CVE-2023-3567: "vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF" has been added to the 6.1-stable tree — Linux Stable Commits

A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This flaw allows an attacker with local user access to cause a system crash or leak internal kernel information.


This is a note to let you know that I’ve just added the patch titled

vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF

to the 6.1-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is: vc_screen-move-load-of-struct-vc_data-pointer-in-vcs.patch and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree, please let stable@xxxxxxxxxxxxxxx know about it.

commit 322ff296a88276d7895a7a0ecb60553cf4914e16
Author: George Kennedy <george.kennedy@xxxxxxxxxx>
Date:   Tue Jan 24 11:16:54 2023 -0500

vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF

[ Upstream commit 226fae124b2dac217ea5436060d623ff3385bc34 ]

After a call to console_unlock() in vcs_read() the vc_data struct can be
freed by vc_deallocate(). Because of that, the struct vc_data pointer
load must be done at the top of the while loop in vcs_read() to avoid a UAF
when vcs_size() is called.

Syzkaller reported a UAF in vcs_size().

BUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537

CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1
Hardware name: Red Hat KVM, BIOS 1.15.0-2.module
Call Trace:
  <TASK>
__asan_report_load4_noabort (mm/kasan/report_generic.c:350)
vcs_size (drivers/tty/vt/vc_screen.c:215)
vcs_read (drivers/tty/vt/vc_screen.c:415)
vfs_read (fs/read_write.c:468 fs/read_write.c:450)
...
  </TASK>

Allocated by task 1191:
...
kmalloc_trace (mm/slab_common.c:1069)
vc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720
     drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108)
con_install (drivers/tty/vt/vt.c:3383)
tty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413
     drivers/tty/tty_io.c:1390)
tty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126)
chrdev_open (fs/char_dev.c:415)
do_dentry_open (fs/open.c:883)
vfs_open (fs/open.c:1014)
...

Freed by task 1548:
...
kfree (mm/slab_common.c:1021)
vc_port_destruct (drivers/tty/vt/vt.c:1094)
tty_port_destructor (drivers/tty/tty_port.c:296)
tty_port_put (drivers/tty/tty_port.c:312)
vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
tty_ioctl (drivers/tty/tty_io.c:2776)
...

The buggy address belongs to the object at ffff888113747800
  which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 424 bytes inside of
  1024-byte region [ffff888113747800, ffff888113747c00)

The buggy address belongs to the physical page:
page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000
     index:0x0 pfn:0x113740
head:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0
     compound_pincount:0
anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                   ^
  ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint

Fixes: ac751efa6a0d ("console: rename acquire/release_console_sem() to console_lock/unlock()")
Reported-by: syzkaller <syzkaller@xxxxxxxxxxxxxxxx>
Suggested-by: Jiri Slaby <jirislaby@xxxxxxxxxx>
Signed-off-by: George Kennedy <george.kennedy@xxxxxxxxxx>
Link: https://lore.kernel.org/r/1674577014-12374-1-git-send-email-george.kennedy@xxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c index 1850bacdb5b0…f566eb1839dc 100644 — a/drivers/tty/vt/vc_screen.c +++ b/drivers/tty/vt/vc_screen.c @@ -386,10 +386,6 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)

uni\_mode = use\_unicode(inode);
attr = use\_attributes(inode);
  • ret = -ENXIO;

  • vc = vcs_vc(inode, &viewed);

  • if (!vc)

  •   goto unlock\_out;
    

    ret = -EINVAL; if (pos < 0) @@ -407,6 +403,11 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) unsigned int this_round, skip = 0; int size;

  •   ret = -ENXIO;
    
  •   vc = vcs\_vc(inode, &viewed);
    
  •   if (!vc)
    
  •       goto unlock\_out;
    
  •   /\* Check whether we are above size each round,
       \* as copy\_to\_user at the end of this loop
       \* could sleep.
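Review bot: with the `vc = vcs_vc(inode, &viewed)` lookup and its `ret = -ENXIO` / `goto unlock_out` check deleted from before the loop (first hunk, -386,10 +386,6), nothing in that hunk initialises `vc` or `viewed` until the first loop iteration, so confirm that the code between the deleted lines and the loop (the `ret = -EINVAL; if (pos < 0)` validation shown as trailing context, and whatever follows it) no longer touches either variable; otherwise an uninitialised pointer is read. It is also a small behaviour change worth one sentence in the commit message: a read that never enters the loop (zero-length count) no longer reports `-ENXIO` for a console that does not exist.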
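Review bot: the `goto unlock_out` now placed at the top of the loop (second hunk, -407,6 +403,11) is reachable after earlier rounds have already copied data to userspace, and the hunk does not show what `unlock_out` does with a partial read; check whether a console deallocated between rounds should return the bytes already transferred as a short read rather than discard them with `-ENXIO`, and state the chosen behaviour in the commit message. The comment that follows the new lines ("Check whether we are above size each round, as copy_to_user at the end of this loop could sleep") still explains only the size check; a line saying that console_unlock() later in the loop lets vc_deallocate() free the struct, which is why the pointer is re-loaded here, would make the reason visible to the next reader.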

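As an added illustration, not part of the commit or of the kernel source: a user-space C model of the pattern the patch fixes. It assumes constructed stand-ins (vc_allocate, vc_deallocate, vcs_vc, no-op console_lock/console_unlock and the test knob vcs_free_while_unlocked) and shows the reader re-resolving the console pointer on every round, so a console deallocated while the lock is dropped surfaces as -ENXIO instead of a dangling dereference.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define NCONS 4
#define CON_SIZE 16
struct vc_data { char buf[CON_SIZE]; };      /* constructed stand-in, not the kernel struct */
static struct vc_data *vc_cons[NCONS];       /* NULL slot: console deallocated */
static void console_lock(void)   {}          /* single-threaded model of console_lock() */
static void console_unlock(void) {}
static struct vc_data *vcs_vc(int idx) { return (unsigned)idx < NCONS ? vc_cons[idx] : NULL; }
int vc_allocate(int idx, const char *text)
{
    if (!(vc_cons[idx] = calloc(1, sizeof **vc_cons))) return -ENOMEM;
    strncpy(vc_cons[idx]->buf, text, CON_SIZE - 1);
    return 0;
}
void vc_deallocate(int idx) { free(vc_cons[idx]); vc_cons[idx] = NULL; }

/* Constructed knob: console index to free while the lock is dropped (-1 = none),
 * reproducing the interleaving with vt_disallocate_all() from the report. */
int vcs_free_while_unlocked = -1;
/* Reader in the fixed shape: vc is re-resolved at the top of every round
 * because the lock is dropped for the copy-out step.  Before the patch the
 * pointer was loaded once before the loop and reused after console_unlock(). */
long vcs_read_model(int idx, char *out, size_t count, size_t chunk)
{
    size_t read = 0; long ret; char tmp[CON_SIZE];
    if (!chunk) return -EINVAL;                  /* a round must make progress */
    if (count > CON_SIZE) count = CON_SIZE;      /* crude stand-in for the vcs_size() bound */
    console_lock();
    while (count) {
        struct vc_data *vc = vcs_vc(idx);            /* the patch moves this load here */
        if (!vc) { ret = -ENXIO; goto unlock_out; }  /* freed while we were unlocked */
        size_t this_round = count < chunk ? count : chunk;
        memcpy(tmp, vc->buf + read, this_round);     /* snapshot while locked */
        console_unlock();                            /* copy_to_user() could sleep */
        if (vcs_free_while_unlocked >= 0) {          /* another task deallocates now */
            vc_deallocate(vcs_free_while_unlocked);
            vcs_free_while_unlocked = -1;
        }
        memcpy(out + read, tmp, this_round);         /* stands in for copy_to_user() */
        console_lock();
        read += this_round; count -= this_round;
    }
    ret = (long)read;
unlock_out:
    console_unlock();
    return ret;
}
```

A zero-length read never enters the loop, so it returns 0 even for a missing console; that is the same corner the patch's relocation of the check creates in the real function.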