Headline
CVE-2022-2978: fix UAF/GPF bug in nilfs_mdt_destroy
A use-after-free flaw was found in the Linux kernel's NILFS file system: when a user triggers a failure of security_inode_alloc() during inode allocation, the error path calls nilfs_mdt_destroy() on an inode whose i_private field was never initialized. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
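The ordering bug described above, as an added user-space model in C. This is not the kernel's code or the patch's code; the model_* and fake_* names are hypothetical stand-ins that keep only the shape of inode_init_always(), security_inode_alloc(), nilfs_free_inode() and nilfs_mdt_destroy(). The "slab" contents are constructed (a fixed byte pattern), and instead of really freeing through the stale pointer the model counts how many times the error path would have done so.

```c
/*
 * Added example, not kernel code: a user-space model of the failure-path
 * ordering bug behind CVE-2022-2978.  An "inode" is recycled memory, an init
 * routine fills it in and may fail part-way, and the filesystem's free hook
 * frees whatever a non-NULL i_private points at.  All names are hypothetical.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct model_inode {
    unsigned long i_ino;
    void *i_private;                         /* NILFS: non-NULL only for metadata-file inodes */
};

static bool g_lsm_fails;                     /* knob: make the LSM hook fail */
static int g_garbage_frees;                  /* frees attempted through a never-initialised pointer */

/* Stand-in for security_inode_alloc(): an LSM hook that can run out of memory. */
static int fake_security_inode_alloc(struct model_inode *inode)
{
    (void)inode;
    return g_lsm_fails ? -ENOMEM : 0;
}

/* Stand-in for nilfs_mdt_destroy().  The real one kfree()s through
 * inode->i_private.  This model never creates a metadata-file inode, so any
 * pointer arriving here is leftover garbage; count it instead of freeing it. */
static void fake_nilfs_mdt_destroy(struct model_inode *inode)
{
    g_garbage_frees++;
    inode->i_private = NULL;
}

/* Stand-in for nilfs_free_inode(): the metadata-file test is i_private != NULL. */
static void fake_nilfs_free_inode(struct model_inode *inode)
{
    if (inode->i_private != NULL)
        fake_nilfs_mdt_destroy(inode);
}

/* Pre-fix shape: the fallible hook runs before i_private is cleared, so on
 * failure the field still holds whatever the slab object contained. */
static int init_before_fix(struct model_inode *inode)
{
    inode->i_ino = 0;
    if (fake_security_inode_alloc(inode))
        return -ENOMEM;                      /* i_private not yet touched */
    inode->i_private = NULL;
    return 0;
}

/* Post-fix shape: every field is initialised first and the fallible hook is
 * the last step before success, so the failure path sees i_private == NULL. */
static int init_after_fix(struct model_inode *inode)
{
    inode->i_ino = 0;
    inode->i_private = NULL;
    if (fake_security_inode_alloc(inode))
        return -ENOMEM;
    return 0;
}

/* Models alloc_inode(): recycle an object, run init, and on failure hand the
 * half-initialised inode to the filesystem's free hook.  Returns the number
 * of garbage frees the error path performed; 0 is the safe outcome. */
static int model_alloc_inode(int (*init)(struct model_inode *), bool lsm_fails)
{
    struct model_inode inode;

    /* Constructed slab contents: a fixed byte pattern standing in for
     * whatever the previous occupant of the object left behind. */
    memset(&inode, 0xA5, sizeof inode);
    g_lsm_fails = lsm_fails;
    g_garbage_frees = 0;

    if (init(&inode)) {
        fake_nilfs_free_inode(&inode);       /* alloc_inode()'s error path */
        return g_garbage_frees;
    }
    return 0;
}

int main(void)
{
    printf("before fix, LSM fails: %d garbage free(s)\n",
           model_alloc_inode(init_before_fix, true));
    printf("after fix,  LSM fails: %d garbage free(s)\n",
           model_alloc_inode(init_after_fix, true));
    return 0;
}
```

The model makes the general rule visible: a destructor that infers ownership from a pointer being non-NULL is only safe if every failure exit of the constructor runs after that pointer has been set, which is exactly why the patch moves the fallible hook to the end rather than sprinkling NULL assignments before it.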
[PATCH v2] fs: fix UAF/GPF bug in nilfs_mdt_destroy
From: Dongliang Mu
Date: 2022-08-16 4:08 UTC
To: Alexander Viro
Cc: Dongliang Mu, butt3rflyh4ck, Hao Sun, Jiacheng Xu, stable, linux-fsdevel, linux-kernel
From: Dongliang Mu [email protected]
In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which leaves inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes (e.g., UAF/GPF).
Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes).
Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com Reported-by: butt3rflyh4ck [email protected] Reported-by: Hao Sun [email protected] Reported-by: Jiacheng Xu [email protected] Signed-off-by: Dongliang Mu [email protected] Cc: Al Viro [email protected] Cc: [email protected]
v1->v2: move security_inode_alloc to the very end, according to Al Viro, rather than initializing i_private before security_inode_alloc.
fs/inode.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/inode.c b/fs/inode.c index 6462276dfdf0…49d1eb91728c 100644 — a/fs/inode.c +++ b/fs/inode.c @@ -192,8 +192,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode) inode->i_wb_frn_history = 0; #endif
- if (security_inode_alloc(inode))
spin_lock_init(&inode->i_lock); lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);goto out;
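Review bot: the hunk header @@ -192,8 +192,6 @@ accounts for two removed lines, but only `- if (security_inode_alloc(inode))` carries a `-` marker; the matching `goto out;` has been run onto the end of the `lockdep_set_class(...)` context line, so the patch as it appears here is whitespace-damaged and would need the raw message to apply with git am. On the logic, removing the early call is only correct because nothing initialised between this point and the new call site needs teardown when the hook fails; the commit message should state that explicitly and name `inode->i_private` (per the description, the field left uninitialised on the old failure path) as now being set before the only remaining `goto out`.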
@@ -228,6 +226,9 @@ int inode_init_always(struct super_block *sb, struct inode *inode) inode->i_fsnotify_mask = 0; #endif inode->i_flctx = NULL;
if (security_inode_alloc(inode))
goto out;
this_cpu_inc(nr_inodes);
return 0; – 2.35.1
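Review bot: with the call moved here `out:` has a single user, so the added `goto out;` could simply be `return -ENOMEM;` and the label dropped, as the reply later in this thread also suggests. Separately, the return value of `security_inode_alloc()` is discarded and the function reports -ENOMEM regardless (the commit message describes the failure as -ENOMEM); propagating the hook's own error would let a non-memory LSM failure surface as what it is. Placing the call directly before `this_cpu_inc(nr_inodes)` does keep the counter untouched on failure, which is the right side of that line to be on.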
Re: [PATCH v2] fs: fix UAF/GPF bug in nilfs_mdt_destroy
From: Christian Brauner
Date: 2022-08-16 10:46 UTC
To: Dongliang Mu
Cc: Alexander Viro, Dongliang Mu, butt3rflyh4ck, Hao Sun, Jiacheng Xu, stable, linux-fsdevel, linux-kernel
On Tue, Aug 16, 2022 at 12:08:58PM +0800, Dongliang Mu wrote:
> From: Dongliang Mu [email protected]
> In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which leaves inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes (e.g., UAF/GPF).
> Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes).
> Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com Reported-by: butt3rflyh4ck [email protected] Reported-by: Hao Sun [email protected] Reported-by: Jiacheng Xu [email protected] Signed-off-by: Dongliang Mu [email protected] Cc: Al Viro [email protected] Cc: [email protected]
Looks good to me,
Reviewed-by: Christian Brauner (Microsoft) [email protected]
Re: [PATCH v2] fs: fix UAF/GPF bug in nilfs_mdt_destroy
From: Eric Sandeen
Date: 2022-08-25 19:45 UTC
To: Dongliang Mu, Alexander Viro
Cc: Dongliang Mu, butt3rflyh4ck, Hao Sun, Jiacheng Xu, stable, linux-fsdevel, linux-kernel
On 8/15/22 11:08 PM, Dongliang Mu wrote:
> From: Dongliang Mu [email protected]
> In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which leaves inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes (e.g., UAF/GPF).
> Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes).
> Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com Reported-by: butt3rflyh4ck [email protected] Reported-by: Hao Sun [email protected] Reported-by: Jiacheng Xu [email protected] Signed-off-by: Dongliang Mu [email protected] Cc: Al Viro [email protected] Cc: [email protected]
> v1->v2: move security_inode_alloc to the very end, according to Al Viro, rather than initializing i_private before security_inode_alloc.
> fs/inode.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/inode.c b/fs/inode.c index 6462276dfdf0…49d1eb91728c 100644 — a/fs/inode.c +++ b/fs/inode.c @@ -192,8 +192,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode) inode->i_wb_frn_history = 0; #endif
- if (security_inode_alloc(inode))
spin_lock_init(&inode->i_lock); lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);goto out;
@@ -228,6 +226,9 @@ int inode_init_always(struct super_block *sb, struct inode *inode) inode->i_fsnotify_mask = 0; #endif inode->i_flctx = NULL;
- if (security_inode_alloc(inode))
goto out;
Seems like the out: label could be removed, and simply return -ENOMEM directly here, but that’s just a nitpick.
-Eric
> this_cpu_inc(nr_inodes);
return 0;
Related news
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
Ubuntu Security Notice 5774-1 - Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the instruction emulator of the Linux kernel on Arm 64-bit systems. A local attacker could use this to cause a denial of service.
Ubuntu Security Notice 5728-3 - Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the memory address space accounting implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 5729-2 - It was discovered that a race condition existed in the instruction emulator of the Linux kernel on Arm 64-bit systems. A local attacker could use this to cause a denial of service. Hsin-Wei Hung discovered that the BPF subsystem in the Linux kernel contained an out-of-bounds read vulnerability in the x86 JIT compiler. A local attacker could possibly use this to cause a denial of service or expose sensitive information.
Ubuntu Security Notice 5728-2 - Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the memory address space accounting implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 5727-2 - It was discovered that a race condition existed in the instruction emulator of the Linux kernel on Arm 64-bit systems. A local attacker could use this to cause a denial of service. It was discovered that the KVM implementation in the Linux kernel did not properly handle virtual CPUs without APICs in certain situations. A local attacker could possibly use this to cause a denial of service.
Ubuntu Security Notice 5729-1 - It was discovered that a race condition existed in the instruction emulator of the Linux kernel on Arm 64-bit systems. A local attacker could use this to cause a denial of service. Hsin-Wei Hung discovered that the BPF subsystem in the Linux kernel contained an out-of-bounds read vulnerability in the x86 JIT compiler. A local attacker could possibly use this to cause a denial of service or expose sensitive information.
Ubuntu Security Notice 5727-1 - It was discovered that a race condition existed in the instruction emulator of the Linux kernel on Arm 64-bit systems. A local attacker could use this to cause a denial of service. It was discovered that the KVM implementation in the Linux kernel did not properly handle virtual CPUs without APICs in certain situations. A local attacker could possibly use this to cause a denial of service.
Ubuntu Security Notice 5728-1 - Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the memory address space accounting implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 5693-1 - David Bouman and Billy Jheng Bing Jhong discovered that a race condition existed in the io_uring subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Duoming Zhou discovered that race conditions existed in the timer handling implementation of the Linux kernel's Rose X.25 protocol layer, resulting in use-after-free vulnerabilities. A local attacker could use this to cause a denial of service.
Ubuntu Security Notice 5650-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.