oss-sec mailing list archives
CVE-2022-1975: Linux kernel: sleep in atomic context bug when nfc firmware download timeout
From: duoming () zju edu cn
Date: Sun, 5 Jun 2022 10:51:54 +0800 (GMT+08:00)
Hello there, There are sleep in atomic context bugs that could cause kernel panic during nfc firmware download process. =*=*=*=*=*=*=*=*= Bug Details =*=*=*=*=*=*=*=*= The root cause of this bug is that nlmsg_new with GFP_KERNEL parameter is called in fw_dnld_timeout which is a timer handler. The nlmsg_new with GFP_KERNEL parameter may sleep during memory allocation process, and the timer handler is run as the result of a "software interrupt" that should not call any other functions that could sleep. =*=*=*=*=*=*=*=*= Bug Effects =*=*=*=*=*=*=*=*= We can successfully trigger the vulnerabilities to crash the linux kernel. [ 41.852019] general protection fault, probably for non-canonical address 0xdead00000000012a: 0000 [#1] PREEMPT SMP NOPTI [ 41.871262] (NULL device *): NFC: FW loading timeout [ 41.852019] RIP: 0010:__run_timers.part.0+0x391/0x500 [ 41.852019] Code: 00 48 8b 45 08 48 89 c7 48 89 04 24 e8 f8 54 0e 00 48 8b 04 24 4c 89 30 4d 85 f6 74 11 49 8d 7e 08 e8 9 [ 41.852019] RSP: 0018:ffffc900000c8ec0 EFLAGS: 00000046 [ 41.852019] RAX: ffffc900000c8ef0 RBX: ffffc900000c8ef0 RCX: ffffffff8116927d [ 41.852019] RDX: 000000000000038b RSI: 0001ffffffffffff RDI: dead00000000012a [ 41.852019] RBP: ffff8880046cbd20 R08: ffffffff8417ab78 R09: 0000000000000000 [ 41.852019] R10: 0000000000000001 R11: 0000000000000002 R12: ffff88807dc9bf00 [ 41.852019] R13: ffff88807dc9bf40 R14: dead000000000122 R15: ffff8880046cbd28 [ 41.852019] FS: 0000000000000000(0000) GS:ffff88807dc80000(0000) knlGS:0000000000000000 [ 41.852019] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 41.852019] CR2: 00007fa7f0229180 CR3: 0000000003222000 CR4: 00000000000006e0 [ 41.852019] Call Trace: [ 41.852019] <IRQ> [ 41.852019] ? clockevents_program_event+0xd9/0x150 [ 41.852019] ? tick_program_event+0x50/0x90 [ 41.852019] run_timer_softirq+0x4f/0xa0 [ 41.852019] __do_softirq+0x11d/0x363 [ 41.852019] irq_exit_rcu+0xb0/0x100 [ 41.852019] sysvec_apic_timer_interrupt+0x8f/0xc0 [ 41.852019] </IRQ> [ 41.852019] <TASK> [ 41.852019] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 41.852019] RIP: 0010:rescuer_thread+0x5a5/0x6d0 [ 41.852019] Code: 00 48 8b 03 48 39 c3 0f 84 cf 00 00 00 48 c7 c7 60 d3 26 83 e8 7c 61 58 01 e9 cd fe ff ff 48 c7 c7 60 7 [ 41.852019] RSP: 0018:ffffc90000e03e70 EFLAGS: 00000286 [ 41.852019] RAX: 0000000080000000 RBX: ffff88800729c0e8 RCX: 0000000000000000 [ 41.852019] RDX: 0000000000000001 RSI: 0001ffff8326d360 RDI: 00000000ffffffff [ 41.852019] RBP: ffff8880073e802c R08: ffffffff8417ace0 R09: 0000000000000000 [ 41.852019] R10: 0001ffffffffffff R11: ffffffff811125a7 R12: ffff8880073af700 [ 41.852019] R13: ffffc9000027fb68 R14: ffff88800729c000 R15: ffff8880073e8000 [ 41.852019] ? do_raw_spin_unlock+0x97/0xf0 [ 41.852019] ? __this_cpu_preempt_check+0xf/0x10 [ 41.852019] ? lock_release+0x13c/0x2c0 [ 41.852019] ? do_raw_spin_unlock+0x97/0xf0 [ 41.852019] ? process_one_work+0xa80/0xa80 [ 41.852019] kthread+0x17e/0x1b0 [ 41.852019] ? kthread_complete_and_exit+0x20/0x20 [ 41.852019] ret_from_fork+0x22/0x30 [ 41.852019] </TASK> [ 41.852019] Modules linked in: [ 41.852019] ---[ end trace 0000000000000000 ]--- [ 41.852019] RIP: 0010:__run_timers.part.0+0x391/0x500 [ 41.852019] Code: 00 48 8b 45 08 48 89 c7 48 89 04 24 e8 f8 54 0e 00 48 8b 04 24 4c 89 30 4d 85 f6 74 11 49 8d 7e 08 e8 9 [ 41.852019] RSP: 0018:ffffc900000c8ec0 EFLAGS: 00000046 [ 41.852019] RAX: ffffc900000c8ef0 RBX: ffffc900000c8ef0 RCX: ffffffff8116927d [ 41.852019] RDX: 000000000000038b RSI: 0001ffffffffffff RDI: dead00000000012a [ 41.852019] RBP: ffff8880046cbd20 R08: ffffffff8417ab78 R09: 0000000000000000 [ 41.852019] R10: 0000000000000001 R11: 0000000000000002 R12: ffff88807dc9bf00 [ 41.852019] R13: ffff88807dc9bf40 R14: dead000000000122 R15: ffff8880046cbd28 [ 41.852019] FS: 0000000000000000(0000) GS:ffff88807dc80000(0000) knlGS:0000000000000000 [ 41.852019] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 41.852019] CR2: 00007fa7f0229180 CR3: 0000000003222000 CR4: 00000000000006e0 [ 41.852019] Kernel panic - not syncing: Fatal exception in interrupt [ 41.852019] Shutting down cpus with NMI [ 41.852019] Kernel Offset: disabled [ 41.852019] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- =*=*=*=*=*=*=*=*= Bug Fix =*=*=*=*=*=*=*=*= The patch that have been applied to mainline Linux kernel is shown below. https://github.com/torvalds/linux/commit/4071bf121d59944d5cd2238de0642f3d7995a997 =*=*=*=*=*=*=*=*= Timeline =*=*=*=*=*=*=*=*= 2022-05-05: commit 4071bf121d59 accepted to mainline kernel 2022-06-03: CVE-2022-1975 is assigned =*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*= Duoming Zhou <duoming () zju edu cn> Best Regards, Duoming Zhou
Current thread:
- CVE-2022-1975: Linux kernel: sleep in atomic context bug when nfc firmware download timeout duoming (Jun 05)