oss-sec mailing list archives

Re: Linux kernel: linux-block: nbd: use-after-free Read in nbd_queue_rq


From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Sat, 30 Jan 2021 16:46:30 +0800

the patch for this issue in upstream:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b98e762e3d71e893b221f871825dc64694cfb258

Regards,
 butt3rflyh4ck.


On Fri, Jan 29, 2021 at 2:10 AM butt3rflyh4ck <butterflyhuangxx () gmail com>
wrote:

Hi, I reported a use-after-free Read bug in nbd_queue_rq() in
drivers/block/nbd.c and reproduced it in linux-5.11.0-rc4+ too.

Root Cause:

There is a race condition in the nbd ioctls.
The NBD_SET_SIZE_BLOCKS ioctl calls nbd_size_set(), which changes the
block size.
The NBD_SET_SOCK ioctl calls nbd_add_socket(), which invokes
krealloc() to update a block, freeing it and reallocating a new one.
But nbd_queue_rq() is running at the same time and calls nbd_handle_cmd(),
which uses config->socks; it accesses config->socks without any locking.

Patch for this issue:

https://lore.kernel.org/linux-block/24dff677353e2e30a71d8b66c4dffdbdf77c4dbd.1611595239.git.josef () toxicpanda com/

CVE assigned:
not assigned.

Timeline:
*2021/1/25  - Vulnerability reported to security () kernel org.
*2020/1/26  - Vulnerability confirmed and patched.
*2020/1/28 - Vulnerability reported to linux-distros () vs openwall org.
*2021/1/29 - Opened on oss-security () lists openwall com.

Credit:
This issue was discovered by the ADLab of venustech.


Regards,
 butt3rflyh4ck.
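The race described in the report above (nbd_add_socket() reallocating config->socks while nbd_queue_rq()/nbd_handle_cmd() is still using the old array) is easy to model in user space. The following program is an added example, not the reporter's code and not kernel code: struct names, the 100+index fd convention and the run_model() harness are hypothetical. add_socket_unsafe() keeps the "before" shape (realloc() with no coordination with readers) and is deliberately never executed, since under threads it is a real use-after-free; add_socket_safe() imitates the kernel's blk_mq_freeze_queue()/blk_mq_unfreeze_queue() idea: block new requests, drain the ones in flight, then replace the array. The sched_yield() inside queue_rq() stands in for the socket send that can sleep, which is why simply wrapping the access in a spinlock would not be an acceptable fix in the kernel.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model of struct nbd_config (not the kernel's). */
struct nsock { int fd; };

struct config {
	struct nsock **socks;       /* grown one entry at a time, like krealloc() */
	int num_connections;
	pthread_mutex_t lock;       /* protects frozen/inflight only, never held across queue_rq */
	pthread_cond_t cv;
	int frozen;                 /* set while socks is being replaced */
	int inflight;               /* requests currently inside queue_rq() */
	atomic_int resizing;        /* instrumentation: realloc in progress */
	atomic_int violations;      /* instrumentation: reader overlapped a resize */
};

/* BEFORE (never called here): realloc() may free the old array while a
 * queue_rq() reader still holds a pointer into it -> use-after-free read. */
static int add_socket_unsafe(struct config *c, int fd)
{
	struct nsock *s = malloc(sizeof(*s));
	if (!s) return -1;
	s->fd = fd;
	struct nsock **n = realloc(c->socks, (size_t)(c->num_connections + 1) * sizeof(*n));
	if (!n) { free(s); return -1; }
	c->socks = n;
	n[c->num_connections++] = s;
	return 0;
}

/* Freeze protocol, a stand-in for blk_mq_freeze_queue()/unfreeze. */
static void queue_freeze(struct config *c)
{
	pthread_mutex_lock(&c->lock);
	c->frozen = 1;                       /* new requests now wait in queue_enter() */
	while (c->inflight > 0)              /* drain requests already inside */
		pthread_cond_wait(&c->cv, &c->lock);
	pthread_mutex_unlock(&c->lock);
}

static void queue_unfreeze(struct config *c)
{
	pthread_mutex_lock(&c->lock);
	c->frozen = 0;
	pthread_cond_broadcast(&c->cv);
	pthread_mutex_unlock(&c->lock);
}

static void queue_enter(struct config *c)
{
	pthread_mutex_lock(&c->lock);
	while (c->frozen)
		pthread_cond_wait(&c->cv, &c->lock);
	c->inflight++;
	pthread_mutex_unlock(&c->lock);
}

static void queue_exit(struct config *c)
{
	pthread_mutex_lock(&c->lock);
	if (--c->inflight == 0)
		pthread_cond_broadcast(&c->cv);  /* wake a waiting freezer */
	pthread_mutex_unlock(&c->lock);
}

/* AFTER: no request can be inside queue_rq() while the array is replaced. */
static int add_socket_safe(struct config *c, int fd)
{
	queue_freeze(c);
	atomic_store(&c->resizing, 1);
	int rc = add_socket_unsafe(c, fd);   /* the realloc itself is now safe */
	atomic_store(&c->resizing, 0);
	queue_unfreeze(c);
	return rc;
}

/* Model of nbd_queue_rq() -> nbd_handle_cmd(): pick a connection, use it,
 * and (sched_yield) possibly sleep while doing so. */
static void queue_rq(struct config *c, int req)
{
	queue_enter(c);
	int idx = req % c->num_connections;
	struct nsock *s = c->socks[idx];
	if (atomic_load(&c->resizing) || s->fd != 100 + idx)
		atomic_fetch_add(&c->violations, 1);
	sched_yield();
	queue_exit(c);
}

struct worker_arg { struct config *c; int iters; };
static void *reader(void *p)
{
	struct worker_arg *a = p;
	for (int i = 0; i < a->iters; i++) queue_rq(a->c, i);
	return NULL;
}
static void *adder(void *p)   /* repeated NBD_SET_SOCK while I/O is running */
{
	struct worker_arg *a = p;
	for (int i = 0; i < a->iters; i++) {
		if (add_socket_safe(a->c, 100 + a->c->num_connections) != 0) abort();
		sched_yield();
	}
	return NULL;
}

static int last_connections;
int run_model_connections(void) { return last_connections; }

/* Runs nreaders request threads against one thread adding nadds sockets.
 * Returns the number of reads that overlapped a resize (0 when the freeze works). */
int run_model(int nreaders, int nadds)
{
	struct config c = { .lock = PTHREAD_MUTEX_INITIALIZER, .cv = PTHREAD_COND_INITIALIZER };
	if (add_socket_safe(&c, 100) != 0) return -1;   /* first connection, device idle */
	pthread_t th[nreaders + 1];
	struct worker_arg ra = { &c, 2000 }, aa = { &c, nadds };
	for (int i = 0; i < nreaders; i++) pthread_create(&th[i], NULL, reader, &ra);
	pthread_create(&th[nreaders], NULL, adder, &aa);
	for (int i = 0; i <= nreaders; i++) pthread_join(th[i], NULL);
	last_connections = c.num_connections;
	int v = atomic_load(&c.violations);
	for (int i = 0; i < c.num_connections; i++) free(c.socks[i]);
	free(c.socks);
	return v;
}

int main(void)
{
	int v = run_model(4, 50);
	printf("violations=%d connections=%d\n", v, run_model_connections());
	return v != 0;
}
```

Swapping add_socket_safe() for add_socket_unsafe() in adder() and building with -fsanitize=address,thread reproduces the report's failure mode (a heap-use-after-free read in queue_rq()); with the freeze in place the violation counter stays at zero however the threads interleave.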

