Bugzilla – Bug 1198866
VUL-0: CVE-2022-1836: kernel-source,kernel-source-rt,kernel-source-azure: concurrency use-after-free in floppy
Last modified: 2023-01-18 17:38:38 UTC
Public on OSSS
--------------
Hi,

We recently discovered a concurrency UAF between raw_cmd_ioctl and seek_interrupt in the latest kernel version (5.17.4 for now). The root cause is that after deallocating raw_cmd in raw_cmd_ioctl, seek_interrupt still holds the freed raw_cmd and accesses it in floppy_ready or start_motor concurrently.

PoC (generated by syzkaller) is in the attachment, and here is the KASAN report:

BUG: KASAN: use-after-free in start_motor+0x31b/0x3f0 drivers/block/floppy.c:1908
Read of size 4 at addr ffff888127331c00 by task kworker/u16:9/15911

CPU: 5 PID: 15911 Comm: kworker/u16:9 Not tainted 5.16.2 #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: floppy floppy_work_workfn
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 start_motor+0x31b/0x3f0 drivers/block/floppy.c:1908
 floppy_ready+0x83/0x1850 drivers/block/floppy.c:1935
 seek_interrupt+0x326/0x420 drivers/block/floppy.c:1567
 process_one_work+0x9b2/0x1660 kernel/workqueue.c:2317
 worker_thread+0x65d/0x1130 kernel/workqueue.c:2465
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 22033:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:590 [inline]
 raw_cmd_copyin drivers/block/floppy.c:3100 [inline]
 raw_cmd_ioctl drivers/block/floppy.c:3167 [inline]
 fd_locked_ioctl+0x100e/0x2820 drivers/block/floppy.c:3535
 fd_ioctl+0x35/0x50 drivers/block/floppy.c:3562
 blkdev_ioctl+0x37a/0x800 block/ioctl.c:609
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 22033:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
 slab_free mm/slub.c:3513 [inline]
 kfree+0xf6/0x560 mm/slub.c:4561
 raw_cmd_free+0x8a/0x1c0 drivers/block/floppy.c:3086
 raw_cmd_ioctl drivers/block/floppy.c:3187 [inline]
 fd_locked_ioctl+0x206d/0x2820 drivers/block/floppy.c:3535
 fd_ioctl+0x35/0x50 drivers/block/floppy.c:3562
 blkdev_ioctl+0x37a/0x800 block/ioctl.c:609
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The new patch can be seen at https://github.com/torvalds/linux/commit/233087ca063686964a53c829d547c7571e3f67bf.

Regards,
Yuan Ming from Tsinghua University
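The ordering the report describes, reduced to a userland model. This is an added example, not the reporter's syzkaller PoC and not kernel code; raw_cmd_t, pending_seek, run_vulnerable, run_hardened and the other names are hypothetical stand-ins for the floppy driver paths in the trace (raw_cmd_ioctl freeing the command, seek_interrupt -> floppy_ready -> start_motor reading it from the workqueue). The vulnerable path releases the command while the deferred work item still points at it; the hardened path gives the work item its own reference so release happens only after the last holder drops it. The upstream commit linked above takes a different route (gating the raw-command ioctl behind a build option), so the refcount shown here is a generic mitigation for this class of bug, not the upstream patch.

```c
/*
 * Userland model of the raw_cmd lifetime bug (added example; all names are
 * hypothetical stand-ins, not the kernel's or the reporter's code).
 *
 * Vulnerable ordering, as in the KASAN report:
 *   1. the ioctl path allocates raw_cmd and starts a seek; completion is
 *      deferred to a work item that still points at raw_cmd,
 *   2. the ioctl path frees raw_cmd on its teardown path,
 *   3. the work item runs and start_motor reads raw_cmd->flags from freed memory.
 *
 * Memory is never really returned here so the model can flag the stale read
 * instead of invoking undefined behaviour.
 */
#include <stdbool.h>
#include <stdio.h>

#define FD_RAW_NO_MOTOR 0x10   /* stands in for the kernel flag of that name */

typedef struct raw_cmd {
    unsigned flags;
    int refs;        /* hardened variant only: live holders */
    bool released;   /* instrumentation: object has been "kfree"d */
} raw_cmd_t;

typedef struct {
    int stale_reads; /* worker dereferenced an already-released object */
    int releases;    /* times the object was released (want exactly 1) */
} outcome_t;

/* The one work item the floppy workqueue would run after the seek IRQ. */
static raw_cmd_t *pending_seek;

static void raw_cmd_release(raw_cmd_t *c, outcome_t *o)
{
    c->released = true;
    o->releases++;
}

/* Models start_motor(): the read KASAN flagged at floppy.c:1908. */
static bool start_motor(const raw_cmd_t *c, outcome_t *o)
{
    if (c->released)
        o->stale_reads++;           /* KASAN would report here */
    return !(c->flags & FD_RAW_NO_MOTOR);
}

/* --- vulnerable: ioctl frees unconditionally while work is pending ---- */

static void raw_cmd_ioctl_vuln(raw_cmd_t *c, outcome_t *o)
{
    pending_seek = c;               /* seek started, completion deferred */
    raw_cmd_release(c, o);          /* teardown frees while work still pending */
}

static void seek_interrupt_work_vuln(outcome_t *o)
{
    start_motor(pending_seek, o);   /* floppy_ready -> start_motor on stale ptr */
    pending_seek = NULL;
}

outcome_t run_vulnerable(void)
{
    raw_cmd_t cmd = { .flags = 0 };
    outcome_t o = { 0 };
    raw_cmd_ioctl_vuln(&cmd, &o);
    seek_interrupt_work_vuln(&o);   /* runs after the free: UAF */
    return o;
}

/* --- hardened: reference shared by ioctl path and work item ----------- */

static raw_cmd_t *raw_cmd_get(raw_cmd_t *c) { c->refs++; return c; }

static void raw_cmd_put(raw_cmd_t *c, outcome_t *o)
{
    if (--c->refs == 0)
        raw_cmd_release(c, o);
}

static void raw_cmd_ioctl_hard(raw_cmd_t *c, outcome_t *o)
{
    pending_seek = raw_cmd_get(c);  /* work item owns its own reference */
    raw_cmd_put(c, o);              /* ioctl drops its reference; object stays live */
}

static void seek_interrupt_work_hard(outcome_t *o)
{
    raw_cmd_t *c = pending_seek;
    pending_seek = NULL;
    start_motor(c, o);              /* still live: no stale read */
    raw_cmd_put(c, o);              /* last reference: released exactly once */
}

outcome_t run_hardened(void)
{
    raw_cmd_t cmd = { .flags = 0, .refs = 1 };   /* ioctl path's reference */
    outcome_t o = { 0 };
    raw_cmd_ioctl_hard(&cmd, &o);
    seek_interrupt_work_hard(&o);
    return o;
}

int main(void)
{
    outcome_t v = run_vulnerable(), h = run_hardened();
    printf("vulnerable: stale reads=%d releases=%d\n", v.stale_reads, v.releases);
    printf("hardened:   stale reads=%d releases=%d\n", h.stale_reads, h.releases);
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c`. The point of the model is the ordering, not the memory: in the real driver the interleaving is decided by when the seek interrupt fires relative to the ioctl's teardown, which is why a syzkaller-style loop is needed to hit it, whereas any shared-lifetime scheme (a reference held by the work item, or waiting for the pending work to finish before freeing) removes the window entirely.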
This was assigned CVE-2022-1836 by RH: https://bugzilla.redhat.com/show_bug.cgi?id=2080330
*** Bug 1200692 has been marked as a duplicate of this bug. ***
CVE-2022-1836 was rejected in favor of CVE-2022-33981 bsc#1200692
*** This bug has been marked as a duplicate of bug 1200692 ***
SUSE-SU-2022:2629-1: An update that solves 33 vulnerabilities and has 41 fixes is now available.

Category: security (important)
Bug References: 1024718,1055117,1061840,1065729,1129770,1158266,1177282,1188885,1194013,1194124,1196426,1196570,1196901,1196964,1197170,1197219,1197601,1198438,1198577,1198866,1198899,1199035,1199063,1199237,1199239,1199314,1199399,1199426,1199482,1199487,1199505,1199507,1199526,1199605,1199631,1199650,1199657,1199671,1199839,1200015,1200045,1200143,1200144,1200173,1200249,1200343,1200549,1200571,1200599,1200600,1200604,1200605,1200608,1200619,1200762,1200806,1200807,1200809,1200810,1200813,1200820,1200821,1200822,1200829,1200868,1200869,1200870,1200871,1200872,1200873,1200925,1201050,1201080,1201251
CVE References: CVE-2019-19377,CVE-2020-26541,CVE-2021-26341,CVE-2021-33061,CVE-2021-39711,CVE-2021-4157,CVE-2022-1012,CVE-2022-1184,CVE-2022-1652,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1836,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975,CVE-2022-20132,CVE-2022-20141,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-26365,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742
JIRA References:
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP5 (src): kernel-rt-4.12.14-10.94.1, kernel-rt_debug-4.12.14-10.94.1, kernel-source-rt-4.12.14-10.94.1, kernel-syms-rt-4.12.14-10.94.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.