CVE-2022-4382: security - Re: Linux Kernel: usb: A use-after-free Write in put_dev

A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side.


Date: Wed, 14 Dec 2022 23:22:38 +0800
From: Gerald Lee <sundaywind2004@…il.com>
To: oss-security@…ts.openwall.com
Subject: Re: Linux Kernel: usb: A use-after-free Write in put_dev

This was assigned CVE-2022-4382.

=*=*=*=*=*=*=*=*= CREDIT =*=*=*=*=*=*=*=*=

Zhixin Li from Zero-one Security <sundaywind2004@…il.com>

Thanks.

On Tue, Dec 13, 2022 at 2:53 PM Gerald Lee <sundaywind2004@…il.com> wrote:

Hi all,

=*=*=*=*=*=*=*=*= BUG DETAILS =*=*=*=*=*=*=*=*=

This use-after-free violation is caused by a race among the superblock operations in the gadgetfs driver. The vulnerability may not be a big deal, because the normal user can’t execute umount. It could be triggered by yanking out a device that is running the gadgetfs side, but I don’t know how to do that.

C repro is attached.

=*=*=*=*=*=*=*=*= BACKTRACE =*=*=*=*=*=*=*=*=

BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in put_dev+0x22/0xd0 drivers/usb/gadget/legacy/inode.c:159
Write of size 4 at addr ffff8880436d2040 by task syz-executor.5/7587

CPU: 1 PID: 7587 Comm: syz-executor.5 Not tainted 6.1.0-rc7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x45d mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x141/0x190 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
 atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
 __refcount_sub_and_test include/linux/refcount.h:272 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 put_dev+0x22/0xd0 drivers/usb/gadget/legacy/inode.c:159
 gadgetfs_kill_sb+0x2e/0x60 drivers/usb/gadget/legacy/inode.c:2086
 deactivate_locked_super+0x98/0x160 fs/super.c:332
 vfs_get_super fs/super.c:1190 [inline]
 get_tree_single+0x188/0x1d0 fs/super.c:1207
 vfs_get_tree+0x8d/0x2f0 fs/super.c:1531
 vfs_fsconfig_locked fs/fsopen.c:232 [inline]
 __do_sys_fsconfig+0x8d6/0xc20 fs/fsopen.c:439
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8d5129078d
Code: c3 e8 17 32 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8d52024bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
RAX: ffffffffffffffda RBX: 00007f8d513cbf80 RCX: 00007f8d5129078d
RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
RBP: 00007f8d512feb02 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd48293eff R14: 00007ffd48294090 R15: 00007f8d52024d80
 </TASK>

Allocated by task 7561:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:371 [inline]
 ____kasan_kmalloc mm/kasan/common.c:330 [inline]
 __kasan_kmalloc+0xa5/0xb0 mm/kasan/common.c:380
 kmalloc include/linux/slab.h:553 [inline]
 kzalloc include/linux/slab.h:689 [inline]
 dev_new drivers/usb/gadget/legacy/inode.c:170 [inline]
 gadgetfs_fill_super+0x1e4/0x460 drivers/usb/gadget/legacy/inode.c:2041
 vfs_get_super fs/super.c:1169 [inline]
 get_tree_single+0xd6/0x1d0 fs/super.c:1207
 vfs_get_tree+0x8d/0x2f0 fs/super.c:1531
 vfs_fsconfig_locked fs/fsopen.c:232 [inline]
 __do_sys_fsconfig+0x8d6/0xc20 fs/fsopen.c:439
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Last potentially related work creation:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
 call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
 pwq_unbound_release_workfn+0x26b/0x340 kernel/workqueue.c:3736
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x669/0x1090 kernel/workqueue.c:2436
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Second to last potentially related work creation:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
 call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
 pwq_unbound_release_workfn+0x26b/0x340 kernel/workqueue.c:3736
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x669/0x1090 kernel/workqueue.c:2436
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff8880436d2000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 64 bytes inside of
 1024-byte region [ffff8880436d2000, ffff8880436d2400)

The buggy address belongs to the physical page:
page:ffffea00010db400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x436d0
head:ffffea00010db400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000010200 dead000000000100 dead000000000122 ffff888012041dc0
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 6599, tgid 6599 (syz-executor.0), ts 29294571719, free_ts 29285126043
 prep_new_page mm/page_alloc.c:2539 [inline]
 get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4291
 __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5558
 alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285
 alloc_slab_page mm/slub.c:1794 [inline]
 allocate_slab+0x213/0x300 mm/slub.c:1939
 new_slab mm/slub.c:1992 [inline]
 ___slab_alloc+0xa9b/0x13e0 mm/slub.c:3180
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
 slab_alloc_node mm/slub.c:3364 [inline]
 __kmem_cache_alloc_node+0x199/0x3e0 mm/slub.c:3437
 kmalloc_trace+0x26/0x60 mm/slab_common.c:1045
 kmalloc include/linux/slab.h:553 [inline]
 kzalloc include/linux/slab.h:689 [inline]
 batadv_hardif_add_interface net/batman-adv/hard-interface.c:864 [inline]
 batadv_hard_if_event+0x8a1/0x1450 net/batman-adv/hard-interface.c:952
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 register_netdevice+0x10bf/0x1670 net/core/dev.c:10090
 veth_newlink+0x4d1/0x990 drivers/net/veth.c:1795
 rtnl_newlink_create net/core/rtnetlink.c:3364 [inline]
 __rtnl_newlink+0x1084/0x17e0 net/core/rtnetlink.c:3581
 rtnl_newlink+0x68/0xa0 net/core/rtnetlink.c:3594
 rtnetlink_rcv_msg+0x43e/0xca0 net/core/rtnetlink.c:6091
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1459 [inline]
 free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509
 free_unref_page_prepare mm/page_alloc.c:3387 [inline]
 free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x184/0x210 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x66/0x90 mm/kasan/common.c:302
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3398 [inline]
 __kmem_cache_alloc_node+0x2e2/0x3e0 mm/slub.c:3437
 kmalloc_trace+0x26/0x60 mm/slab_common.c:1045
 kmalloc include/linux/slab.h:553 [inline]
 kzalloc include/linux/slab.h:689 [inline]
 kset_create lib/kobject.c:937 [inline]
 kset_create_and_add+0x4f/0x1a0 lib/kobject.c:980
 register_queue_kobjects net/core/net-sysfs.c:1766 [inline]
 netdev_register_kobject+0x1ca/0x400 net/core/net-sysfs.c:2019
 register_netdevice+0xd99/0x1670 net/core/dev.c:10057
 __ip_tunnel_create+0x398/0x570 net/ipv4/ip_tunnel.c:267
 ip_tunnel_init_net+0x2ec/0x9f0 net/ipv4/ip_tunnel.c:1073
 ops_init+0xb9/0x680 net/core/net_namespace.c:135
 setup_net+0x5d1/0xc50 net/core/net_namespace.c:332
 copy_net_ns+0x31c/0x760 net/core/net_namespace.c:478
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110

Memory state around the buggy address:
 ffff8880436d1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880436d1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880436d2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8880436d2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880436d2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

=*=*=*=*=*=*=*=*= PATCH =*=*=*=*=*=*=*=*=

The patch has been done by Alan Stern, and it can be found here: https://lore.kernel.org/linux-usb/[email protected]/

Thanks.
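The KASAN report above shows the freed object being written in put_dev() from gadgetfs_kill_sb(), reached from a failed mount (get_tree_single -> deactivate_locked_super), while the object had been allocated by gadgetfs_fill_super() of another mount. The following user-space model, added here for illustration and not taken from the kernel or from the referenced patch, reproduces that failure mode deterministically: a global singleton (the_device, as in gadgetfs) is read, put and cleared by two teardown paths with nothing serialising them, so the second path puts a reference it no longer owns. The hardened variant wraps the check-put-clear sequence in a mutex; the name sb_mutex and the exact shape of the fix are assumptions of this model, and the upstream patch at the link above should be consulted for the real change. The scheduler, the freed flag standing in for kfree() and the step-wise kill_sb are constructed for the model.

```c
/*
 * Model of the gadgetfs singleton teardown race behind CVE-2022-4382.
 * Illustrative code written for this page; it is not the kernel's code
 * and not the upstream patch. A single global 'the_device' is shared by
 * every superblock. Two teardown paths that each read it, put it and
 * clear it without serialisation can put it twice; the second put then
 * writes into freed memory, which is what KASAN reported in put_dev().
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct dev_data {
    int refcount;
    bool freed;    /* set instead of calling free() so a stale write can be counted */
};

static struct dev_data *the_device;   /* gadgetfs-style singleton (assumed name) */
static bool sb_mutex_held;            /* models 'sb_mutex' in a single-threaded scheduler */
static int uaf_writes;                /* number of puts that touched a freed object */

static struct dev_data *dev_new(void)
{
    struct dev_data *dev = calloc(1, sizeof(*dev));
    if (!dev)
        abort();
    dev->refcount = 1;
    return dev;
}

/* Like put_dev(): drop one reference, release the object when it reaches zero. */
static void put_dev(struct dev_data *dev)
{
    if (dev->freed) {      /* the refcount decrement is the 4-byte write KASAN flagged */
        uaf_writes++;
        return;
    }
    if (--dev->refcount == 0)
        dev->freed = true; /* the kernel would kfree() here */
}

/* One kill_sb path split into two steps so a scheduler can interleave two of them. */
struct kill_sb_task {
    int step;              /* 0: not started, 1: has read the_device, 2: finished */
    struct dev_data *dev;  /* local copy of the_device taken in step 0 */
};

/* Vulnerable variant: check (read the global) and act (put, clear) are separate,
 * unserialised steps, so another path can free the object in between. */
static void vuln_kill_sb_step(struct kill_sb_task *t)
{
    if (t->step == 0) {
        t->dev = the_device;
        t->step = 1;
    } else if (t->step == 1) {
        if (t->dev) {
            put_dev(t->dev);
            the_device = NULL;
        }
        t->step = 2;
    }
}

/* Hardened variant: the whole check-put-clear sequence runs under the mutex,
 * so the second path observes NULL and does not put anything. */
static void fixed_kill_sb_step(struct kill_sb_task *t)
{
    if (t->step == 0) {
        if (sb_mutex_held)   /* would block in the kernel; here it retries next tick */
            return;
        sb_mutex_held = true;
        t->dev = the_device;
        t->step = 1;
    } else if (t->step == 1) {
        if (t->dev) {
            put_dev(t->dev);
            the_device = NULL;
        }
        sb_mutex_held = false;
        t->step = 2;
    }
}

/* Drive two teardown paths with the interleaving KASAN caught (A reads, B reads,
 * A puts and frees, B puts the freed object). Returns the number of UAF writes. */
static int run_race(void (*kill_sb_step)(struct kill_sb_task *))
{
    struct kill_sb_task a = {0}, b = {0};
    struct dev_data *dev = dev_new();

    the_device = dev;
    uaf_writes = 0;
    sb_mutex_held = false;

    while (a.step < 2 || b.step < 2) {   /* round-robin scheduler */
        if (a.step < 2)
            kill_sb_step(&a);
        if (b.step < 2)
            kill_sb_step(&b);
    }
    free(dev);   /* the model only flagged it; release it for real now */
    return uaf_writes;
}

int main(void)
{
    printf("unserialised teardown:  %d use-after-free write(s)\n", run_race(vuln_kill_sb_step));
    printf("teardown under sb_mutex: %d use-after-free write(s)\n", run_race(fixed_kill_sb_step));
    return 0;
}
```

The point the model isolates is that a refcounted singleton reachable through a bare global pointer must have its check, put and clear performed as one critical section; a plain NULL check before put_dev() is not enough when another superblock operation can reach the same global concurrently.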


Related news

Ubuntu Security Notice USN-6151-1

Ubuntu Security Notice 6151-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

Ubuntu Security Notice USN-6032-1

Ubuntu Security Notice 6032-1 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service. Gerald Lee discovered that the USB Gadget file system implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-6031-1

Ubuntu Security Notice 6031-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the Integrity Measurement Architecture implementation in the Linux kernel did not properly enforce policy in certain conditions. A privileged attacker could use this to bypass Kernel lockdown restrictions.

Ubuntu Security Notice USN-6020-1

Ubuntu Security Notice 6020-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

Ubuntu Security Notice USN-5985-1

Ubuntu Security Notice 5985-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

Ubuntu Security Notice USN-5987-1

Ubuntu Security Notice 5987-1 - It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. It was discovered that a use-after-free vulnerability existed in the SGI GRU driver in the Linux kernel. A local attacker could possibly use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5982-1

Ubuntu Security Notice 5982-1 - It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. It was discovered that a use-after-free vulnerability existed in the SGI GRU driver in the Linux kernel. A local attacker could possibly use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5980-1

Ubuntu Security Notice 5980-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

Ubuntu Security Notice USN-5979-1

Ubuntu Security Notice 5979-1 - It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. It was discovered that a race condition existed in the Xen network backend driver in the Linux kernel when handling dropped packets in certain circumstances. An attacker could use this to cause a denial of service.

Ubuntu Security Notice USN-5978-1

Ubuntu Security Notice 5978-1 - It was discovered that the network queuing discipline implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

Ubuntu Security Notice USN-5970-1

Ubuntu Security Notice 5970-1 - It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. It was discovered that a race condition existed in the Xen network backend driver in the Linux kernel when handling dropped packets in certain circumstances. An attacker could use this to cause a denial of service.
