Bugzilla – Bug 1206258
VUL-0: CVE-2022-4382: kernel: use-after-free write in put_dev
Last modified: 2024-06-25 17:15:51 UTC
From linux-distros: Hi, I found a vulnerability and reported it to the linux kernel security team. The content is below. If the vulnerability would be fixed, I want to apply for a CVE ID. Thanks. # Original Report I found a vulnerability when fuzzing linux kernel by syzkaller. The KASAN reports that use-after-free Write in put_dev. Then I tried to reproduce and got the C source file. I compiled it and executed the binary program, but the kernel crashed as expected. This vulnerability could be used to LPE as UAF, I thought. ## Linux version: 6.1.0 (master commit a4412fdd49dc011bcc2c0d81ac4cab7457092650) ## KASAN report ================================================================== BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline] BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline] BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline] BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline] BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline] BUG: KASAN: use-after-free in put_dev+0x22/0xd0 drivers/usb/gadget/legacy/inode.c:159 Write of size 4 at addr ffff8880436d2040 by task syz-executor.5/7587 CPU: 1 PID: 7587 Comm: syz-executor.5 Not tainted 6.1.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x45d mm/kasan/report.c:395 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:102 [inline] atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline] __refcount_sub_and_test include/linux/refcount.h:272 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] put_dev+0x22/0xd0 drivers/usb/gadget/legacy/inode.c:159 gadgetfs_kill_sb+0x2e/0x60 drivers/usb/gadget/legacy/inode.c:2086 deactivate_locked_super+0x98/0x160 fs/super.c:332 vfs_get_super fs/super.c:1190 [inline] get_tree_single+0x188/0x1d0 fs/super.c:1207 vfs_get_tree+0x8d/0x2f0 fs/super.c:1531 vfs_fsconfig_locked fs/fsopen.c:232 [inline] __do_sys_fsconfig+0x8d6/0xc20 fs/fsopen.c:439 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f8d5129078d Code: c3 e8 17 32 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8d52024bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000001af RAX: ffffffffffffffda RBX: 00007f8d513cbf80 RCX: 00007f8d5129078d RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003 RBP: 00007f8d512feb02 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd48293eff R14: 00007ffd48294090 R15: 00007f8d52024d80 </TASK> Allocated by task 7561: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] ____kasan_kmalloc mm/kasan/common.c:330 [inline] __kasan_kmalloc+0xa5/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:553 [inline] kzalloc include/linux/slab.h:689 [inline] dev_new drivers/usb/gadget/legacy/inode.c:170 [inline] gadgetfs_fill_super+0x1e4/0x460 drivers/usb/gadget/legacy/inode.c:2041 vfs_get_super fs/super.c:1169 [inline] get_tree_single+0xd6/0x1d0 fs/super.c:1207 vfs_get_tree+0x8d/0x2f0 fs/super.c:1531 vfs_fsconfig_locked fs/fsopen.c:232 [inline] __do_sys_fsconfig+0x8d6/0xc20 fs/fsopen.c:439 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Last potentially related work creation: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481 call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798 pwq_unbound_release_workfn+0x26b/0x340 kernel/workqueue.c:3736 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 Second to last potentially related work creation: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481 call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798 pwq_unbound_release_workfn+0x26b/0x340 kernel/workqueue.c:3736 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 The buggy address belongs to the object at ffff8880436d2000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 64 bytes inside of 1024-byte region [ffff8880436d2000, ffff8880436d2400) The buggy address belongs to the physical page: page:ffffea00010db400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x436d0 head:ffffea00010db400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff) raw: 04fff00000010200 dead000000000100 dead000000000122 ffff888012041dc0 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 6599, tgid 6599 (syz-executor.0), ts 29294571719, free_ts 29285126043 prep_new_page mm/page_alloc.c:2539 [inline] get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4291 __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5558 alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285 alloc_slab_page mm/slub.c:1794 [inline] allocate_slab+0x213/0x300 mm/slub.c:1939 new_slab mm/slub.c:1992 [inline] ___slab_alloc+0xa9b/0x13e0 mm/slub.c:3180 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279 slab_alloc_node mm/slub.c:3364 [inline] __kmem_cache_alloc_node+0x199/0x3e0 mm/slub.c:3437 kmalloc_trace+0x26/0x60 mm/slab_common.c:1045 kmalloc include/linux/slab.h:553 [inline] kzalloc include/linux/slab.h:689 [inline] batadv_hardif_add_interface net/batman-adv/hard-interface.c:864 [inline] batadv_hard_if_event+0x8a1/0x1450 net/batman-adv/hard-interface.c:952 notifier_call_chain+0xb5/0x200 kernel/notifier.c:87 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] call_netdevice_notifiers net/core/dev.c:1997 [inline] register_netdevice+0x10bf/0x1670 net/core/dev.c:10090 veth_newlink+0x4d1/0x990 drivers/net/veth.c:1795 rtnl_newlink_create net/core/rtnetlink.c:3364 [inline] __rtnl_newlink+0x1084/0x17e0 net/core/rtnetlink.c:3581 rtnl_newlink+0x68/0xa0 net/core/rtnetlink.c:3594 rtnetlink_rcv_msg+0x43e/0xca0 net/core/rtnetlink.c:6091 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1459 [inline] free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509 free_unref_page_prepare mm/page_alloc.c:3387 [inline] free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483 qlink_free mm/kasan/quarantine.c:168 [inline] qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 kasan_quarantine_reduce+0x184/0x210 mm/kasan/quarantine.c:294 __kasan_slab_alloc+0x66/0x90 mm/kasan/common.c:302 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slab.h:737 [inline] slab_alloc_node mm/slub.c:3398 [inline] __kmem_cache_alloc_node+0x2e2/0x3e0 mm/slub.c:3437 kmalloc_trace+0x26/0x60 mm/slab_common.c:1045 kmalloc include/linux/slab.h:553 [inline] kzalloc include/linux/slab.h:689 [inline] kset_create lib/kobject.c:937 [inline] kset_create_and_add+0x4f/0x1a0 lib/kobject.c:980 register_queue_kobjects net/core/net-sysfs.c:1766 [inline] netdev_register_kobject+0x1ca/0x400 net/core/net-sysfs.c:2019 register_netdevice+0xd99/0x1670 net/core/dev.c:10057 __ip_tunnel_create+0x398/0x570 net/ipv4/ip_tunnel.c:267 ip_tunnel_init_net+0x2ec/0x9f0 net/ipv4/ip_tunnel.c:1073 ops_init+0xb9/0x680 net/core/net_namespace.c:135 setup_net+0x5d1/0xc50 net/core/net_namespace.c:332 copy_net_ns+0x31c/0x760 net/core/net_namespace.c:478 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 Memory state around the buggy address: ffff8880436d1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880436d1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff8880436d2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880436d2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880436d2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
This seems to be in VFS. David, feel free to reassign the bug if you find out that it is not in your area.
Upstream discussion: https://lore.kernel.org/linux-usb/CAO3qeMVzXDP-JU6v1u5Ags6Q-bb35kg3=C6d04DjzA9ffa5x1g@mail.gmail.com/T/#u
(In reply to Thomas Leroy from comment #3) > Upstream discussion: > https://lore.kernel.org/linux-usb/CAO3qeMVzXDP-JU6v1u5Ags6Q- > bb35kg3=C6d04DjzA9ffa5x1g@mail.gmail.com/T/#u Thanks, this one has the reproducer which will help proceed here.
Suggested patch: https://lore.kernel.org/linux-usb/Y5dV11OoM3ojxNHy@rowland.harvard.edu/
CONFIG_USB_GADGETFS is only enable for master, stable, and SLE15-SP4 branches, so only these three are affected.
public in oss-sec
As per https://lore.kernel.org/linux-usb/Y8QwfhXZBDJNaqsg@rowland.harvard.edu/ , the fix hasn't made it into Mainline yet, but it's now queued in Greg KH's usb maintainer repository as: commit d18dcfe9860e842f394e37ba01ca9440ab2178f4 Author: Alan Stern <stern@rowland.harvard.edu> Date: Fri Dec 23 09:59:09 2022 -0500 USB: gadgetfs: Fix race between mounting and unmounting I'm queuing this up for SLE15-SP4 .
(In reply to David Disseldorp from comment #10) ... > I'm queuing this up for SLE15-SP4 . The fix has been merged into 15-SP4 (and mainline now, too). (In reply to Thomas Leroy from comment #6) > CONFIG_USB_GADGETFS is only enable for master, stable, and SLE15-SP4 > branches, so only these three are affected. Tumbleweed should get the fix via the regular stable kernel channels, so I'll leve the master / stable branches as-is. Reassigning back to the security team for closure.
SUSE-SU-2023:0394-1: An update that solves 5 vulnerabilities, contains two features and has 41 fixes is now available. Category: security (important) Bug References: 1185861,1185863,1186449,1191256,1192868,1193629,1194869,1195175,1195655,1196058,1199701,1204063,1204356,1204662,1205495,1206006,1206036,1206056,1206057,1206258,1206363,1206459,1206616,1206677,1206784,1207010,1207034,1207134,1207149,1207158,1207184,1207186,1207190,1207237,1207263,1207269,1207497,1207500,1207501,1207506,1207507,1207734,1207769,1207842,1207878,1207933 CVE References: CVE-2020-24588,CVE-2022-4382,CVE-2022-47929,CVE-2023-0179,CVE-2023-0266 JIRA References: SLE-21132,SLE-24682 Sources used: openSUSE Leap 15.4 (src): kernel-azure-5.14.21-150400.14.34.1, kernel-source-azure-5.14.21-150400.14.34.1, kernel-syms-azure-5.14.21-150400.14.34.1 SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src): kernel-azure-5.14.21-150400.14.34.1, kernel-source-azure-5.14.21-150400.14.34.1, kernel-syms-azure-5.14.21-150400.14.34.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0433-1: An update that solves 9 vulnerabilities, contains two features and has 42 fixes is now available. Category: security (important) Bug References: 1065729,1185861,1185863,1186449,1191256,1192868,1193629,1194869,1195175,1195655,1196058,1199701,1204063,1204356,1204662,1205495,1206006,1206036,1206056,1206057,1206258,1206363,1206459,1206616,1206677,1206784,1207010,1207034,1207036,1207050,1207125,1207134,1207149,1207158,1207184,1207186,1207190,1207237,1207263,1207269,1207497,1207500,1207501,1207506,1207507,1207734,1207769,1207795,1207842,1207878,1207933 CVE References: CVE-2020-24588,CVE-2022-4382,CVE-2022-47929,CVE-2023-0122,CVE-2023-0179,CVE-2023-0266,CVE-2023-0590,CVE-2023-23454,CVE-2023-23455 JIRA References: SLE-21132,SLE-24682 Sources used: openSUSE Leap Micro 5.3 (src): kernel-default-5.14.21-150400.24.46.1, kernel-default-base-5.14.21-150400.24.46.1.150400.24.17.3 openSUSE Leap 15.4 (src): dtb-aarch64-5.14.21-150400.24.46.1, kernel-64kb-5.14.21-150400.24.46.1, kernel-debug-5.14.21-150400.24.46.1, kernel-default-5.14.21-150400.24.46.1, kernel-default-base-5.14.21-150400.24.46.1.150400.24.17.3, kernel-docs-5.14.21-150400.24.46.2, kernel-kvmsmall-5.14.21-150400.24.46.1, kernel-obs-build-5.14.21-150400.24.46.1, kernel-obs-qa-5.14.21-150400.24.46.1, kernel-source-5.14.21-150400.24.46.1, kernel-syms-5.14.21-150400.24.46.1, kernel-zfcpdump-5.14.21-150400.24.46.1 SUSE Linux Enterprise Workstation Extension 15-SP4 (src): kernel-default-5.14.21-150400.24.46.1 SUSE Linux Enterprise Module for Live Patching 15-SP4 (src): kernel-default-5.14.21-150400.24.46.1, kernel-livepatch-SLE15-SP4_Update_8-1-150400.9.3.3 SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src): kernel-default-5.14.21-150400.24.46.1 SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): kernel-docs-5.14.21-150400.24.46.2, kernel-obs-build-5.14.21-150400.24.46.1, kernel-source-5.14.21-150400.24.46.1, kernel-syms-5.14.21-150400.24.46.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): kernel-64kb-5.14.21-150400.24.46.1, kernel-default-5.14.21-150400.24.46.1, kernel-default-base-5.14.21-150400.24.46.1.150400.24.17.3, kernel-source-5.14.21-150400.24.46.1, kernel-zfcpdump-5.14.21-150400.24.46.1 SUSE Linux Enterprise Micro 5.3 (src): kernel-default-5.14.21-150400.24.46.1, kernel-default-base-5.14.21-150400.24.46.1.150400.24.17.3 SUSE Linux Enterprise High Availability 15-SP4 (src): kernel-default-5.14.21-150400.24.46.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0488-1: An update that solves 11 vulnerabilities, contains two features and has 133 fixes can now be installed. Category: security (important) Bug References: 1166486, 1185861, 1185863, 1186449, 1191256, 1192868, 1193629, 1194869, 1195175, 1195655, 1196058, 1199701, 1203332, 1204063, 1204356, 1204662, 1205495, 1206006, 1206036, 1206056, 1206057, 1206224, 1206258, 1206363, 1206459, 1206616, 1206640, 1206677, 1206784, 1206876, 1206877, 1206878, 1206880, 1206881, 1206882, 1206883, 1206884, 1206885, 1206886, 1206887, 1206888, 1206889, 1206890, 1206893, 1206894, 1207010, 1207034, 1207036, 1207050, 1207125, 1207134, 1207149, 1207158, 1207184, 1207186, 1207188, 1207189, 1207190, 1207237, 1207263, 1207269, 1207328, 1207497, 1207500, 1207501, 1207506, 1207507, 1207588, 1207589, 1207590, 1207591, 1207592, 1207593, 1207594, 1207602, 1207603, 1207605, 1207606, 1207607, 1207608, 1207609, 1207610, 1207611, 1207612, 1207613, 1207614, 1207615, 1207616, 1207617, 1207618, 1207619, 1207620, 1207621, 1207622, 1207623, 1207624, 1207625, 1207626, 1207627, 1207628, 1207629, 1207630, 1207631, 1207632, 1207633, 1207634, 1207635, 1207636, 1207637, 1207638, 1207639, 1207640, 1207641, 1207642, 1207643, 1207644, 1207645, 1207646, 1207647, 1207648, 1207649, 1207650, 1207651, 1207652, 1207653, 1207734, 1207768, 1207769, 1207770, 1207771, 1207773, 1207795, 1207842, 1207875, 1207878, 1207933, 1208030, 1208044, 1208085, 1208149, 1208153, 1208183, 1208428, 1208429 CVE References: CVE-2020-24588, CVE-2022-36280, CVE-2022-4382, CVE-2022-47929, CVE-2023-0045, CVE-2023-0122, CVE-2023-0179, CVE-2023-0266, CVE-2023-0590, CVE-2023-23454, CVE-2023-23455 Jira References: PED-3210, SLE-21132 Sources used: openSUSE Leap 15.4 (src): kernel-source-rt-5.14.21-150400.15.11.1, kernel-syms-rt-5.14.21-150400.15.11.1 SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4-RT_Update_3-1-150400.1.3.1 SUSE Real Time Module 15-SP4 (src): kernel-source-rt-5.14.21-150400.15.11.1, kernel-syms-rt-5.14.21-150400.15.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done