CVE-2022-1882: Deinitialize the watch_queue when pipe is freed

A use-after-free flaw was found in the Linux kernel's pipe functionality in the way a user performs certain manipulations on a pipe, e.g. post_one_notification() running after free_pipe_info() has already been called. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
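To make the defensive pattern concrete, here is an added toy model in C written for this page (not kernel code and not part of the patch below): the queue keeps a back-pointer to its pipe, the side that frees the pipe clears that back-pointer under the queue's lock before dropping its reference, and the notifier reads the pointer only under that same lock, so a notification posted after the pipe is gone is dropped rather than dereferenced. All names (wq_lock, demo_release_then_notify, the usage counter) are this example's own stand-ins.

```c
#include <stdatomic.h>
#include <stdlib.h>
/* Toy user-space model (not kernel code) of the pipe <-> watch_queue pair. */
struct pipe_info;
struct watch_queue {
    atomic_int lock;          /* stands in for wqueue->lock */
    struct pipe_info *pipe;   /* the back-pointer that dangled in CVE-2022-1882 */
    int usage;                /* refs: one from the pipe, one per watcher */
};
struct pipe_info { struct watch_queue *watch_queue; };
static void wq_lock(struct watch_queue *wq)   { while (atomic_exchange(&wq->lock, 1)) { } }
static void wq_unlock(struct watch_queue *wq) { atomic_store(&wq->lock, 0); }
static void put_watch_queue(struct watch_queue *wq) { if (--wq->usage == 0) free(wq); }

/* Owner side: sever the back-pointer under wq->lock, then drop the pipe's ref. */
static void free_pipe_info(struct pipe_info *pipe)
{
    struct watch_queue *wq = pipe->watch_queue;
    if (wq) {
        wq_lock(wq);
        wq->pipe = NULL;
        wq_unlock(wq);
        put_watch_queue(wq);  /* may free wq: never touch it after this */
    }
    free(pipe);
}

/* Notifier side: read wq->pipe only under the same lock. Returns 1 if delivered. */
static int post_one_notification(struct watch_queue *wq)
{
    int delivered = 0;
    wq_lock(wq);
    if (wq->pipe)             /* NULL: pipe already gone, drop the notification */
        delivered = 1;        /* real code would take the pipe's own lock here */
    wq_unlock(wq);
    return delivered;
}

/* Scenario: a watcher still holds a ref on wq when the pipe is released. */
int demo_release_then_notify(void)
{
    struct watch_queue *wq = calloc(1, sizeof(*wq));
    struct pipe_info *pipe = calloc(1, sizeof(*pipe));
    pipe->watch_queue = wq; wq->pipe = pipe; wq->usage = 2; /* pipe ref + watcher ref */
    int before = post_one_notification(wq); /* 1: pipe alive */
    free_pipe_info(pipe);                   /* what pipe_release -> free_pipe_info does */
    int after = post_one_notification(wq);  /* 0: no dangling dereference */
    put_watch_queue(wq);                    /* watcher drops the last ref */
    return before * 10 + after;             /* 10 */
}
```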


[PATCH] fs/pipe: Deinitialize the watch_queue when pipe is freed
Date: 2022-05-07 11:56 UTC
From: Haimin Zhang
To: Alexander Viro, David Howells, Fabio M. De Francesco, linux-kernel, linux-fsdevel
Cc: Haimin Zhang, TCS Robot

From: Haimin Zhang <[email protected]>

Add a new function call to deinitialize the watch_queue of a freed pipe. When a pipe node is freed, it doesn't make pipe->watch_queue->pipe null. Later, when the function post_one_notification is called, it will use this field, but it has been freed and watch_queue->pipe is a dangling pointer. This makes a UAF issue.

Reported-by: TCS Robot <[email protected]>
Signed-off-by: Haimin Zhang <[email protected]>


The following are the call stacks:

1. The pipe was created as follows:

   ```
   kmalloc build/…/include/linux/slab.h:581 [inline]
   kzalloc build/…/include/linux/slab.h:714 [inline]
   alloc_pipe_info+0x105/0x590 build/…/fs/pipe.c:790
   get_pipe_inode build/…/fs/pipe.c:881 [inline]
   create_pipe_files+0x8d/0x880 build/…/fs/pipe.c:913
   __do_pipe_flags build/…/fs/pipe.c:962 [inline]
   do_pipe2+0x96/0x1b0 build/…/fs/pipe.c:1010
   __do_sys_pipe2 build/…/fs/pipe.c:1028 [inline]
   __se_sys_pipe2 build/…/fs/pipe.c:1026 [inline]
   __x64_sys_pipe2+0x50/0x70 build/…/fs/pipe.c:1026
   do_syscall_x64 build/…/arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x35/0x80 build/…/arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x44/0xae
   ```

2. The pipe was freed as follows:

   ```
   kfree+0xd6/0x4d0 build/…/mm/slub.c:4552
   put_pipe_info build/…/fs/pipe.c:711 [inline]
   pipe_release+0x2b6/0x310 build/…/fs/pipe.c:734
   __fput+0x277/0x9d0 build/…/fs/file_table.c:317
   task_work_run+0xdd/0x1a0 build/…/kernel/task_work.c:164
   resume_user_mode_work build/…/include/linux/resume_user_mode.h:49 [inline]
   exit_to_user_mode_loop build/…/kernel/entry/common.c:169 [inline]
   exit_to_user_mode_prepare+0x23c/0x250 build/…/kernel/entry/common.c:201
   __syscall_exit_to_user_mode_work build/…/kernel/entry/common.c:283 [inline]
   syscall_exit_to_user_mode+0x19/0x60 build/…/kernel/entry/common.c:294
   do_syscall_64+0x42/0x80 build/…/arch/x86/entry/common.c:86
   entry_SYSCALL_64_after_hwframe+0x44/0xae
   ```

3. The dangling pointer was used:

   ```
   __lock_acquire+0x3eb0/0x56c0 build/…/kernel/locking/lockdep.c:4899
   lock_acquire build/…/kernel/locking/lockdep.c:5641 [inline]
   lock_acquire+0x1ab/0x510 build/…/kernel/locking/lockdep.c:5606
   __raw_spin_lock_irq build/…/include/linux/spinlock_api_smp.h:119 [inline]
   _raw_spin_lock_irq+0x32/0x50 build/…/kernel/locking/spinlock.c:170
   spin_lock_irq build/…/include/linux/spinlock.h:374 [inline]
   post_one_notification.isra.0+0x59/0x990 build/…/kernel/watch_queue.c:86
   remove_watch_from_object+0x35a/0x9d0 build/…/kernel/watch_queue.c:527
   remove_watch_list build/…/include/linux/watch_queue.h:115 [inline]
   key_gc_unused_keys.constprop.0+0x2e5/0x600 build/…/security/keys/gc.c:135
   key_garbage_collector+0x3d7/0x920 build/…/security/keys/gc.c:297
   process_one_work+0x996/0x1610 build/…/kernel/workqueue.c:2289
   worker_thread+0x665/0x1080 build/…/kernel/workqueue.c:2436
   kthread+0x2e9/0x3a0 build/…/kernel/kthread.c:376
   ret_from_fork+0x1f/0x30 build/…/arch/x86/entry/entry_64.S:298
   ```

```
 fs/pipe.c                   |  4 ++-
 include/linux/watch_queue.h |  5 +++++
 kernel/watch_queue.c        | 16 ++++++++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)
```

diff --git a/fs/pipe.c b/fs/pipe.c index e140ea150bbb…7e3f4df87c28 100644 — a/fs/pipe.c +++ b/fs/pipe.c @@ -844,8 +844,10 @@ void free_pipe_info(struct pipe_inode_info *pipe) pipe_buf_release(pipe, buf); } #ifdef CONFIG_WATCH_QUEUE - if (pipe->watch_queue)

  • if (pipe->watch_queue) { put_watch_queue(pipe->watch_queue);
  •   watch\_queue\_deinit(pipe);
    
  • } #endif if (pipe->tmp_page) __free_page(pipe->tmp_page); diff --git a/include/linux/watch_queue.h b/include/linux/watch_queue.h index 3b9a40ae8bdb…e5086b195fb7 100644 — a/include/linux/watch_queue.h +++ b/include/linux/watch_queue.h @@ -90,6 +90,7 @@ extern long watch_queue_set_size(struct pipe_inode_info *, unsigned int); extern long watch_queue_set_filter(struct pipe_inode_info *, struct watch_notification_filter __user *); extern int watch_queue_init(struct pipe_inode_info *); +extern int watch_queue_deinit(struct pipe_inode_info *); extern void watch_queue_clear(struct watch_queue *);

static inline void init_watch_list(struct watch_list *wlist, @@ -129,6 +130,10 @@ static inline int watch_queue_init(struct pipe_inode_info *pipe) return -ENOPKG; }

+static inline int watch_queue_deinit(struct pipe_inode_info *pipe) +{

  • return -ENOPKG; +} #endif

#endif /* _LINUX_WATCH_QUEUE_H */ diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c index 230038d4f908…3396e60f14e8 100644 — a/kernel/watch_queue.c +++ b/kernel/watch_queue.c @@ -663,3 +663,19 @@ int watch_queue_init(struct pipe_inode_info *pipe) pipe->watch_queue = wqueue; return 0; }

+/*

  • * Deinitialise a watch queue
  • */ +int watch_queue_deinit(struct pipe_inode_info *pipe) +{
  • struct watch_queue *wqueue;
  • if (pipe) {
  •   wqueue = pipe->watch\_queue;
    
  •   if (wqueue)
    
  •       wqueue->pipe = NULL;
    
  •   pipe->watch\_queue = NULL;
    
  • }
  • return 0; +} – 2.27.0
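Review bot: in the free_pipe_info() hunk in fs/pipe.c the two new calls are in the wrong order: put_watch_queue(pipe->watch_queue) can drop the last reference to the queue, and watch_queue_deinit(pipe) then reads pipe->watch_queue and writes wqueue->pipe = NULL into a queue whose reference has already been dropped. Call watch_queue_deinit(pipe) before put_watch_queue(), so the back-pointer is cleared while the queue is still guaranteed to be alive.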
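Review bot: the watch_queue.h hunks declare watch_queue_deinit() as returning int, but the only caller (the fs/pipe.c hunk) discards the result and the body in the kernel/watch_queue.c hunk only ever returns 0; make it void. The inline stub that returns -ENOPKG in the !CONFIG_WATCH_QUEUE branch is also unreachable as written, since the call site sits inside #ifdef CONFIG_WATCH_QUEUE, so it can go once the function is void.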
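Review bot: watch_queue_deinit() in the kernel/watch_queue.c hunk stores wqueue->pipe = NULL without holding wqueue->lock, so it does not close the race that call stack 3 shows: post_one_notification() (watch_queue.c:86, the spin_lock_irq frame) can already have loaded wqueue->pipe before this store and then take a spinlock on the freed pipe. Clear the pointer under wqueue->lock, and have post_one_notification() re-read and NULL-check wqueue->pipe under that same lock before touching the pipe. Two smaller points: the `if (pipe)` test is redundant because the only caller has just dereferenced pipe, and the `/* Deinitialise a watch queue */` block above the function should be a kernel-doc comment (`/** ... */`) naming its parameter.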


Related news

Red Hat Security Advisory 2023-2148-01

Red Hat Security Advisory 2023-2148-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow, bypass, denial of service, double free, memory leak, null pointer, out of bounds read, privilege escalation, traversal, and use-after-free vulnerabilities.

Red Hat Security Advisory 2023-2458-01

Red Hat Security Advisory 2023-2458-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow, bypass, denial of service, double free, memory leak, null pointer, out of bounds read, privilege escalation, traversal, and use-after-free vulnerabilities.

RHSA-2023:2458: Red Hat Security Advisory: kernel security, bug fix, and enhancement update

An update for kernel is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-26341: A flaw was found in hw. This issue can cause AMD CPUs to transiently execute beyond unconditional direct branches. * CVE-2021-33655: An out-of-bounds write flaw was found in the Linux kernel’s framebuffer-based console driver functionality in the way a user triggers ioctl FBIOPUT_VSCREENINFO with malicious data. This flaw allows a local user to c...

RHSA-2023:2148: Red Hat Security Advisory: kernel-rt security and bug fix update

An update for kernel-rt is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-26341: A flaw was found in hw. This issue can cause AMD CPUs to transiently execute beyond unconditional direct branches. * CVE-2021-33655: An out-of-bounds write flaw was found in the Linux kernel’s framebuffer-based console driver functionality in the way a user triggers ioctl FBIOPUT_VSCREENINFO with malicious data. This flaw allows a local user t...

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

Ubuntu Security Notice USN-5703-1

Ubuntu Security Notice 5703-1 - Selim Enes Karaduman discovered that a race condition existed in the General notification queue implementation of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan and Ariel Sabba discovered that some Intel processors with Enhanced Indirect Branch Restricted Speculation did not properly handle RET instructions after a VM exits. A local attacker could potentially use this to expose sensitive information.

Ubuntu Security Notice USN-5683-1

Ubuntu Security Notice 5683-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Selim Enes Karaduman discovered that a race condition existed in the General notification queue implementation of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5667-1

Ubuntu Security Notice 5667-1 - Selim Enes Karaduman discovered that a race condition existed in the General notification queue implementation of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan and Ariel Sabba discovered that some Intel processors with Enhanced Indirect Branch Restricted Speculation did not properly handle RET instructions after a VM exits. A local attacker could potentially use this to expose sensitive information.
