Bug 1207511 (CVE-2023-0468) - VUL-0: CVE-2023-0468: kernel-source,kernel-source-azure,kernel-source-rt: use-after-free in io_uring poll events due to race condition
Summary: VUL-0: CVE-2023-0468: kernel-source,kernel-source-azure,kernel-source-rt: use...
Status: RESOLVED FIXED
Alias: CVE-2023-0468
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/354948/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-25 08:17 UTC by Thomas Leroy
Modified: 2024-06-25 17:22 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Leroy 2023-01-25 08:17:08 UTC
rh#2164024

There is a race condition problem on poll_refs which could result in a NULL pointer dereference.

The crash trace is like:
*********
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 30781 Comm: syz-executor.2 Not tainted 6.0.0-g493ffd6605b2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:io_poll_remove_entry io_uring/poll.c:154 [inline]
RIP: 0010:io_poll_remove_entries+0x171/0x5b4 io_uring/poll.c:190
Code: ...
RSP: 0018:ffff88810dfefba0 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc900030c4000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: 0000000000000008 R08: ffffffff9764d3dd R09: fffffbfff3836781
R10: fffffbfff3836781 R11: 0000000000000000 R12: 1ffff11003422d60
R13: ffff88801a116b04 R14: ffff88801a116ac0 R15: dffffc0000000000
FS:  00007f9c07497700(0000) GS:ffff88811a600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffb5c00ea98 CR3: 0000000105680005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 io_apoll_task_func+0x3f/0xa0 io_uring/poll.c:299
 handle_tw_list io_uring/io_uring.c:1037 [inline]
 tctx_task_work+0x37e/0x4f0 io_uring/io_uring.c:1090
 task_work_run+0x13a/0x1b0 kernel/task_work.c:177
 get_signal+0x2402/0x25a0 kernel/signal.c:2635
 arch_do_signal_or_restart+0x3b/0x660 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
 exit_to_user_mode_prepare+0xc2/0x160 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x58/0x160 kernel/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
**********

Fixing commits:
https://github.com/torvalds/linux/commit/12ad3d2d6c5b0131a6052de91360849e3e154846
https://github.com/torvalds/linux/commit/a26a35e9019fd70bf3cf647dcfdae87abc7bacea

Commit introducing the bug:
https://github.com/torvalds/linux/commit/aa43477b040251f451db0d844073ac00a8ab66ee

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2164024
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0468
Comment 1 Thomas Leroy 2023-01-25 08:20:16 UTC
The 2 fixing commits and the one introducing the bug are only (and already) on the stable and master branches. We should not be affected.
We only need to add the CVE to the changelogs.
Comment 2 Takashi Iwai 2023-01-25 08:39:27 UTC
SLE15-SP5 has a backport of the affecting patch (although not really released yet).
Comment 3 Karasulli 2023-01-25 09:22:13 UTC
Reassigning to a concrete person to ensure progress [1].
 
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security
Comment 4 Karasulli 2023-01-25 10:42:02 UTC
The fact that io_uring poll handling has been moved to a new file poll.c in v6.0-rc1 makes it slightly complicated to port the fix. David, is it possible to take a look? (feel free to pass to next one)
Comment 5 Gabriel Krisman Bertazi 2023-01-25 13:55:51 UTC
From a quick look, it seems that just backporting the 2 patches would be enough to solve it and the backporting is not complicated, even though not trivial due to the renaming as mentioned in comment 4.

That said, there is also commit 2f3893437a4ebf2e892ca172e9e122841319d675 which fortifies against an underflow in the poll path that should be brought in as well.

Is there a reproducer available?
Comment 6 Thomas Leroy 2023-01-25 14:21:52 UTC
(In reply to Gabriel Krisman Bertazi from comment #5)
> From a quick look, it seems that just backporting the 2 patches would be
> enough to solve it and the backporting is not complicated, even though not
> trivial due to the renaming as mentioned in comment 4.
> 
> That said, there is also commit 2f3893437a4ebf2e892ca172e9e122841319d675
> which fortifies against an underflow in the poll path that should be brought
> in as well.
> 
> Is there a reproducer available?

Not that I can see...
Comment 7 David Disseldorp 2023-02-08 11:24:26 UTC
I submitted users/ddiss/SLE15-SP5/for-next providing:

35d7485ebc0 io_uring/poll: fix poll_refs race with cancelation (bsc#1207511 CVE-2023-0468).
eda005a3097 io_uring: make poll refs more robust (bsc#1207511 CVE-2023-0468).
aa2350533d0 io_uring: cmpxchg for poll arm refs release (bsc#1207511 CVE-2023-0468).
416e4f80004 io_uring: fix tw losing poll events (bsc#1207511 CVE-2023-0468).
da162dfbf8e io_uring: update res mask in io_poll_check_events (bsc#1207511 CVE-2023-0468).

Gabriel mentioned that he also prepared backports and staged them at users/gbertazi/SLE15-SP5-GA/1207511.
@Gabriel: at quick glance, your branch appears to lack the da162dfbf8e and 416e4f80004 poll fixes, which I think are also relevant here, so I'll keep users/ddiss/SLE15-SP5/for-next queued for now if you're okay with that.
Comment 8 Gabriel Krisman Bertazi 2023-02-08 12:36:12 UTC
(In reply to David Disseldorp from comment #7)
> I submitted users/ddiss/SLE15-SP5/for-next providing:
> 
> 35d7485ebc0 io_uring/poll: fix poll_refs race with cancelation (bsc#1207511
> CVE-2023-0468).
> eda005a3097 io_uring: make poll refs more robust (bsc#1207511 CVE-2023-0468).
> aa2350533d0 io_uring: cmpxchg for poll arm refs release (bsc#1207511
> CVE-2023-0468).
> 416e4f80004 io_uring: fix tw losing poll events (bsc#1207511 CVE-2023-0468).
> da162dfbf8e io_uring: update res mask in io_poll_check_events (bsc#1207511
> CVE-2023-0468).
> 
> Gabriel mentioned that he also prepared backports and staged them at 
> users/gbertazi/SLE15-SP5-GA/1207511 .
> @Gabriel: at quick glance, your branch appears to lack the da162dfbf8e and
> 416e4f80004 poll fixes, which I think are also relevant here, so I'll keep
> users/ddiss/SLE15-SP5/for-next queued for now if you're okay with that.

David, no worries.  I had da162dfbf8e and 416e4f80004 queued on another branch for git-fixes, since I don't think they are part of the CVE.  I'll drop them there since you added them already.

Thanks for doing it!
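Comments 7 and 8 turn on whether a staging branch carries all five backports listed in comment 7. A backported commit gets a new hash in the branch, so the hash from the upstream tree or from another branch is not a usable key; the commit subject is. The script below is an added example, not code from this bug or from the SUSE kernel tree: it parses `git log --oneline` output, strips the `(bsc#... CVE-...)` suffix that the backports append, and reports which of the five subjects from comment 7 are absent. The sample log lines are constructed to mirror a branch lacking two of the patches, as discussed in comment 8; `missing_fixes_in_branch` assumes a local clone and is not exercised here.

```python
"""Check that a backport branch carries every fix commit expected for a CVE.

Added example for this bug thread; not code from the SUSE kernel tree.
Backports get new hashes, so the check keys on the commit subject.
"""
import re
import subprocess
from typing import Iterable

# Upstream subjects of the five commits listed in comment 7 (without the
# "(bsc#... CVE-...)" suffix the SUSE backports append).
REQUIRED_SUBJECTS = (
    "io_uring/poll: fix poll_refs race with cancelation",
    "io_uring: make poll refs more robust",
    "io_uring: cmpxchg for poll arm refs release",
    "io_uring: fix tw losing poll events",
    "io_uring: update res mask in io_poll_check_events",
)

# Constructed `git log --oneline` output for a hypothetical branch that, like
# the one discussed in comment 8, lacks two of the five patches. Hashes are
# placeholders, not real commits.
SAMPLE_LOG = """\
1a2b3c4d5e6 io_uring: cmpxchg for poll arm refs release (bsc#1207511 CVE-2023-0468).
2b3c4d5e6f7 io_uring: make poll refs more robust (bsc#1207511 CVE-2023-0468).
3c4d5e6f7a8 io_uring/poll: fix poll_refs race with cancelation (bsc#1207511 CVE-2023-0468).
4d5e6f7a8b9 blacklist.conf: add an unrelated entry
"""

# Trailing "(bsc#NNN CVE-YYYY-NNNN)." reference block, optionally without
# the bsc part or with several CVEs.
_SUFFIX = re.compile(r"\s*\((?:bsc#\d+\s*)?(?:CVE-\d{4}-\d+\s*)*\)\.?\s*$")


def normalize_subject(subject: str) -> str:
    """Drop the SUSE reference suffix and surrounding whitespace so upstream
    and backport subjects compare equal."""
    return _SUFFIX.sub("", subject).strip()


def parse_oneline_log(text: str) -> dict[str, str]:
    """Map normalized subject -> short hash for each `git log --oneline` line."""
    found: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sha, _, subject = line.partition(" ")
        found[normalize_subject(subject)] = sha
    return found


def missing_fixes(log_text: str, required: Iterable[str] = REQUIRED_SUBJECTS) -> list[str]:
    """Return the required subjects that do not appear in the log, in the
    order they were listed."""
    present = parse_oneline_log(log_text)
    return [s for s in required if normalize_subject(s) not in present]


def missing_fixes_in_branch(repo: str, rev_range: str) -> list[str]:
    """Same check against a real clone: runs `git log --oneline` over
    rev_range (e.g. "v5.14..users/example/branch") inside repo.
    Assumes git and a local clone; not run offline."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--oneline", "--no-decorate", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return missing_fixes(out)


if __name__ == "__main__":
    for subject in missing_fixes(SAMPLE_LOG):
        print("missing:", subject)
```

Matching on normalized subject rather than hash is what makes the comparison work across the upstream tree, the `for-next` branch and a `git-fixes` branch; a subject reworded during backport would still show up as missing, which is the safer failure mode for a CVE checklist.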
Comment 9 David Disseldorp 2023-02-08 13:11:02 UTC
(In reply to Gabriel Krisman Bertazi from comment #8)
...
> David, no worries.  I had da162dfbf8e and 416e4f80004 queued on another
> branch for git-fixes, since I don't think they are part of the CVE.  I'll
> drop them there since you added them already.

Thanks Gabriel. Following our Slack discussion, I've gone ahead and submitted for GA instead via users/ddiss/SLE15-SP5-GA/for-next (I've removed the non-GA submission).
Comment 10 David Disseldorp 2023-02-08 17:00:01 UTC
Handing back to the security team following SLE15-SP5-GA/for-next submission. Feel free to reassign back if anything else comes up.
Comment 14 Marcus Meissner 2023-04-20 08:26:01 UTC
done