Headline
CVE-2022-1204: security - CVE-2022-1204: Linux kernel: UAF caused by binding operation when ax25 device is detaching
A use-after-free flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.
- Products
- Openwall GNU/*/Linux server OS
- Linux Kernel Runtime Guard
- John the Ripper password cracker
- Free & Open Source for any platform
- in the cloud
- Pro for Linux
- Pro for macOS
- Wordlists for password cracking
- passwdqc policy enforcement
- Free & Open Source for Unix
- Pro for Windows (Active Directory)
- yescrypt KDF & password hashing
- yespower Proof-of-Work (PoW)
- crypt_blowfish password hashing
- phpass ditto in PHP
- tcb better password shadowing
- Pluggable Authentication Modules
- scanlogd port scan detector
- popa3d tiny POP3 daemon
- blists web interface to mailing lists
- msulogin single user mode login
- php_mt_seed mt_rand() cracker
- Services
- Publications
- Articles
- Presentations
- Resources
- Mailing lists
- Community wiki
- Source code repositories (GitHub)
- Source code repositories (CVSweb)
- File archive & mirrors
- How to verify digital signatures
- OVE IDs
- What’s new
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 2 Apr 2022 14:53:10 +0800 (GMT+08:00) From: 周多明 <duoming@…edu.cn> To: oss-security@…ts.openwall.com Subject: CVE-2022-1204: Linux kernel: UAF caused by binding operation when ax25 device is detaching
Hello there,
There are use-after-free vulnerabilities in net/ax25/af_ax25.c of linux that allow attacker to crash linux kernel by simulating ax25 device from user space.
=*=*=*=*=*=*=*=*= Bug Details =*=*=*=*=*=*=*=*=
The resources such as ax25_dev and net_device will be freed in ax25_dev_device_down(), if we call ax25_bind() between ax25_kill_by_device() and kfree() in ax25_dev_device_down(), we could use ax25_dev in functions such as ax25_bind() ax25_release(), ax25_connect(), ax25_ioctl(), ax25_getname(), ax25_sendmsg(), ax25_getsockopt() and ax25_info_show() after ax25_dev has been deallocated, and use net_device in functions such as ax25_release(), ax25_sendmsg(), ax25_getsockopt(), ax25_getname() and ax25_info_show() after net_device has been deallocated.
One of the concurrency UAF related with ax25_dev in ax25_bind() can be shown as below:
(USE) | (FREE)
| ax25\_device\_event
| ax25\_dev\_device\_down
ax25_bind | … … | kfree(ax25_dev) ax25_fillin_cb() | … ax25_fillin_cb_from_dev() | … |
One of the concurrency UAF related with net_device in ax25_release() can be shown as below:
(USE) | (FREE)
| ax25\_kill\_by\_device()
ax25\_bind() |
ax25\_connect() | ...
| ax25\_dev\_device\_down()
| ...
| dev\_put\_track(dev, ...) //FREE
ax25\_release() | ...
ax25\_send\_control() |
alloc\_skb() //USE |
=*=*=*=*=*=*=*=*= Bug Effects =*=*=*=*=*=*=*=*=
We can successfully trigger the vulnerabilities to crash the linux kernel.
(1) One of the use-after-free bug backtraces related with ax25_dev is shown below.
[ 208.136725] BUG: KASAN: use-after-free in ax25_send_control+0x3c/0x210 [ 208.136725] Read of size 8 at addr ffff888007c4ad08 by task ax25_co_rel/3072 [ 208.136725] Call Trace: [ 208.136725] dump_stack+0x7d/0xa3 [ 208.136725] print_address_description.constprop.0+0x18/0x130 [ 208.136725] ? ax25_send_control+0x3c/0x210 [ 208.136725] ? ax25_send_control+0x3c/0x210 [ 208.136725] kasan_report.cold+0x7f/0x10e [ 208.136725] ? _raw_write_lock_bh+0x80/0xd0 [ 208.136725] ? ax25_send_control+0x3c/0x210 [ 208.136725] ax25_send_control+0x3c/0x210 [ 208.136725] ax25_release+0x2db/0x3b0 [ 208.136725] __sock_release+0x6d/0x120 [ 208.136725] sock_close+0xc/0x10 [ 208.136725] __fput+0x104/0x3b0 [ 208.136725] task_work_run+0x8f/0xd0 [ 208.136725] get_signal+0xbae/0xc00 [ 208.136725] ? ax25_connect+0x3c1/0x800 [ 208.136725] arch_do_signal_or_restart+0x1d9/0xc70 [ 208.136725] ? wait_woken+0x110/0x110 [ 208.136725] ? selinux_netlbl_socket_connect+0x26/0x30 [ 208.136725] ? kick_process+0x12/0x80 [ 208.136725] ? task_work_add+0xcd/0xe0 [ 208.136725] ? restore_sigcontext+0x320/0x320 [ 208.136725] ? __sys_connect+0x108/0x120 [ 208.136725] ? __sys_connect_file+0xc0/0xc0 [ 208.136725] ? common_nsleep+0x5a/0x70 [ 208.136725] ? copy_init_fpstate_to_fpregs+0x60/0x60 [ 208.136725] ? __ia32_sys_clock_adjtime+0x30/0x30 [ 208.136725] exit_to_user_mode_prepare+0xaa/0x120 [ 208.136725] syscall_exit_to_user_mode+0x1d/0x40 [ 208.136725] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 208.136725] RIP: 0033:0x7fa754c17d2b [ 208.136725] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 fb fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 08 e8 31 fb ff ff 8b 44 [ 208.136725] RSP: 002b:00007fa5dfd26ee0 EFLAGS: 00000293 ORIG_RAX: 000000000000002a [ 208.136725] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007fa754c17d2b [ 208.136725] RDX: 0000000000000010 RSI: 00000000006021c0 RDI: 0000000000000005 [ 208.136725] RBP: 00007fa5dfd26f00 R08: 0000000000000000 R09: 00007fa5dfd27700 [ 208.136725] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffc91618f7e [ 208.136725] R13: 00007ffc91618f7f R14: 00007fa5dfd26fc0 R15: 00007fa5dfd27700 [ 208.136725] [ 208.136725] Allocated by task 3070: [ 208.136725] kasan_save_stack+0x1b/0x40 [ 208.136725] ____kasan_kmalloc.constprop.0+0x84/0xa0 [ 208.136725] ax25_dev_device_up+0x27/0x1a0 [ 208.136725] ax25_device_event+0x12d/0x160 [ 208.136725] raw_notifier_call_chain+0x5e/0x70 [ 208.136725] __dev_notify_flags+0xbf/0x180 [ 208.136725] dev_change_flags+0x92/0xb0 [ 208.136725] devinet_ioctl+0x92f/0xbd0 [ 208.136725] inet_ioctl+0x259/0x290 [ 208.136725] sock_do_ioctl+0xa8/0x1e0 [ 208.136725] sock_ioctl+0x2ee/0x3f0 [ 208.136725] __x64_sys_ioctl+0xb4/0xf0 [ 208.136725] do_syscall_64+0x33/0x40 [ 208.136725] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 208.136725] [ 208.136725] Freed by task 3071: [ 208.136725] kasan_save_stack+0x1b/0x40 [ 208.136725] kasan_set_track+0x1c/0x30 [ 208.136725] kasan_set_free_info+0x20/0x30 [ 208.136725] ____kasan_slab_free+0xec/0x120 [ 208.136725] kfree+0x8f/0x210 [ 208.136725] ax25_device_event+0x14e/0x160 [ 208.136725] raw_notifier_call_chain+0x5e/0x70 [ 208.136725] dev_close_many+0x17d/0x230 [ 208.136725] rollback_registered_many+0x1f1/0x950 [ 208.136725] unregister_netdevice_queue+0x133/0x200 [ 208.136725] unregister_netdev+0x13/0x20 [ 208.136725] mkiss_close+0xc4/0x120 [ 208.136725] tty_ldisc_hangup+0x1ab/0x2d0 [ 208.136725] __tty_hangup.part.0+0x306/0x510 [ 208.136725] tty_release+0x200/0x670 [ 208.136725] __fput+0x104/0x3b0 [ 208.136725] task_work_run+0x8f/0xd0 [ 208.136725] exit_to_user_mode_prepare+0x114/0x120 [ 208.136725] syscall_exit_to_user_mode+0x1d/0x40 [ 208.136725] entry_SYSCALL_64_after_hwframe+0x44/0xa9
(2) One of the use-after-free bug backtraces related with net_device is shown below.
[ 769.959339] BUG: KASAN: use-after-free in ax25_send_control+0x43/0x210 [ 769.959339] Read of size 2 at addr ffff8880092520de by task ax25_co_rel/1970 [ 769.966904] Call Trace: [ 769.966904] <TASK> [ 769.966904] dump_stack_lvl+0x57/0x7d [ 769.966904] print_address_description.constprop.0+0x1f/0x150 [ 769.966904] ? ax25_send_control+0x43/0x210 [ 769.966904] ? ax25_send_control+0x43/0x210 [ 769.966904] kasan_report.cold+0x7f/0x11b [ 769.966904] ? ax25_send_control+0x43/0x210 [ 769.966904] ax25_send_control+0x43/0x210 [ 769.966904] ? trace_hardirqs_on+0x1c/0x110 [ 769.966904] ax25_release+0x2db/0x3b0 [ 769.966904] ? lock_release+0xb2/0x470 [ 769.966904] __sock_release+0x6d/0x120 [ 769.966904] sock_close+0xf/0x20 [ 769.966904] __fput+0x11f/0x420 [ 769.966904] task_work_run+0x86/0xd0 [ 769.966904] get_signal+0x1096/0x1240 [ 769.966904] ? lockdep_hardirqs_on_prepare+0xe/0x230 [ 769.966904] ? __local_bh_enable_ip+0x7e/0xf0 [ 769.966904] ? trace_hardirqs_on+0x1c/0x110 [ 769.966904] ? ax25_connect+0x3c1/0x800 [ 769.966904] ? signal_setup_done+0x2a0/0x2a0 [ 769.966904] arch_do_signal_or_restart+0x1df/0xbf0 [ 770.012784] exit_to_user_mode_prepare+0x143/0x1c0 [ 770.012784] syscall_exit_to_user_mode+0x19/0x50 [ 770.012784] do_syscall_64+0x48/0x90 [ 770.012784] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 770.012784] RIP: 0033:0x7fba03510d2b [ 770.012784] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 fb fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 [ 770.016580] RSP: 002b:00007fb9a9f5aee0 EFLAGS: 00000293 ORIG_RAX: 000000000000002a [ 770.016580] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007fba03510d2b [ 770.021380] RDX: 0000000000000010 RSI: 00000000006021c0 RDI: 0000000000000005 [ 770.021380] RBP: 00007fb9a9f5af00 R08: 0000000000000000 R09: 00007fb9a9f5b700 [ 770.021380] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffeb426b5ce [ 770.021380] R13: 00007ffeb426b5cf R14: 00007fb9a9f5afc0 R15: 00007fb9a9f5b700 [ 770.021380] </TASK> [ 770.021380] [ 770.021380] Allocated by task 1283: [ 770.025691] kasan_save_stack+0x1e/0x40 [ 770.025691] __kasan_kmalloc+0x81/0xa0 [ 770.025691] alloc_netdev_mqs+0x5a/0x680 [ 770.025691] mkiss_open+0x6c/0x380 [ 770.025691] tty_ldisc_open+0x55/0x90 [ 770.029456] tty_set_ldisc+0x193/0x2e0 [ 770.029456] tty_ioctl+0x4ae/0xc70 [ 770.029456] __x64_sys_ioctl+0xb4/0xf0 [ 770.029456] do_syscall_64+0x3b/0x90 [ 770.029456] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 770.029456] [ 770.033625] Freed by task 1969: [ 770.033625] kasan_save_stack+0x1e/0x40 [ 770.033625] kasan_set_track+0x21/0x30 [ 770.033625] kasan_set_free_info+0x20/0x30 [ 770.033625] __kasan_slab_free+0xfa/0x130 [ 770.033625] kfree+0xa3/0x2c0 [ 770.033625] device_release+0x54/0xe0 [ 770.037210] kobject_put+0xa5/0x120 [ 770.037210] tty_ldisc_kill+0x3e/0x80 [ 770.037210] tty_ldisc_hangup+0x1b2/0x2c0 [ 770.037210] __tty_hangup.part.0+0x316/0x520 [ 770.037210] tty_release+0x200/0x670 [ 770.037210] __fput+0x11f/0x420 [ 770.037210] task_work_run+0x86/0xd0 [ 770.037210] exit_to_user_mode_prepare+0x1b2/0x1c0 [ 770.037210] syscall_exit_to_user_mode+0x19/0x50 [ 770.041472] do_syscall_64+0x48/0x90 [ 770.041472] entry_SYSCALL_64_after_hwframe+0x44/0xae
=*=*=*=*=*=*=*=*= Bug Reproduce =*=*=*=*=*=*=*=*=
We could use pseudoterminal-based device emulation to simulate ax25 device from user space and create a socket for it. Then, we create four threads: the first thread is used to initialize and start ax25 device, the second thread is used to close the pseudoterminal-based device, the third thread is used to execute bind and connect syscalls, the last thread is used to close the socket. Let these four threads to interleave, we could reproduce the bug.
=*=*=*=*=*=*=*=*= Bug Fix =*=*=*=*=*=*=*=*=
The patch that have been applied to mainline Linux kernel is shown below. https://github.com/torvalds/linux/commit/d01ffb9eee4af165d83b08dd73ebdf9fe94a519b https://github.com/torvalds/linux/commit/87563a043cef044fed5db7967a75741cc16ad2b1 https://github.com/torvalds/linux/commit/feef318c855a361a1eccd880f33e88c460eb63b4 https://github.com/torvalds/linux/commit/9fd75b66b8f68498454d685dc4ba13192ae069b0 https://github.com/torvalds/linux/commit/5352a761308397a0e6250fdc629bb3f615b94747
=*=*=*=*=*=*=*=*= Timeline =*=*=*=*=*=*=*=*=
2022-01-28: commit d01ffb9eee4a accepted to mainline kernel 2022-02-04: commit 87563a043cef accepted to mainline kernel 2022-01-28: commit feef318c855a accepted to mainline kernel 2022-03-21: commit 9fd75b66b8f6 accepted to mainline kernel 2022-03-29: commit 5352a7613083 accepted to mainline kernel 2022-04-02: CVE-2022-1204 is assigned
=*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*= Duoming Zhou <duoming@…edu.cn>
Best Regards, Duoming Zhou
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.
Related news
Ubuntu Security Notice 5650-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
Ubuntu Security Notice 5541-1 - Eric Biederman discovered that the cgroup process migration implementation in the Linux kernel did not perform permission checks correctly in some situations. A local attacker could possibly use this to gain administrative privileges. Jann Horn discovered that the FUSE file system in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 5539-1 - It was discovered that the implementation of the 6pack and mkiss protocols in the Linux kernel did not handle detach events properly in some situations, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service. Duoming Zhou discovered that the AX.25 amateur radio protocol implementation in the Linux kernel did not handle detach events properly in some situations. A local attacker could possibly use this to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5515-1 - Eric Biederman discovered that the cgroup process migration implementation in the Linux kernel did not perform permission checks correctly in some situations. A local attacker could possibly use this to gain administrative privileges. Jann Horn discovered that the FUSE file system in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 5514-1 - It was discovered that the implementation of the 6pack and mkiss protocols in the Linux kernel did not handle detach events properly in some situations, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service. Duoming Zhou discovered that the AX.25 amateur radio protocol implementation in the Linux kernel did not handle detach events properly in some situations. A local attacker could possibly use this to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5469-1 - It was discovered that the Linux kernel did not properly restrict access to the kernel debugger when booted in secure boot environments. A privileged attacker could use this to bypass UEFI Secure Boot restrictions. Aaron Adams discovered that the netfilter subsystem in the Linux kernel did not properly handle the removal of stateful expressions in some situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.