oss-sec mailing list archives
Linux kernel: linux-block: nbd: use-after-free Read in nbd_queue_rq
From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Fri, 29 Jan 2021 02:10:20 +0800
Hi,

I reported a use-after-free Read bug in nbd_queue_rq() in drivers/block/nbd.c and reproduced it in linux-5.11.0-rc4+ too.

Root Cause:
There is a race condition in the nbd ioctl. The NBD_SET_SIZE_BLOCKS ioctl will call nbd_size_set(), which will change the block size. The NBD_SET_SOCK ioctl will call nbd_add_socket(), which will invoke krealloc() to update a block, freeing it and reallocating a new one. But nbd_queue_rq() is running at the same time and calls nbd_handle_cmd(), which uses config->sock; it accesses config->socks without any locking.

Patch for this issue:
https://lore.kernel.org/linux-block/24dff677353e2e30a71d8b66c4dffdbdf77c4dbd.1611595239.git.josef () toxicpanda com/

CVE assigned: not assigned.

Timeline:
*2021/1/25 - Vulnerability reported to security () kernel org.
*2020/1/26 - Vulnerability confirmed and patched.
*2020/1/28 - Vulnerability reported to linux-distros () vs openwall org.
*2021/1/29 - Opened on oss-security () lists openwall com.

Credit:
This issue was discovered by the ADLab of venustech.

Regards,
butt3rflyh4ck.
Current thread:
- Linux kernel: linux-block: nbd: use-after-free Read in nbd_queue_rq butt3rflyh4ck (Jan 28)
- Re: Linux kernel: linux-block: nbd: use-after-free Read in nbd_queue_rq butt3rflyh4ck (Jan 30)
- Re: Re: Linux kernel: linux-block: nbd: use-after-free Read in nbd_queue_rq Marcus Meissner (Jan 31)
- Re: Linux kernel: linux-block: nbd: use-after-free Read in nbd_queue_rq butt3rflyh4ck (Jan 30)