oss-sec mailing list archives

Linux kernel: A concurrency use-after-free in bad_flp_intr for latest kernel version


From: Minh Yuan <yuanmingbuaa () gmail com>
Date: Tue, 10 May 2022 14:59:15 +0800

Hi everyone,

My fuzzer discovered another concurrency UAF between reset_interrupt and
floppy_end_request in the latest kernel version (5.17.5 for now).

The root cause is that after deallocating current_req in floppy_end_request,
reset_interrupt still holds the freed current_req->error_count and accesses
it concurrently.

Here is the KASAN report:

BUG: KASAN: use-after-free in bad_flp_intr+0x332/0x460

Call Trace:
 __dump_stack
 dump_stack+0x1e9/0x30e
 print_address_description+0x6a/0x310
 kasan_report_error
 kasan_report+0x1bf/0x290
 bad_flp_intr+0x332/0x460
 reset_interrupt+0x16e/0x1b0
 process_one_work+0xc61/0x1530
 worker_thread+0xa7f/0x1440
 kthread+0x346/0x370
 ret_from_fork+0x24/0x30

Allocated by task 12590:
 kmem_cache_alloc_node+0x200/0x390
 alloc_request_simple+0x42/0x70
 mempool_alloc+0x166/0x6b0
 __get_request+0x92c/0x1c50
 get_request+0x756/0x10e0
 blk_queue_bio+0x523/0x12d0
audit: type=1804 audit(1651287706.088:1517): pid=13750 uid=0 auid=0 ses=6
subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.2"
name=2F73797A6B616C6C65722D746573746469723539363038303737352F73797A6B616C6C65722E6C56656931332F313737362F48C7C060
dev="sda" ino=136083 res=1
 generic_make_request+0x561/0xe20
 submit_bio+0x259/0x560
audit: type=1800 audit(1651287706.088:1518): pid=13752 uid=0 auid=0 ses=6
subj==unconfined op=collect_data cause=failed(directio)
comm="syz-executor.2" name=48C7C060 dev="sda" ino=136083 res=0
 __floppy_read_block_0
 floppy_revalidate+0xa70/0xd90
 check_disk_change+0x11e/0x1a0
 floppy_open+0x54d/0x890
 __blkdev_get+0x3ce/0x1ab0
 blkdev_get+0x986/0xb20
 do_dentry_open+0x91d/0x10a0
 do_last
 path_openat+0x298d/0x6de0
 do_filp_open+0x24a/0x4c0
 do_sys_open+0x361/0x5d0
 do_syscall_64+0x111/0x710
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2856:
 __cache_free
 kmem_cache_free+0xc8/0x260
 blk_free_request
 __blk_put_request+0x4d8/0xcd0
 __blk_end_bidi_request+0x1d4/0x260
 floppy_end_request
 request_done+0x701/0x950
 floppy_shutdown+0x14a/0x2b0
 process_one_work+0xc61/0x1530
 worker_thread+0xa7f/0x1440
 kthread+0x346/0x370
 ret_from_fork+0x24/0x30
Timeline:
* 04.30.22 - Vulnerability reported to security () kernel org.
* 05.01.22 - Vulnerability reported to linux-distros () vs openwall org.
* 05.10.22 - Vulnerability opened.
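The race in the report is an ownership problem: the completion path frees the request while another context still reaches it through the shared current_req pointer. The following user-space model is an added illustration, not code from this post or from the kernel, and it does not claim to be the upstream fix. It replays the interleaving from the KASAN report (free, then a late reset_interrupt) against an unguarded completion path and against one that clears the shared pointer under a lock before freeing, with the reader checking the pointer under the same lock. All names (end_request_guarded, bad_flp_intr_guarded, the lock helpers) are hypothetical.

```c
/* Added illustration (not kernel code): the concurrency UAF pattern from the
 * report, modelled in user space, beside one defensive pattern for it.
 *
 * Model: a single "request" is shared between a completion path
 * (end_request) and an interrupt/work path (reset_interrupt -> bad_flp_intr).
 * The bug pattern: the completion path frees the request but leaves the
 * shared pointer dangling, so a later bad_flp_intr reads freed memory.
 * The guarded variant nulls the pointer under a lock before freeing and the
 * reader checks it under that lock. All names here are hypothetical. */
#include <stdlib.h>
#include <stdio.h>

struct request {
    int error_count;   /* the field the report says is read after the free */
    int sector;
};

/* Shared state, mirroring the driver's global current_req. */
static struct request *current_req;

/* Minimal lock model: enough to make the ownership rule explicit in a
 * single-threaded replay. A real driver would use a spinlock here. */
static int lock_held;
static int lock_acquisitions;
static void lock(void)   { lock_held = 1; lock_acquisitions++; }
static void unlock(void) { lock_held = 0; }
int lock_count(void)     { return lock_acquisitions; }

/* Bug pattern: free the request without clearing the shared pointer.
 * After this returns, current_req still points at freed memory. */
static void end_request_unguarded(void)
{
    struct request *req = current_req;
    free(req);
    /* current_req is now dangling */
}

/* Defensive pattern: give up ownership (null the pointer) while holding the
 * lock, then free. Any reader that takes the lock afterwards sees NULL. */
static void end_request_guarded(void)
{
    lock();
    struct request *req = current_req;
    current_req = NULL;   /* readers can no longer reach the request */
    unlock();
    free(req);
}

/* Reader: stores the bumped error count in *out and returns 1, or returns 0
 * when there is no live request. It takes the lock, so it cannot observe a
 * half-completed request. */
int bad_flp_intr_guarded(int *out)
{
    int ok = 0;
    lock();
    if (current_req) {
        current_req->error_count++;
        *out = current_req->error_count;
        ok = 1;
    }
    unlock();
    return ok;
}

/* Replays the interleaving from the report on the guarded code: the request
 * completes, then the late interrupt path runs. Returns 1 if the reader
 * correctly declined, 0 if it touched a request. */
int replay_race_guarded(void)
{
    current_req = calloc(1, sizeof *current_req);
    current_req->error_count = 2;          /* constructed sample state */
    end_request_guarded();                 /* completion path frees it */
    int count = -1;
    int touched = bad_flp_intr_guarded(&count);   /* late reader */
    return touched == 0 && count == -1;
}

/* Returns 1 if the unguarded completion path leaves the global pointer
 * non-NULL after the free. The pointer is only tested, never dereferenced. */
int unguarded_leaves_dangling(void)
{
    current_req = calloc(1, sizeof *current_req);
    end_request_unguarded();
    int dangling = (current_req != NULL);
    current_req = NULL;                    /* tidy up for later calls */
    return dangling;
}

/* Normal path: the reader sees a live request and bumps its error count. */
int reader_sees_live_request(void)
{
    current_req = calloc(1, sizeof *current_req);
    current_req->error_count = 4;          /* constructed sample state */
    int count = 0;
    int ok = bad_flp_intr_guarded(&count);
    end_request_guarded();
    return ok && count == 5;
}

int main(void)
{
    printf("unguarded leaves dangling pointer: %d\n", unguarded_leaves_dangling());
    printf("guarded reader declines after free: %d\n", replay_race_guarded());
    printf("guarded reader on live request:     %d\n", reader_sees_live_request());
    return 0;
}
```

The point of the guarded variant is that the pointer and the object's lifetime change hands under the same lock: whoever frees the request first makes it unreachable, so a reader that arrives later finds NULL instead of a freed object. Under KASAN the unguarded variant is exactly the shape that produces the "Freed by" / "use-after-free" pair shown in the report.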