Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-1199: security - CVE-2022-1199 kernel: Null pointer dereference and use-after-free in ax25_release()

A flaw was found in the Linux kernel. This flaw allows an attacker to crash the Linux kernel by simulating amateur radio from the user space, resulting in a null-ptr-deref vulnerability and a use-after-free vulnerability.

CVE
#vulnerability#web#mac#windows#linux#git#php#auth
  • Products
    • Openwall GNU/*/Linux server OS
    • Linux Kernel Runtime Guard
    • John the Ripper password cracker
      • Free & Open Source for any platform
      • in the cloud
      • Pro for Linux
      • Pro for macOS
    • Wordlists for password cracking
    • passwdqc policy enforcement
      • Free & Open Source for Unix
      • Pro for Windows (Active Directory)
    • yescrypt KDF & password hashing
    • yespower Proof-of-Work (PoW)
    • crypt_blowfish password hashing
    • phpass ditto in PHP
    • tcb better password shadowing
    • Pluggable Authentication Modules
    • scanlogd port scan detector
    • popa3d tiny POP3 daemon
    • blists web interface to mailing lists
    • msulogin single user mode login
    • php_mt_seed mt_rand() cracker
  • Services
  • Publications
    • Articles
    • Presentations
  • Resources
    • Mailing lists
    • Community wiki
    • Source code repositories (GitHub)
    • Source code repositories (CVSweb)
    • File archive & mirrors
    • How to verify digital signatures
    • OVE IDs
  • What’s new

[<prev] [next>] [day] [month] [year] [list]

Date: Sat, 2 Apr 2022 16:45:07 +0800 (GMT+08:00) From: 周多明 <duoming@…edu.cn> To: oss-security@…ts.openwall.com Subject: CVE-2022-1199 kernel: Null pointer dereference and use-after-free in ax25_release()

Hello there,

There are null-ptr-deref vulnerability and use-after-free vulnerabilities in net/ax25/af_ax25.c of linux that allow attacker to crash linux kernel by simulating ax25 device from user-space.

=*=*=*=*=*=*=*=*= Bug Details =*=*=*=*=*=*=*=*=

The null-ptr-deref vulnerability is caused by “ax25->sk = NULL” in ax25_release(). The dereference sites include "bh_lock_sock(ax25->sk)" and "bh_unlock_sock(ax25->sk)" in ax25_disconnect(), "lock_sock(s->sk)" and "release_sock(s->sk)" in ax25_kill_by_device().

The NPD bug related with bh_lock_sock(ax25->sk) is shown below:

ax25_kill_by_device() | ax25_release() ax25_disconnect() | ax25_destroy_socket() … | if(ax25->sk != NULL) | … … | ax25->sk = NULL; bh_lock_sock(ax25->sk); //(1) | … … | bh_unlock_sock(ax25->sk); //(2)|

The NPD bug related with lock_sock(s->sk) is shown below:

ax25_kill_by_device() | ax25_release() | ax25_destroy_socket() | ax25_cb_del() … | … | ax25->sk=NULL; lock_sock(s->sk); //(1) | s->ax25_dev = NULL; | … release_sock(s->sk); //(2) | … |

The use-after-free vulnerability is caused by "sock_put(sk)" in ax25_release(). The dereference sites include "lock_sock(s->sk)" and "release_sock(s->sk)" in ax25_kill_by_device().

ax25_kill_by_device() | ax25_release() | ax25_destroy_socket() … | … | sock_put(sk); //FREE lock_sock(s->sk); //(1) | s->ax25_dev = NULL; | … release_sock(s->sk); //(2) | … |

=*=*=*=*=*=*=*=*= Bug Effects =*=*=*=*=*=*=*=*=

We can successfully trigger the vulnerabilities to crash the linux kernel.

The NPD bug related with bh_lock_sock() is shown below.

[ 178.776298] BUG: kernel NULL pointer dereference, address: 0000000000000088 [ 178.777929] RIP: 0010:_raw_spin_lock+0x7e/0xd0 [ 178.777929] Code: be 04 00 00 00 c7 44 24 20 00 00 00 00 e8 2a 29 e8 fe be 04 00 00 00 48 8d 7c 24 20 e8 1b 29 e8 fe ba 01 00 00 00 8b 44 24 20 <f0> 0f b1 55 00 75 29 48 b8 00 00 00 00 [ 178.777929] RSP: 0018:ffff888007dcfa48 EFLAGS: 00000297 [ 178.777929] RAX: 0000000000000000 RBX: 1ffff11000fb9f49 RCX: ffffffff82482855 [ 178.777929] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff888007dcfa68 [ 178.777929] RBP: 0000000000000088 R08: 0000000000000001 R09: 0000000000000003 [ 178.777929] R10: ffffed1000fb9f4d R11: 0000000000000001 R12: 0000000000000065 [ 178.777929] R13: ffff888009f99800 R14: ffff888009f99860 R15: ffff888009f99800 [ 178.777929] FS: 00007f9651ce3700(0000) GS:ffff88806d480000(0000) knlGS:0000000000000000 [ 178.777929] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 178.777929] CR2: 0000000000000088 CR3: 0000000009876000 CR4: 00000000000006e0 [ 178.777929] Call Trace: [ 178.777929] ? _raw_read_lock_irq+0x30/0x30 [ 178.777929] ? _raw_spin_unlock_bh+0x9/0x20 [ 178.777929] ? ax25_link_failed+0x40/0x60 [ 178.777929] ax25_disconnect+0xf6/0x220 [ 178.777929] ax25_device_event+0x187/0x250 [ 178.777929] raw_notifier_call_chain+0x5e/0x70 [ 178.777929] dev_close_many+0x17d/0x230 [ 178.777929] ? __dev_close_many+0x1c0/0x1c0 [ 178.777929] rollback_registered_many+0x1f1/0x950 [ 178.777929] ? _raw_write_lock_irqsave+0xd0/0xd0 [ 178.777929] ? dev_alloc_name+0xd0/0xd0 [ 178.777929] ? ldsem_down_read+0x410/0x410 [ 178.777929] unregister_netdevice_queue+0x133/0x200 [ 178.777929] ? unregister_netdevice_many+0x20/0x20 [ 178.777929] ? sixpack_close+0xf8/0x130 [ 178.777929] unregister_netdev+0x13/0x20 [ 178.777929] tty_ldisc_hangup+0x1ab/0x2d0 [ 178.777929] __tty_hangup.part.0+0x306/0x510 [ 178.777929] tty_release+0x200/0x670 [ 178.777929] __fput+0x104/0x3b0 [ 178.777929] task_work_run+0x8f/0xd0 [ 178.777929] exit_to_user_mode_prepare+0x114/0x120 [ 178.777929] syscall_exit_to_user_mode+0x1d/0x40 [ 178.777929] entry_SYSCALL_64_after_hwframe+0x44/0xa9

The NPD bug related with lock_sock() is shown below.

[ 727.493561] BUG: kernel NULL pointer dereference, address: 0000000000000088 [ 727.493561] RIP: 0010:_raw_spin_lock_bh+0x89/0xd0 [ 727.493561] Code: be 04 00 00 00 c7 44 24 20 00 00 00 00 e8 5f c6 f1 fd be 04 00 00 00 48 8d 7c 24 20 e8 50 c6 f1 fd ba 01 00 00 00 8b 44 24 20 <f0> 0f b1 55 00 75 29 48 b8 00 00 00 00 [ 727.493561] RSP: 0018:ffff88801569f9c0 EFLAGS: 00000297 [ 727.493561] RAX: 0000000000000000 RBX: 1ffff11002ad3f38 RCX: ffffffff8366d960 [ 727.493561] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff88801569f9e0 [ 727.493561] RBP: 0000000000000088 R08: 0000000000000001 R09: 0000000000000003 [ 727.493561] R10: ffffed1002ad3f3c R11: 0000000000000001 R12: 0000000000000088 [ 727.493561] R13: ffff888016166700 R14: ffff888014a57dc8 R15: dffffc0000000000 [ 727.493561] FS: 00007f5cab712700(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000 [ 727.493561] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 727.493561] CR2: 0000000000000088 CR3: 000000000a336000 CR4: 00000000000006f0 [ 727.493561] Call Trace: [ 727.493561] ? _raw_spin_lock+0xd0/0xd0 [ 727.493561] release_sock+0x16/0x170 [ 727.493561] ax25_device_event+0x1a3/0x270 [ 727.493561] ? nr_device_event+0xf2/0x140 [ 727.493561] raw_notifier_call_chain+0x8d/0xd0 [ 727.493561] dev_close_many+0x227/0x400 [ 727.493561] ? __dev_close_many+0x290/0x290 [ 727.493561] ? finish_task_switch.isra.0+0x205/0x620 [ 727.493561] ? __switch_to+0x572/0xe50 [ 727.493561] rollback_registered_many+0x2e1/0x1130 [ 727.493561] ? dev_alloc_name+0xf0/0xf0 [ 727.493561] ? ldsem_down_read+0x650/0x650 [ 727.493561] unregister_netdevice_queue+0x1d7/0x3e0 [ 727.493561] ? unregister_netdevice_many+0x50/0x50 [ 727.493561] ? _raw_write_lock_bh+0xd0/0xd0 [ 727.493561] ? down_write_killable+0x120/0x120 [ 727.493561] unregister_netdev+0x13/0x20 [ 727.493561] mkiss_close+0x116/0x1f0 [ 727.493561] tty_ldisc_hangup+0x227/0x5f0 [ 727.493561] ? fasync_remove_entry+0x28/0x220 [ 727.493561] __tty_hangup.part.0+0x41c/0x910 [ 727.493561] tty_release+0x3a8/0xcc0 [ 727.493561] __fput+0x1e2/0x840 [ 727.493561] task_work_run+0xe8/0x180 [ 727.493561] exit_to_user_mode_prepare+0x114/0x120 [ 727.493561] syscall_exit_to_user_mode+0x1d/0x40 [ 727.493561] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 727.493561] RIP: 0033:0x7f6d2c9d4beb [ 727.493561] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 33 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 [ 727.493561] RSP: 002b:00007f5cab711ec0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 727.493561] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f6d2c9d4beb [ 727.493561] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 727.493561] RBP: 00007f5cab711f00 R08: 0000000000000000 R09: 00007f5cab712700 [ 727.493561] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffee89407be [ 727.493561] R13: 00007ffee89407bf R14: 00007f5cab711fc0 R15: 00007f5cab712700

The UAF bug related with lock_sock() is shown below.

[ 208.472360] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x71/0xd0 [ 208.472465] Write of size 4 at addr ffff88800a0e8088 by task ax25_clo_bin/1271 [ 208.472465] Call Trace: [ 208.472465] dump_stack+0x7d/0xa3 [ 208.472465] print_address_description.constprop.0+0x18/0x130 [ 208.472465] ? _raw_spin_lock_bh+0x71/0xd0 [ 208.472465] ? _raw_spin_lock_bh+0x71/0xd0 [ 208.472465] kasan_report.cold+0x7f/0x10e [ 208.472465] ? _raw_spin_lock_bh+0x71/0xd0 [ 208.472465] check_memory_region+0xf9/0x1e0 [ 208.472465] _raw_spin_lock_bh+0x71/0xd0 [ 208.472465] ? _raw_spin_lock+0xd0/0xd0 [ 208.472465] ? schedule+0x8e/0x120 [ 208.472465] __lock_sock+0xd9/0x140 [ 208.472465] ? sock_omalloc+0xc0/0xc0 [ 208.472465] ? _raw_spin_lock+0xd0/0xd0 [ 208.472465] ? wait_woken+0x110/0x110 [ 208.472465] ? _raw_spin_lock+0xd0/0xd0 [ 208.472465] ? _raw_spin_lock_bh+0x80/0xd0 [ 208.472465] ? _raw_spin_lock+0xd0/0xd0 [ 208.472465] lock_sock_nested+0x72/0x80 [ 208.472465] ax25_device_event+0xef/0x160 [ 208.472465] raw_notifier_call_chain+0x5e/0x70 [ 208.472465] dev_close_many+0x17d/0x230 [ 208.472465] ? __dev_close_many+0x1c0/0x1c0 [ 208.472465] ? __schedule+0x494/0xc30 [ 208.472465] rollback_registered_many+0x1f1/0x950 [ 208.472465] ? clockevents_program_event+0xd3/0x130 [ 208.472465] ? dev_alloc_name+0xd0/0xd0 [ 208.472465] ? ldsem_down_read+0x410/0x410 [ 208.472465] unregister_netdevice_queue+0x133/0x200 [ 208.472465] ? unregister_netdevice_many+0x20/0x20 [ 208.472465] ? _raw_write_lock_bh+0xd0/0xd0 [ 208.472465] unregister_netdev+0x13/0x20 [ 208.472465] mkiss_close+0xc4/0x120 [ 208.472465] tty_ldisc_hangup+0x1ab/0x2d0 [ 208.472465] __tty_hangup.part.0+0x306/0x510 [ 208.472465] tty_release+0x200/0x670 [ 208.472465] __fput+0x104/0x3b0 [ 208.472465] task_work_run+0x8f/0xd0 [ 208.472465] exit_to_user_mode_prepare+0x114/0x120 [ 208.472465] syscall_exit_to_user_mode+0x1d/0x40 [ 208.472465] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 208.472465] RIP: 0033:0x7f7900bb1beb [ 208.472465] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 33 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 0c e8 71 fc ff ff 8b 44 [ 208.472465] RSP: 002b:00007f78ff9c8ec0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 [ 208.472465] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f7900bb1beb [ 208.472465] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 208.472465] RBP: 00007f78ff9c8f00 R08: 0000000000000000 R09: 00007f78ff9c9700 [ 208.472465] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffd364d6b9e [ 208.472465] R13: 00007ffd364d6b9f R14: 00007f78ff9c8fc0 R15: 00007f78ff9c9700

=*=*=*=*=*=*=*=*= Bug Fix =*=*=*=*=*=*=*=*=

The patch that have been applied to mainline Linux kernel is shown below. https://github.com/torvalds/linux/commit/4e0f718daf97d47cf7dec122da1be970f145c809 https://github.com/torvalds/linux/commit/7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10 https://github.com/torvalds/linux/commit/71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac

=*=*=*=*=*=*=*=*= Timeline =*=*=*=*=*=*=*=*=

2022-01-28: commit 4e0f718daf97 accepted to mainline kernel 2022-02-09: commit 7ec02f5ac8a5 accepted to mainline kernel 2022-03-09: commit 71171ac8eb34 accepted to mainline kernel 2022-04-01: CVE-2022-1199 is assigned

=*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*=

Duoming Zhou <duoming@…edu.cn>

Best Regards, Duoming Zhou

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

Related news

Ubuntu Security Notice USN-5650-1

Ubuntu Security Notice 5650-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the virtual terminal driver in the Linux kernel did not properly handle VGA console font changes, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5541-1

Ubuntu Security Notice 5541-1 - Eric Biederman discovered that the cgroup process migration implementation in the Linux kernel did not perform permission checks correctly in some situations. A local attacker could possibly use this to gain administrative privileges. Jann Horn discovered that the FUSE file system in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5539-1

Ubuntu Security Notice 5539-1 - It was discovered that the implementation of the 6pack and mkiss protocols in the Linux kernel did not handle detach events properly in some situations, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service. Duoming Zhou discovered that the AX.25 amateur radio protocol implementation in the Linux kernel did not handle detach events properly in some situations. A local attacker could possibly use this to cause a denial of service or execute arbitrary code.

Ubuntu Security Notice USN-5515-1

Ubuntu Security Notice 5515-1 - Eric Biederman discovered that the cgroup process migration implementation in the Linux kernel did not perform permission checks correctly in some situations. A local attacker could possibly use this to gain administrative privileges. Jann Horn discovered that the FUSE file system in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5514-1

Ubuntu Security Notice 5514-1 - It was discovered that the implementation of the 6pack and mkiss protocols in the Linux kernel did not handle detach events properly in some situations, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service. Duoming Zhou discovered that the AX.25 amateur radio protocol implementation in the Linux kernel did not handle detach events properly in some situations. A local attacker could possibly use this to cause a denial of service or execute arbitrary code.

Ubuntu Security Notice USN-5469-1

Ubuntu Security Notice 5469-1 - It was discovered that the Linux kernel did not properly restrict access to the kernel debugger when booted in secure boot environments. A privileged attacker could use this to bypass UEFI Secure Boot restrictions. Aaron Adams discovered that the netfilter subsystem in the Linux kernel did not properly handle the removal of stateful expressions in some situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907