oss-sec mailing list archives
CVE-2022-4379: Linux kernel: use-after-free in __nfs42_ssc_open
From: Xingyuan Mo <hdthky0 () gmail com>
Date: Wed, 14 Dec 2022 16:31:25 +0800
Hello,

We found a use-after-free vulnerability in __nfs42_ssc_open() in the NFS subsystem of Linux through v6.1, which allows an attacker to trigger a remote denial of service.

=*=*=*=*=*=*=*=*= Bug Details =*=*=*=*=*=*=*=*=

The use-after-free violation is caused by dereferencing a vfsmount which is freed but still remains on the delayed unmount list. The reason the vfsmount is freed is that nfs42_ssc_open returns an error when called in nfsd4_do_async_copy.

During my testing, this bug can be triggered by two consecutive inter-server-side copies, if the first one encounters some kind of error.

=*=*=*=*=*=*=*=*= Backtrace =*=*=*=*=*=*=*=*=

[ 150.198088 ] ==================================================================
[ 150.199766 ] BUG: KASAN: use-after-free in __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[ 150.201108 ] Read of size 8 at addr ffff888008bbc4a8 by task copy thread/375
[ 150.203035 ]
[ 150.203392 ] CPU: 4 PID: 375 Comm: copy thread Not tainted 6.1.0-rc8 #20
[ 150.204790 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/04
[ 150.206709 ] Call Trace:
[ 150.207271 ] <TASK>
[ 150.207740 ] dump_stack_lvl (lib/dump_stack.c:107)
[ 150.208562 ] print_report (mm/kasan/report.c:285 mm/kasan/report.c:395)
[ 150.209385 ] ? __virt_addr_valid (./include/linux/mmzone.h:1759 ./include/linux/mmzone.h:1855 arch/x86/mm/physaddr.c:65)
[ 150.210296 ] ? __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[ 150.211184 ] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
[ 150.211967 ] ? __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[ 150.212742 ] __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[ 150.213343 ] ? _raw_read_lock_bh (kernel/locking/spinlock.c:161)
[ 150.213935 ] nfsd4_do_async_copy (./include/linux/nfs_ssc.h:47 fs/nfsd/nfs4proc.c:1764)
[ 150.214520 ] ? preempt_count_sub (kernel/sched/core.c:5697)
[ 150.215133 ] ? __kthread_parkme (kernel/kthread.c:283)
[ 150.215769 ] ? nfsd4_read (fs/nfsd/nfs4proc.c:1757)
[ 150.216349 ] kthread (kernel/kthread.c:376)
[ 150.216873 ] ? kthread_complete_and_exit (kernel/kthread.c:331)
[ 150.217630 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[ 150.218206 ] </TASK>
[ 150.218551 ]
[ 150.218803 ] Allocated by task 350:
[ 150.219348 ] kasan_save_stack (mm/kasan/common.c:46)
[ 150.219938 ] kasan_set_track (mm/kasan/common.c:52)
[ 150.220522 ] __kasan_slab_alloc (mm/kasan/common.c:328)
[ 150.221148 ] kmem_cache_alloc (./include/linux/kasan.h:201 mm/slab.h:737 mm/slub.c:3398 mm/slub.c:3406 mm/slub.c:3413 mm/slub.c:3422)
[ 150.221786 ] alloc_vfsmnt (./include/linux/slab.h:679 fs/namespace.c:198)
[ 150.222348 ] vfs_create_mount (fs/namespace.c:1017)
[ 150.222919 ] vfs_kern_mount.part.48 (fs/namespace.c:1073)
[ 150.223376 ] nfsd4_interssc_connect.isra.24 (fs/nfsd/nfs4proc.c:1443)
[ 150.223915 ] nfsd4_copy (fs/nfsd/nfs4proc.c:1499 fs/nfsd/nfs4proc.c:1805)
[ 150.224249 ] nfsd4_proc_compound (fs/nfsd/nfs4proc.c:2710)
[ 150.224647 ] nfsd_dispatch (fs/nfsd/nfssvc.c:1056)
[ 150.225000 ] svc_process_common (net/sunrpc/svc.c:1339)
[ 150.225403 ] svc_process (net/sunrpc/svc.c:1463)
[ 150.225735 ] nfsd (fs/nfsd/nfssvc.c:979)
[ 150.226022 ] kthread (kernel/kthread.c:376)
[ 150.226330 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[ 150.226662 ]
[ 150.226810 ] Freed by task 0:
[ 150.227072 ] kasan_save_stack (mm/kasan/common.c:46)
[ 150.227417 ] kasan_set_track (mm/kasan/common.c:52)
[ 150.227765 ] kasan_save_free_info (mm/kasan/generic.c:513)
[ 150.228134 ] __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
[ 150.228497 ] kmem_cache_free (mm/slub.c:1750 mm/slub.c:3661 mm/slub.c:3683)
[ 150.228842 ] rcu_core (./arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2257 kernel/rcu/tree.c:2510)
[ 150.229144 ] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
[ 150.229483 ]
[ 150.229636 ] Last potentially related work creation:
[ 150.230102 ] kasan_save_stack (mm/kasan/common.c:46)
[ 150.230470 ] __kasan_record_aux_stack (mm/kasan/generic.c:481)
[ 150.230901 ] call_rcu (./arch/x86/include/asm/irqflags.h:29 (discriminator 3) ./arch/x86/include/asm/irqflags.h:70 (discriminator 3) ./arch/x86/include/asm/irqflags.h:106 (discriminator 3) kernel/rcu/tree.c:2799 (discriminator 3))
[ 150.231214 ] mntput_no_expire (fs/namespace.c:1272)
[ 150.231586 ] nfsd4_do_async_copy (./include/linux/slab.h:553 ./include/linux/slab.h:689 fs/nfsd/nfs4proc.c:1734 fs/nfsd/nfs4proc.c:1787)
[ 150.231980 ] kthread (kernel/kthread.c:376)
[ 150.232295 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[ 150.232637 ]
[ 150.232792 ] The buggy address belongs to the object at ffff888008bbc480
[ 150.232792 ]  which belongs to the cache mnt_cache of size 320
[ 150.233849 ] The buggy address is located 40 bytes inside of
[ 150.233849 ]  320-byte region [ffff888008bbc480, ffff888008bbc5c0)
[ 150.234828 ]
[ 150.234970 ] The buggy address belongs to the physical page:
[ 150.235442 ] page:00000000711edc3f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfnc
[ 150.236154 ] head:00000000711edc3f order:1 compound_mapcount:0 compound_pincount:0
[ 150.236724 ] flags: 0x100000000010200(slab|head|node=0|zone=1)
[ 150.237193 ] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888004946dc0
[ 150.237784 ] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[ 150.238367 ] page dumped because: kasan: bad access detected
[ 150.238804 ]
[ 150.238934 ] Memory state around the buggy address:
[ 150.239304 ]  ffff888008bbc380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 150.239868 ]  ffff888008bbc400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 150.240420 ] >ffff888008bbc480: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 150.240967 ]                                   ^
[ 150.241333 ]  ffff888008bbc500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 150.241885 ]  ffff888008bbc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 150.242431 ] ==================================================================

=*=*=*=*=*=*=*=*= Patch =*=*=*=*=*=*=*=*=

The patch has been done by Dai Ngo, and it can be found here:
https://lore.kernel.org/all/1670885411-10060-1-git-send-email-dai.ngo () oracle com/

=*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*=

Xingyuan Mo and Gengjia Chen of IceSword Lab, Qihoo 360 Technology Co. Ltd.

Best Regards,
Xingyuan Mo
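The lifecycle the Bug Details section describes, reduced to a hypothetical C model added here (it is neither kernel code nor the linked patch): a refcounted mount registered on a delayed-unmount list, a first copy whose error path drops the caller's reference, and a second copy that finds the stale entry. The names mnt_get/mnt_put/delayed_add and the "list holds its own reference" hardening are assumptions of the model, chosen to show the refcount-versus-list mismatch, not the fix the kernel actually took.

```c
/* Hypothetical model of the lifecycle described in Bug Details: not kernel code
 * and not the linked patch. The "slab" never free()s: a freed mount is recorded
 * with a flag so the dangling state can be inspected without undefined behaviour. */
#include <stdbool.h>
#include <stddef.h>

struct mnt { int refcnt; bool freed; };        /* stands in for struct vfsmount */

#define NMNT 2
static struct mnt pool[NMNT];                  /* constructed mount "slab" */
static struct mnt *delayed_list[NMNT];         /* constructed delayed-unmount list */
static size_t delayed_len;

static void reset(void)
{
    for (size_t i = 0; i < NMNT; i++) { pool[i].refcnt = 0; pool[i].freed = false; }
    delayed_len = 0;
}

static struct mnt *mnt_alloc(void)             /* like vfs_kern_mount(): one reference */
{
    for (size_t i = 0; i < NMNT; i++)
        if (pool[i].refcnt == 0 && !pool[i].freed) { pool[i].refcnt = 1; return &pool[i]; }
    return NULL;
}
static void mnt_get(struct mnt *m) { m->refcnt++; }
static void mnt_put(struct mnt *m) { if (--m->refcnt == 0) m->freed = true; } /* like mntput() */

/* Register the mount on the delayed list. Buggy form: store a bare pointer.
 * Hardened form (assumed here): the list takes its own reference, so the entry
 * stays valid after the registering caller drops its reference. */
static void delayed_add(struct mnt *m, bool list_holds_ref)
{
    if (list_holds_ref) mnt_get(m);
    delayed_list[delayed_len++] = m;
}

/* Two consecutive copies: the first registers the mount and then fails, and its
 * error path drops the caller's reference; the second finds the mount on the list
 * and dereferences it. Returns true when that dereference reaches a freed mount. */
static bool two_copies_reach_freed_mount(bool list_holds_ref)
{
    reset();
    struct mnt *m = mnt_alloc();
    delayed_add(m, list_holds_ref);
    mnt_put(m);                                /* error path of the first copy */
    struct mnt *reused = delayed_list[0];      /* second copy picks up the entry */
    return reused->freed;                      /* true = use-after-free condition */
}
```

With a bare pointer on the list the second copy reaches a freed mount, which is the condition KASAN reports above; with the list holding its own reference the mount survives the first copy's error path.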