50/0x50
[ 26.882075] ? sysvec_apic_timer_interrupt+0x33/0xd0
[ 26.882075] ? pfifo_fast_dequeue+0x275/0xa30
[ 26.882075] __qdisc_run+0x3a0/0x1390
[ 26.882075] __dev_queue_xmit+0xabb/0x1b10
[ 26.882075] ? netdev_core_pick_tx+0x2a0/0x2a0
[ 26.882075] ? sysvec_apic_timer_interrupt+0x33/0xd0
[ 26.882075] ? memcpy+0x39/0x60
[ 26.882075] ? ax25_addr_build+0x7e/0x2a0
[ 26.882075] ax25_sendmsg+0xb70/0x1090
[ 26.882075] ? selinux_inode_notifysecctx+0x20/0x20
[ 26.882075] ? ax25_device_event+0x210/0x210
[ 26.882075] ? __fget_files+0x15b/0x210
[ 26.882075] ? ax25_device_event+0x210/0x210
[ 26.882075] sock_sendmsg+0xdf/0x110
[ 26.882075] __sys_sendto+0x19e/0x270
[ 26.882075] ? __ia32_sys_getpeername+0xa0/0xa0
[ 26.882075] ? copy_init_fpstate_to_fpregs+0x70/0x70
[ 26.882075] __x64_sys_sendto+0xd8/0x1b0
[ 26.882075] ? exit_to_user_mode_prepare+0x2c/0x120
[ 26.882075] do_syscall_64+0x33/0x40
[ 26.882075] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 26.882075] RIP: 0033:0x7f2fd4c4bf64
[ 26.882075] Code: 89 4c 24 1c e8 cd f8 ff ff 44 8b 54 24 1c 8b 3c 24 45 31 c9 89 c5 48 8b 54 24 10 48 8b 74 24 08 45 31 c0 b8 2c 00 00 00 04
[ 26.882075] RSP: 002b:00007f2fd4263da0 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 26.882075] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2fd4c4bf64
[ 26.882075] RDX: 0000000000000040 RSI: 00007f2fd4263df0 RDI: 0000000000000005
[ 26.882075] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 26.882075] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff4cf08efe
[ 26.882075] R13: 00007fff4cf08eff R14: 00007f2fd4263fc0 R15: 00007f2fd4264700
[ 26.882075]
[ 26.882075] Allocated by task 138:
[ 26.882075] kasan_save_stack+0x1b/0x40
[ 26.882075] ____kasan_kmalloc.constprop.0+0x84/0xa0
[ 26.882075] mkiss_open+0x375/0x700
[ 26.882075] tty_ldisc_open+0x76/0xc0
[ 26.882075] tty_set_ldisc+0x262/0x590
[ 26.882075] tty_ioctl+0x572/0x1360
[ 26.882075] __x64_sys_ioctl+0x122/0x190
[ 26.882075] do_syscall_64+0x33/0x40
[ 26.882075] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 26.882075]
[ 26.882075] Freed by task 140:
[ 26.882075] kasan_save_stack+0x1b/0x40
[ 26.882075] kasan_set_track+0x1c/0x30
[ 26.882075] kasan_set_free_info+0x20/0x30
[ 26.882075] ____kasan_slab_free+0xec/0x120
[ 26.882075] kfree+0x8f/0x230
[ 26.882075] mkiss_close+0x152/0x1d0
[ 26.882075] tty_ldisc_hangup+0x227/0x5f0
[ 26.882075] __tty_hangup.part.0+0x3f0/0x890
[ 26.882075] tty_release+0x3a8/0xc80
[ 26.882075] __fput+0x19d/0x760
[ 26.882075] task_work_run+0xbd/0x140
[ 26.882075] exit_to_user_mode_prepare+0x114/0x120
[ 26.882075] syscall_exit_to_user_mode+0x1d/0x40
[ 26.882075] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 26.882075]
[ 26.882075] The buggy address belongs to the object at ffff88800690d000
[ 26.882075] which belongs to the cache kmalloc-2k of size 2048
[ 26.882075] The buggy address is located 0 bytes inside of
[ 26.882075] 2048-byte region [ffff88800690d000, ffff88800690d800)
[ 26.882075] The buggy address belongs to the page:
[ 26.882075] page:00000000f84476af refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6908
[ 26.882075] head:00000000f84476af order:3 compound_mapcount:0 compound_pincount:0
[ 26.882075] flags: 0x100000000010200(slab|head)
[ 26.882075] raw: 0100000000010200 0000000000000000 0000000100000001 ffff888006043040
[ 26.882075] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 26.882075] page dumped because: kasan: bad access detected
[ 26.882075]
[ 26.882075] Memory state around the buggy address:
[ 26.882075] ffff88800690cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.882075] ffff88800690cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.882075] >ffff88800690d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.882075] ^
[ 26.882075] ffff88800690d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.882075] ffff88800690d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.882075] ==================================================================
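The interleaving the report describes, close reclaiming the transmit buffer while a packet is still inside the xmit path, as an added C model that is neither the reporter's code nor the kernel driver's: struct ax_dev, AX_MTU and the `hook` parameter are constructed stand-ins, and the fixed close reproduces the guarantee the driver gets from freeing only after unregister_netdev() (which does not return while a transmit is still in the driver) with a deferred free, so that the model stays single-threaded and deterministic.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define AX_MTU 256      /* constructed: stands in for the driver's buffer size */
struct ax_dev {         /* stand-in for the mkiss/6pack per-device state */
	char *xbuff;        /* transmit buffer owned by the line discipline */
	int registered;     /* 0 once the netdev side has been stopped */
	int tx_inflight;    /* transmits currently inside the xmit path */
	int free_pending;   /* fixed close: last transmit out reclaims xbuff */
};
static void ax_free_xbuff(struct ax_dev *d) { free(d->xbuff); d->xbuff = NULL; }

int ax_open(struct ax_dev *d)
{
	*d = (struct ax_dev){ .xbuff = malloc(AX_MTU), .registered = 1 };
	return d->xbuff ? 0 : -ENOMEM;
}

/* Transmit path (ax_xmit -> ax_encaps). `hook` runs after the "device is up"
 * check and before xbuff is used: the window the reported close() lands in. */
int ax_xmit(struct ax_dev *d, const char *frame, size_t len, void (*hook)(struct ax_dev *))
{
	if (!d->registered || len > AX_MTU)
		return -ENETDOWN;
	d->tx_inflight++;
	if (hook) hook(d);
	char *buf = d->xbuff;         /* NULL: close() already freed it. The real */
	if (buf)                      /* driver has no such check and touches     */
		memcpy(buf, frame, len);  /* freed memory here (the KASAN report).    */
	if (--d->tx_inflight == 0 && d->free_pending)
		ax_free_xbuff(d);
	return buf ? (int)len : -EFAULT;
}

/* Buggy order, as in the report: xbuff is reclaimed while a transmit may
 * still be using it; the device is stopped only afterwards. */
void ax_close_buggy(struct ax_dev *d)
{
	ax_free_xbuff(d);
	d->registered = 0;
}

/* Fixed order: stop new transmits first and free xbuff only once no transmit
 * is left in the xmit path (upstream: kfree() only after unregister_netdev()). */
void ax_close_fixed(struct ax_dev *d)
{
	d->registered = 0;
	d->free_pending = 1;          /* the last transmit out frees, see ax_xmit */
	if (!d->tx_inflight)
		ax_free_xbuff(d);
}
```

The -EFAULT return stands in for the access KASAN flagged; with the fixed ordering the in-flight transmit completes on a live buffer and every later transmit is refused with -ENETDOWN.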
*** This bug has been marked as a duplicate of bug 2056381 ***