CVE-2022-4379: oss-sec: CVE-2022-4379: Linux kernel: use-after-free in __nfs42_ssc_open

A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. This flaw allows an attacker to conduct a remote denial


oss-sec mailing list archives

From: Xingyuan Mo <hdthky0 () gmail com>
Date: Wed, 14 Dec 2022 16:31:25 +0800

Hello,

We found a use-after-free vulnerability in __nfs42_ssc_open() in the NFS subsystem of Linux through v6.1, which allows an attacker to trigger a remote denial of service.

=*=*=*=*=*=*=*=*= Bug Details =*=*=*=*=*=*=*=*=

The use-after-free violation is caused by dereferencing a vfsmount which is freed but still remains on the delayed unmount list. The reason the vfsmount is freed is that nfs42_ssc_open returns an error when called in nfsd4_do_async_copy. During my testing, this bug can be triggered by two consecutive inter-server-side copies, if the first one encounters some kind of error.

=*=*=*=*=*=*=*=*= Backtrace =*=*=*=*=*=*=*=*=

[ 150.198088 ] ==================================================================
[ 150.199766 ] BUG: KASAN: use-after-free in __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[ 150.201108 ] Read of size 8 at addr ffff888008bbc4a8 by task copy thread/375
[ 150.203035 ]
[ 150.203392 ] CPU: 4 PID: 375 Comm: copy thread Not tainted 6.1.0-rc8 #20
[ 150.204790 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/04
[ 150.206709 ] Call Trace:
[ 150.207271 ] <TASK>
[ 150.207740 ] dump_stack_lvl (lib/dump_stack.c:107)
[ 150.208562 ] print_report (mm/kasan/report.c:285 mm/kasan/report.c:395)
[ 150.209385 ] ? __virt_addr_valid (./include/linux/mmzone.h:1759 ./include/linux/mmzone.h:1855 arch/x86/mm/physaddr.c:65)
[ 150.210296 ] ? __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[ 150.211184 ] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
[ 150.211967 ] ? __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[ 150.212742 ] __nfs42_ssc_open (fs/nfs/nfs4file.c:332)
[ 150.213343 ] ? _raw_read_lock_bh (kernel/locking/spinlock.c:161)
[ 150.213935 ] nfsd4_do_async_copy (./include/linux/nfs_ssc.h:47 fs/nfsd/nfs4proc.c:1764)
[ 150.214520 ] ? preempt_count_sub (kernel/sched/core.c:5697)
[ 150.215133 ] ? __kthread_parkme (kernel/kthread.c:283)
[ 150.215769 ] ? nfsd4_read (fs/nfsd/nfs4proc.c:1757)
[ 150.216349 ] kthread (kernel/kthread.c:376)
[ 150.216873 ] ? kthread_complete_and_exit (kernel/kthread.c:331)
[ 150.217630 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[ 150.218206 ] </TASK>
[ 150.218551 ]
[ 150.218803 ] Allocated by task 350:
[ 150.219348 ] kasan_save_stack (mm/kasan/common.c:46)
[ 150.219938 ] kasan_set_track (mm/kasan/common.c:52)
[ 150.220522 ] __kasan_slab_alloc (mm/kasan/common.c:328)
[ 150.221148 ] kmem_cache_alloc (./include/linux/kasan.h:201 mm/slab.h:737 mm/slub.c:3398 mm/slub.c:3406 mm/slub.c:3413 mm/slub.c:3422)
[ 150.221786 ] alloc_vfsmnt (./include/linux/slab.h:679 fs/namespace.c:198)
[ 150.222348 ] vfs_create_mount (fs/namespace.c:1017)
[ 150.222919 ] vfs_kern_mount.part.48 (fs/namespace.c:1073)
[ 150.223376 ] nfsd4_interssc_connect.isra.24 (fs/nfsd/nfs4proc.c:1443)
[ 150.223915 ] nfsd4_copy (fs/nfsd/nfs4proc.c:1499 fs/nfsd/nfs4proc.c:1805)
[ 150.224249 ] nfsd4_proc_compound (fs/nfsd/nfs4proc.c:2710)
[ 150.224647 ] nfsd_dispatch (fs/nfsd/nfssvc.c:1056)
[ 150.225000 ] svc_process_common (net/sunrpc/svc.c:1339)
[ 150.225403 ] svc_process (net/sunrpc/svc.c:1463)
[ 150.225735 ] nfsd (fs/nfsd/nfssvc.c:979)
[ 150.226022 ] kthread (kernel/kthread.c:376)
[ 150.226330 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[ 150.226662 ]
[ 150.226810 ] Freed by task 0:
[ 150.227072 ] kasan_save_stack (mm/kasan/common.c:46)
[ 150.227417 ] kasan_set_track (mm/kasan/common.c:52)
[ 150.227765 ] kasan_save_free_info (mm/kasan/generic.c:513)
[ 150.228134 ] __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
[ 150.228497 ] kmem_cache_free (mm/slub.c:1750 mm/slub.c:3661 mm/slub.c:3683)
[ 150.228842 ] rcu_core (./arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2257 kernel/rcu/tree.c:2510)
[ 150.229144 ] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
[ 150.229483 ]
[ 150.229636 ] Last potentially related work creation:
[ 150.230102 ] kasan_save_stack (mm/kasan/common.c:46)
[ 150.230470 ] __kasan_record_aux_stack (mm/kasan/generic.c:481)
[ 150.230901 ] call_rcu (./arch/x86/include/asm/irqflags.h:29 (discriminator 3) ./arch/x86/include/asm/irqflags.h:70 (discriminator 3) ./arch/x86/include/asm/irqflags.h:106 (discriminator 3) kernel/rcu/tree.c:2799 (discriminator 3))
[ 150.231214 ] mntput_no_expire (fs/namespace.c:1272)
[ 150.231586 ] nfsd4_do_async_copy (./include/linux/slab.h:553 ./include/linux/slab.h:689 fs/nfsd/nfs4proc.c:1734 fs/nfsd/nfs4proc.c:1787)
[ 150.231980 ] kthread (kernel/kthread.c:376)
[ 150.232295 ] ret_from_fork (arch/x86/entry/entry_64.S:312)
[ 150.232637 ]
[ 150.232792 ] The buggy address belongs to the object at ffff888008bbc480
[ 150.232792 ] which belongs to the cache mnt_cache of size 320
[ 150.233849 ] The buggy address is located 40 bytes inside of
[ 150.233849 ] 320-byte region [ffff888008bbc480, ffff888008bbc5c0)
[ 150.234828 ]
[ 150.234970 ] The buggy address belongs to the physical page:
[ 150.235442 ] page:00000000711edc3f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfnc
[ 150.236154 ] head:00000000711edc3f order:1 compound_mapcount:0 compound_pincount:0
[ 150.236724 ] flags: 0x100000000010200(slab|head|node=0|zone=1)
[ 150.237193 ] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888004946dc0
[ 150.237784 ] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[ 150.238367 ] page dumped because: kasan: bad access detected
[ 150.238804 ]
[ 150.238934 ] Memory state around the buggy address:
[ 150.239304 ] ffff888008bbc380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 150.239868 ] ffff888008bbc400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 150.240420 ] >ffff888008bbc480: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 150.240967 ] ^
[ 150.241333 ] ffff888008bbc500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 150.241885 ] ffff888008bbc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 150.242431 ] ==================================================================

=*=*=*=*=*=*=*=*= Patch =*=*=*=*=*=*=*=*=

The patch has been done by Dai Ngo, and it can be found here: https://lore.kernel.org/all/1670885411-10060-1-git-send-email-dai.ngo () oracle com/

=*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*=

Xingyuan Mo and Gengjia Chen of IceSword Lab, Qihoo 360 Technology Co. Ltd.

Best Regards, Xingyuan Mo
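A toy model in C of the ownership mistake the report describes, added here as an illustration that is not the kernel's code and not the linked patch: a reference-counted mount is parked on a delayed-unmount cache so a later copy can reuse it, and the buggy open error path drops that reference even though the cache still holds the pointer, so the second copy reads a freed object. The call sequence, the names `interssc_connect`, `ssc_open_buggy`, `ssc_open_fixed` and `run_two_copies`, and the 42 and poison values are constructed; a poisoned field stands in for the slab free that KASAN reported above.

```c
/* Constructed model of the bug class behind CVE-2022-4379, not kernel code.
 * A delayed-unmount cache owns one reference to a parked mount; an open()
 * helper that puts that reference on its error path leaves a dangling
 * pointer in the cache, which the next copy dereferences. */
#include <stdbool.h>
#include <stddef.h>

#define POISON_ID 0x6b6b   /* stands in for slab poison in a freed object */

struct mnt {
    int refcount;
    int server_id;         /* which source server this mount reaches */
};

/* Delayed-unmount cache: holds one parked mount and one reference to it. */
struct umount_cache { struct mnt *parked; };

/* Drop a reference; at zero the object is "freed" and its data poisoned. */
static void mnt_put(struct mnt *m)
{
    if (--m->refcount == 0)
        m->server_id = POISON_ID;    /* any later read sees garbage */
}

/* Reuse the parked mount if there is one, else park the fresh mount.
 * The cache, not the caller of open(), owns the reference it parks. */
static struct mnt *interssc_connect(struct umount_cache *c, struct mnt *fresh)
{
    if (!c->parked)
        c->parked = fresh;
    return c->parked;
}

/* Buggy open: on error it puts a reference that belongs to the cache. */
static int ssc_open_buggy(struct mnt *m, bool fail)
{
    if (fail) { mnt_put(m); return -1; }
    return m->server_id;             /* the read KASAN flags once m is freed */
}

/* Fixed discipline: report the error and leave the owner's reference alone. */
static int ssc_open_fixed(struct mnt *m, bool fail)
{
    if (fail) return -1;
    return m->server_id;
}

/* Two consecutive copies to the same server, the first of which fails.
 * Returns what the second copy reads: 42 when safe, POISON_ID on a UAF. */
static int run_two_copies(int (*ssc_open)(struct mnt *, bool))
{
    struct mnt m = { .refcount = 1, .server_id = 42 };
    struct umount_cache cache = { .parked = NULL };

    ssc_open(interssc_connect(&cache, &m), true);        /* copy 1: error path */
    return ssc_open(interssc_connect(&cache, &m), false); /* copy 2 reuses it */
}
```

In a real kernel the freed slab object is only visible through KASAN, which is why the report above carries the allocation and free stacks rather than a crash alone.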


Related news

RHSA-2023:1435: Red Hat Security Advisory: kpatch-patch security update

An update for kpatch-patch is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3564: A use-after-free flaw was found in the Linux kernel’s L2CAP bluetooth functionality in how a user triggers a race condition by two malicious flows in the L2CAP bluetooth packets. This flaw allows a local or bluetooth connection user to crash the system or potentially escalate privileges. * CVE-2022-4378: A stack ove...

Ubuntu Security Notice USN-5950-1

Ubuntu Security Notice 5950-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Red Hat Security Advisory 2023-1202-01

Red Hat Security Advisory 2023-1202-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include denial of service, integer overflow, and use-after-free vulnerabilities.

Red Hat Security Advisory 2023-1203-01

Red Hat Security Advisory 2023-1203-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include denial of service, integer overflow, and use-after-free vulnerabilities.

RHSA-2023:1202: Red Hat Security Advisory: kernel security, bug fix, and enhancement update

An update for kernel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3564: A use-after-free flaw was found in the Linux kernel’s L2CAP bluetooth functionality in how a user triggers a race condition by two malicious flows in the L2CAP bluetooth packets. This flaw allows a local or bluetooth connection user to crash the system or potentially escalate privileges. * CVE-2022-4269: A flaw was found ...

RHSA-2023:1203: Red Hat Security Advisory: kernel-rt security and bug fix update

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3564: A use-after-free flaw was found in the Linux kernel’s L2CAP bluetooth functionality in how a user triggers a race condition by two malicious flows in the L2CAP bluetooth packets. This flaw allows a local or bluetooth connection user to crash the system or potentially escalate privileges. * CVE-2022-4269: A flaw was fou...

Ubuntu Security Notice USN-5941-1

Ubuntu Security Notice 5941-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5938-1

Ubuntu Security Notice 5938-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5935-1

Ubuntu Security Notice 5935-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5929-1

Ubuntu Security Notice 5929-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5913-1

Ubuntu Security Notice 5913-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Lee Jones discovered that a use-after-free vulnerability existed in the Bluetooth implementation in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5911-1

Ubuntu Security Notice 5911-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5912-1

Ubuntu Security Notice 5912-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5915-1

Ubuntu Security Notice 5915-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Davide Ornaghi discovered that the netfilter subsystem in the Linux kernel did not properly handle VLAN headers in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5914-1

Ubuntu Security Notice 5914-1 - It was discovered that the Upper Level Protocol subsystem in the Linux kernel did not properly handle sockets entering the LISTEN state in certain protocols, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the NFSD implementation in the Linux kernel did not properly handle some RPC messages, leading to a buffer overflow. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code.

Red Hat Security Advisory 2023-1008-01

Red Hat Security Advisory 2023-1008-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include denial of service, integer overflow, and use-after-free vulnerabilities.

RHSA-2023:1008: Red Hat Security Advisory: kpatch-patch security update

An update for kpatch-patch is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3564: A use-after-free flaw was found in the Linux kernel’s L2CAP bluetooth functionality in how a user triggers a race condition by two malicious flows in the L2CAP bluetooth packets. This flaw allows a local or bluetooth connection user to crash the system or potentially escalate privileges. * CVE-2022-4378: A stack overflow flaw was found in th...

RHSA-2023:0979: Red Hat Security Advisory: kernel-rt security and bug fix update

An update for kernel-rt is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2873: An out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system. * CVE-2022-3564: A use-after-free flaw was found in the Linux kernel’s L2CAP blue...

RHSA-2023:0951: Red Hat Security Advisory: kernel security and bug fix update

An update for kernel is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2873: An out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system. * CVE-2022-3564: A use-after-free flaw was found in the Linux kernel’s L2CAP bluetoo...
