Headline
CVE-2023-3268: fix out-of-bounds access in relay_file_read
An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.
* [PATCH] relayfs: fix out-of-bounds access in relay_file_read @ 2023-04-19 4:02 zhangzhengming 2023-04-19 21:03 ` Andrew Morton 0 siblings, 1 reply; 4+ messages in thread From: zhangzhengming @ 2023-04-19 4:02 UTC (permalink / raw) To: akpm, surenb, wuchi.zero, Ilia.Gavrilov, xu.panda, colin.i.king Cc: linux-kernel, zhou.kete, Zhang Zhengming
From: Zhang Zhengming [email protected]
There is a crash in relay_file_read, as the var from point to the end of last subbuf. The oops looks something like: pc : __arch_copy_to_user+0x180/0x310 lr : relay_file_read+0x20c/0x2c8 Call trace: __arch_copy_to_user+0x180/0x310 full_proxy_read+0x68/0x98 vfs_read+0xb0/0x1d0 ksys_read+0x6c/0xf0 __arm64_sys_read+0x20/0x28 el0_svc_common.constprop.3+0x84/0x108 do_el0_svc+0x74/0x90 el0_svc+0x1c/0x28 el0_sync_handler+0x88/0xb0 el0_sync+0x148/0x180
We get the condition by analyzing the vmcore:
1). The last produced byte and last consumed byte
both at the end of the last subbuf
2). A softirq who will call function(e.g __blk_add_trace)
to write relay buffer occurs when an program calling
function relay_file_read_avail.
relay_file_read
relay_file_read_avail
relay_file_read_consume(buf, 0, 0);
//interrupted by softirq who will write subbuf
…
return 1;
//read_start point to the end of the last subbuf
read_start = relay_file_read_start_pos
//avail is equal to subsize
avail = relay_file_read_subbuf_avail
//from points to an invalid memory address
from = buf->start + read_start
//system is crashed
copy_to_user(buffer, from, avail)
Signed-off-by: Zhang Zhengming [email protected] Reviewed-by: Zhao Lei <[email protected]> Reviewed-by: Zhou Kete [email protected]
kernel/relay.c | 3 +± 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/relay.c b/kernel/relay.c index 9aa70ae…a80fa01 100644 — a/kernel/relay.c +++ b/kernel/relay.c @@ -989,7 +989,8 @@ static size_t relay_file_read_start_pos(struct rchan_buf *buf) size_t subbuf_size = buf->chan->subbuf_size; size_t n_subbufs = buf->chan->n_subbufs; size_t consumed = buf->subbufs_consumed % n_subbufs; - size_t read_pos = consumed * subbuf_size + buf->bytes_consumed;
size_t read_pos = (consumed * subbuf_size + buf->bytes_consumed)
% (n\_subbufs \* subbuf\_size);
read_subbuf = read_pos / subbuf_size; padding = buf->padding[read_subbuf]; – 2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] relayfs: fix out-of-bounds access in relay_file_read 2023-04-19 4:02 [PATCH] relayfs: fix out-of-bounds access in relay_file_read zhangzhengming @ 2023-04-19 21:03 ` Andrew Morton 2023-04-19 21:07 ` Jens Axboe 2023-04-23 8:28 ` Pengcheng Yang 0 siblings, 2 replies; 4+ messages in thread From: Andrew Morton @ 2023-04-19 21:03 UTC (permalink / raw) To: zhangzhengming Cc: surenb, wuchi.zero, Ilia.Gavrilov, xu.panda, colin.i.king, linux-kernel, zhou.kete, Pengcheng Yang, Jens Axboe
On Wed, 19 Apr 2023 12:02:03 +0800 zhangzhengming [email protected] wrote:
> From: Zhang Zhengming [email protected]
There is a crash in relay_file_read, as the var from point to the end of last subbuf. The oops looks something like: pc : __arch_copy_to_user+0x180/0x310 lr : relay_file_read+0x20c/0x2c8 Call trace: __arch_copy_to_user+0x180/0x310 full_proxy_read+0x68/0x98 vfs_read+0xb0/0x1d0 ksys_read+0x6c/0xf0 __arm64_sys_read+0x20/0x28 el0_svc_common.constprop.3+0x84/0x108 do_el0_svc+0x74/0x90 el0_svc+0x1c/0x28 el0_sync_handler+0x88/0xb0 el0_sync+0x148/0x180
We get the condition by analyzing the vmcore: 1). The last produced byte and last consumed byte both at the end of the last subbuf 2). A softirq who will call function(e.g __blk_add_trace) to write relay buffer occurs when an program calling function relay_file_read_avail. relay_file_read relay_file_read_avail relay_file_read_consume(buf, 0, 0); //interrupted by softirq who will write subbuf … return 1; //read_start point to the end of the last subbuf read_start = relay_file_read_start_pos //avail is equal to subsize avail = relay_file_read_subbuf_avail //from points to an invalid memory address
from = buf->start + read_start //system is crashed copy_to_user(buffer, from, avail)
Thanks. Hopefully Pengcheng Yang and Jens Axboe can comment.
> — a/kernel/relay.c
+++ b/kernel/relay.c @@ -989,7 +989,8 @@ static size_t relay_file_read_start_pos(struct rchan_buf *buf) size_t subbuf_size = buf->chan->subbuf_size; size_t n_subbufs = buf->chan->n_subbufs; size_t consumed = buf->subbufs_consumed % n_subbufs;
- size_t read_pos = consumed * subbuf_size + buf->bytes_consumed;
size_t read_pos = (consumed * subbuf_size + buf->bytes_consumed)
% (n\_subbufs \* subbuf\_size);
read_subbuf = read_pos / subbuf_size; padding = buf->padding[read_subbuf]; I’m thinking we should backport this into earlier kernels and that the commit we’re fixing is
Fixes: 341a7213e5c1 (“kernel/relay.c: fix read_pos error when multiple readers”)
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] relayfs: fix out-of-bounds access in relay_file_read 2023-04-19 21:03 ` Andrew Morton @ 2023-04-19 21:07 ` Jens Axboe 2023-04-23 8:28 ` Pengcheng Yang 1 sibling, 0 replies; 4+ messages in thread From: Jens Axboe @ 2023-04-19 21:07 UTC (permalink / raw) To: Andrew Morton, zhangzhengming Cc: surenb, wuchi.zero, Ilia.Gavrilov, xu.panda, colin.i.king, linux-kernel, zhou.kete, Pengcheng Yang
On 4/19/23 3:03?PM, Andrew Morton wrote: > On Wed, 19 Apr 2023 12:02:03 +0800 zhangzhengming [email protected] wrote:
From: Zhang Zhengming [email protected]
There is a crash in relay_file_read, as the var from point to the end of last subbuf. The oops looks something like: pc : __arch_copy_to_user+0x180/0x310 lr : relay_file_read+0x20c/0x2c8 Call trace: __arch_copy_to_user+0x180/0x310 full_proxy_read+0x68/0x98 vfs_read+0xb0/0x1d0 ksys_read+0x6c/0xf0 __arm64_sys_read+0x20/0x28 el0_svc_common.constprop.3+0x84/0x108 do_el0_svc+0x74/0x90 el0_svc+0x1c/0x28 el0_sync_handler+0x88/0xb0 el0_sync+0x148/0x180
We get the condition by analyzing the vmcore: 1). The last produced byte and last consumed byte both at the end of the last subbuf 2). A softirq who will call function(e.g __blk_add_trace) to write relay buffer occurs when an program calling function relay_file_read_avail. relay_file_read relay_file_read_avail relay_file_read_consume(buf, 0, 0); //interrupted by softirq who will write subbuf … return 1; //read_start point to the end of the last subbuf read_start = relay_file_read_start_pos //avail is equal to subsize avail = relay_file_read_subbuf_avail //from points to an invalid memory address
from = buf->start + read_start //system is crashed copy_to_user(buffer, from, avail)Thanks. Hopefully Pengcheng Yang and Jens Axboe can comment. Patch looks good to me, but that doesn’t necessarily say much. I never did much relayfs hacking, and the bits I did was probably almost 20 years ago at this point when I wrote blktrace…
– Jens Axboe
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] relayfs: fix out-of-bounds access in relay_file_read 2023-04-19 21:03 ` Andrew Morton 2023-04-19 21:07 ` Jens Axboe @ 2023-04-23 8:28 ` Pengcheng Yang 1 sibling, 0 replies; 4+ messages in thread From: Pengcheng Yang @ 2023-04-23 8:28 UTC (permalink / raw) To: akpm Cc: Ilia.Gavrilov, axboe, colin.i.king, linux-kernel, surenb, wuchi.zero, xu.panda, yangpc, zhang.zhengming, zhou.kete, dwilder
On April 20, 2023 5:04 AM, Andrew Morton wrote: > On Wed, 19 Apr 2023 12:02:03 +0800 zhangzhengming [email protected] wrote:
From: Zhang Zhengming [email protected]
There is a crash in relay_file_read, as the var from point to the end of last subbuf. The oops looks something like: pc : __arch_copy_to_user+0x180/0x310 lr : relay_file_read+0x20c/0x2c8 Call trace: __arch_copy_to_user+0x180/0x310 full_proxy_read+0x68/0x98 vfs_read+0xb0/0x1d0 ksys_read+0x6c/0xf0 __arm64_sys_read+0x20/0x28 el0_svc_common.constprop.3+0x84/0x108 do_el0_svc+0x74/0x90 el0_svc+0x1c/0x28 el0_sync_handler+0x88/0xb0 el0_sync+0x148/0x180
We get the condition by analyzing the vmcore: 1). The last produced byte and last consumed byte both at the end of the last subbuf 2). A softirq who will call function(e.g __blk_add_trace) to write relay buffer occurs when an program calling function relay_file_read_avail. relay_file_read relay_file_read_avail relay_file_read_consume(buf, 0, 0); //interrupted by softirq who will write subbuf … return 1; //read_start point to the end of the last subbuf read_start = relay_file_read_start_pos //avail is equal to subsize avail = relay_file_read_subbuf_avail //from points to an invalid memory address
from = buf->start + read_start //system is crashed copy_to_user(buffer, from, avail)Thanks. Hopefully Pengcheng Yang and Jens Axboe can comment. This patch looks good to me.
Reviewed-by: Pengcheng Yang [email protected]
>
I’m thinking we should backport this into earlier kernels and that the commit we’re fixing is
Fixes: 341a7213e5c1 (“kernel/relay.c: fix read_pos error when multiple readers”) I suggest starting backport with this tag:
Fixes: 8d62fdebdaf9 (“relay file read: start-pos fix”)
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-04-23 8:34 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) – links below jump to the message on this page – 2023-04-19 4:02 [PATCH] relayfs: fix out-of-bounds access in relay_file_read zhangzhengming 2023-04-19 21:03 ` Andrew Morton 2023-04-19 21:07 ` Jens Axboe 2023-04-23 8:28 ` Pengcheng Yang
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).
Related news
Red Hat Security Advisory 2024-1250-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include memory exhaustion, null pointer, out of bounds access, out of bounds write, privilege escalation, and use-after-free vulnerabilities.
Red Hat Security Advisory 2023-7077-01 - An update for kernel is now available for Red Hat Enterprise Linux 8. Issues addressed include buffer overflow, denial of service, double free, information leakage, memory leak, null pointer, out of bounds access, out of bounds write, and use-after-free vulnerabilities.
Ubuntu Security Notice 6397-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information. Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service.
Ubuntu Security Notice 6357-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information. Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service.
Ubuntu Security Notice 6340-2 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6349-1 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6347-1 - William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service. It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information.
Ubuntu Security Notice 6340-1 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6332-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information. William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service.
Ubuntu Security Notice 6311-1 - William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service. It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information.
Debian Linux Security Advisory 5480-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
Ubuntu Security Notice 6300-1 - William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service. It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information.
Ubuntu Security Notice 6283-1 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zheng Zhang discovered that the device-mapper implementation in the Linux kernel did not properly handle locking during table_clear operations. A local attacker could use this to cause a denial of service.
Ubuntu Security Notice 6254-1 - Jordy Zomer and Alexandra Sandulescu discovered that syscalls invoking the do_prlimit function in the Linux kernel did not properly handle speculative execution barriers. A local attacker could use this to expose sensitive information. It was discovered that a race condition existed in the btrfs file system implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly expose sensitive information.
Debian Linux Security Advisory 5448-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.