| Message ID | 1683889728-10411-1-git-send-email-george.kennedy@oracle.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp5021477vqo;
Fri, 12 May 2023 04:22:57 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ4E4TkNAWhSzsQMq2BHkEvtr+sok3BWcvItnyC+iYuQ4qA8Z57Q/oeheI+qQX4Cxy6nAtrT
X-Received: by 2002:a05:6a00:4c18:b0:649:76a8:df27 with SMTP id
ea24-20020a056a004c1800b0064976a8df27mr6459134pfb.14.1683890576895;
Fri, 12 May 2023 04:22:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1683890576; cv=none;
d=google.com; s=arc-20160816;
b=o8dZFMXxRv6Q1v1IMGbkeAoAJSOVsK+mM2ZzdzOK+8MADtwfq8mMPPliZMwsZJJP6W
ojRRwcKloQPzb7eVqM1V1o//noAKJatdavwdhVc8uu3cUH8J/drRMKeM53UrBFAPMzwj
vNBXVWPlkK8XkNeAHzpRkI63pVUnTKjBEGXlKpsmGYVXrIzYe9FS2mY5l/w4U6N1OmCI
llkKj02wXfX7xUiJZ5Wp+fOZuQ5asXkWPEXX8vpcfK56ZDbcdGQAUdENTDGJb4uP+snY
lMARYjOjDdXXee5y+HRhLiQEW4mqfgC8/kuOSNV9pAuXpCu2FTQL7ohYNQyQNkb03QMM
bpmA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:message-id:date:subject:cc:to:from
:dkim-signature;
bh=EhHRMxQUAvJv28sSn27p4IBcuGnpARk978evYXUSIos=;
b=OrYla+gxnkpsX4vyCTzAxdpUCUkTm3uei4dfyKIeOphEGpC/8ZJpIev+hcxAr6fc/J
Q3jc/9KfGRtFQoDCvpYJWpz5toU4cJ1iVBYcYYq52xUjdFYqoQu96JBGH+tx71FuPZXk
PYoOfoREJmYttEqDQHAfsslvltdS3pDQaLnsM4TIg5XAL3BUY5Ht/2Rv+TNExWVts3gK
4AqFeENBdmegMXIy5Lv2vFGprhU50xZ+cYrmD9kG767dNzHxziDAehOx6wftKELzTElQ
zzO49DvHiicO/TjFTgPs5h/pH2A3aTciC4lzfs5hchptrrEmGoCoHFxnxf442l9x7oL+
dIJA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@oracle.com header.s=corp-2023-03-30
header.b=a+AUGvNR;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
w71-20020a627b4a000000b00626007418c3si9968333pfc.289.2023.05.12.04.22.41;
Fri, 12 May 2023 04:22:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@oracle.com header.s=corp-2023-03-30
header.b=a+AUGvNR;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S241022AbjELLLO (ORCPT <rfc822;peekingduck44@gmail.com>
+ 99 others); Fri, 12 May 2023 07:11:14 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36984 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S240954AbjELLLA (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 12 May 2023 07:11:00 -0400
Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com
[205.220.177.32])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D2F51100E6;
Fri, 12 May 2023 04:10:43 -0700 (PDT)
Received: from pps.filterd (m0246632.ppops.net [127.0.0.1])
by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id
34C8hsxL013292;
Fri, 12 May 2023 11:10:18 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com;
h=from : to : cc :
subject : date : message-id; s=corp-2023-03-30;
bh=EhHRMxQUAvJv28sSn27p4IBcuGnpARk978evYXUSIos=;
b=a+AUGvNRS7MFIVl94FwMjgeRp+jEfl2GSL4cZ01Hn2O4yi4Vdb7hwDzNr9sQpMRLZboH
ulyCldwQiAvxpsangNMapaUKncY4cPmM+C3Dr5FNn5TruNv7JF7V+RuKG9WC9zlfR4IC
RR2n0nLvUVGT0XEm6di2whNjCjT1sNhEqCLALysrlBb1Gp+RELx5biEyTNmGXP0jYu9r
muCc1djCEfclgehB3hCoHAvlbuPG0Q+mOOd8mJpR6kTKe+aBuIKjP0fRQetfFU7Xv39u
kmwFLVE57JD3mb7CwdLtdOHPnQIDa+HC23p1EYU8uCqx+aTpczX2qSPD/HOdx4P86+fV zg==
Received: from iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com
(iadpaimrmta03.appoci.oracle.com [130.35.103.27])
by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3qf7779yg5-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=OK);
Fri, 12 May 2023 11:10:17 +0000
Received: from pps.filterd
(iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1])
by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com
(8.17.1.19/8.17.1.19) with ESMTP id 34C95DEX024177;
Fri, 12 May 2023 11:10:17 GMT
Received: from pps.reinject (localhost [127.0.0.1])
by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with
ESMTPS id 3qf7y7yxqy-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=OK);
Fri, 12 May 2023 11:10:17 +0000
Received: from iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com
(iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1])
by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 34CBAGoA009896;
Fri, 12 May 2023 11:10:16 GMT
Received: from gkennedy-linux.us.oracle.com (gkennedy-linux.us.oracle.com
[10.152.170.45])
by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with
ESMTP id 3qf7y7yxq7-1;
Fri, 12 May 2023 11:10:16 +0000
From: George Kennedy <george.kennedy@oracle.com>
To: linux@weissschuh.net, gregkh@linuxfoundation.org,
jirislaby@kernel.org
Cc: george.kennedy@oracle.com, sfr@canb.auug.org.au,
akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
linux-serial@vger.kernel.org, regressions@lists.linux.dev
Subject: [PATCH v3] vc_screen: reload load of struct vc_data pointer in
vcs_write() to avoid UAF
Date: Fri, 12 May 2023 06:08:48 -0500
Message-Id: <1683889728-10411-1-git-send-email-george.kennedy@oracle.com>
X-Mailer: git-send-email 1.8.3.1
X-Proofpoint-Virus-Version: vendor=baseguard
engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22
definitions=2023-05-12_08,2023-05-05_01,2023-02-09_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0
malwarescore=0
mlxlogscore=999 phishscore=0 adultscore=0 bulkscore=0 spamscore=0
mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1
engine=8.12.0-2304280000 definitions=main-2305120093
X-Proofpoint-GUID: hGQ6P4oZXJxFHAeqdHv-K_sdzsV6xsNH
X-Proofpoint-ORIG-GUID: hGQ6P4oZXJxFHAeqdHv-K_sdzsV6xsNH
X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HEXHASH_WORD,
RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1765687245410916201?=
X-GMAIL-MSGID: =?utf-8?q?1765687245410916201?=
|
| Series |
[v3] vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
|
|
Commit Message
George Kennedy
May 12, 2023, 11:08 a.m. UTC
After a call to console_unlock() in vcs_write() the vc_data struct can be
freed by vc_port_destruct(). Because of that, the struct vc_data pointer
must be reloaded in the while loop in vcs_write() after console_lock() to
avoid a UAF when vcs_size() is called.
Syzkaller reported a UAF in vcs_size().
BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119
Call Trace:
<TASK>
__asan_report_load4_noabort (mm/kasan/report_generic.c:380)
vcs_size (drivers/tty/vt/vc_screen.c:215)
vcs_write (drivers/tty/vt/vc_screen.c:664)
vfs_write (fs/read_write.c:582 fs/read_write.c:564)
...
<TASK>
Allocated by task 1213:
kmalloc_trace (mm/slab_common.c:1064)
vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680
drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)
con_install (drivers/tty/vt/vt.c:3334)
tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415
drivers/tty/tty_io.c:1392)
tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)
chrdev_open (fs/char_dev.c:415)
do_dentry_open (fs/open.c:921)
vfs_open (fs/open.c:1052)
...
Freed by task 4116:
kfree (mm/slab_common.c:1016)
vc_port_destruct (drivers/tty/vt/vt.c:1044)
tty_port_destructor (drivers/tty/tty_port.c:296)
tty_port_put (drivers/tty/tty_port.c:312)
vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
tty_ioctl (drivers/tty/tty_io.c:2778)
...
The buggy address belongs to the object at ffff8880beab8800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 424 bytes inside of
freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)
The buggy address belongs to the physical page:
page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0xbeab8
head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0
pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint
Fixes: ac751efa6a0d ("console: rename acquire/release_console_sem() to console_lock/unlock()")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
---
v3: changed to "ret = -ENXIO;"
v2: added "ret = -EINVAL;"
v1: This patch is similar to the recent UAF vcs_read() patches (226fae124b2d & 46d733d0efc7).
vcs_write() should have been checked for the same UAF issue at the same time the fixes went
into vcs_read().
drivers/tty/vt/vc_screen.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
Comments
May 12, 2023 13:10:48 George Kennedy <george.kennedy@oracle.com>: > After a call to console_unlock() in vcs_write() the vc_data struct can be > freed by vc_port_destruct(). Because of that, the struct vc_data pointer > must be reloaded in the while loop in vcs_write() after console_lock() to > avoid a UAF when vcs_size() is called. > > Syzkaller reported a UAF in vcs_size(). > > BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215) > Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119 > > Call Trace: > <TASK> > __asan_report_load4_noabort (mm/kasan/report_generic.c:380) > vcs_size (drivers/tty/vt/vc_screen.c:215) > vcs_write (drivers/tty/vt/vc_screen.c:664) > vfs_write (fs/read_write.c:582 fs/read_write.c:564) > ... > <TASK> > > Allocated by task 1213: > kmalloc_trace (mm/slab_common.c:1064) > vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680 > drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058) > con_install (drivers/tty/vt/vt.c:3334) > tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415 > drivers/tty/tty_io.c:1392) > tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128) > chrdev_open (fs/char_dev.c:415) > do_dentry_open (fs/open.c:921) > vfs_open (fs/open.c:1052) > ... > > Freed by task 4116: > kfree (mm/slab_common.c:1016) > vc_port_destruct (drivers/tty/vt/vt.c:1044) > tty_port_destructor (drivers/tty/tty_port.c:296) > tty_port_put (drivers/tty/tty_port.c:312) > vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2)) > vt_ioctl (drivers/tty/vt/vt_ioctl.c:903) > tty_ioctl (drivers/tty/tty_io.c:2778) > ... > > The buggy address belongs to the object at ffff8880beab8800 > which belongs to the cache kmalloc-1k of size 1024 > The buggy address is located 424 bytes inside of > freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00) > > The buggy address belongs to the physical page: > page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000 > index:0x0 pfn:0xbeab8 > head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0 > pincount:0 > flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) > page_type: 0xffffffff() > raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002 > raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >> ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ^ > ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ================================================================== > Disabling lock debugging due to kernel taint > > Fixes: ac751efa6a0d ("console: rename acquire/release_console_sem() to console_lock/unlock()") > Reported-by: syzkaller <syzkaller@googlegroups.com> > Signed-off-by: George Kennedy <george.kennedy@oracle.com> Reviewed-by: Thomas Weißschuh <linux@weissschuh.net> > --- > v3: changed to "ret = -ENXIO;" > > v2: added "ret = -EINVAL;" > > v1: This patch is similar to the recent UAF vcs_read() patches (226fae124b2d & 46d733d0efc7). > vcs_write() should have been checked for the same UAF issue at the same time the fixes went > into vcs_read(). > > drivers/tty/vt/vc_screen.c | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > > diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c > index 498ba9c0ee93..829c4be66f3b 100644 > --- a/drivers/tty/vt/vc_screen.c > +++ b/drivers/tty/vt/vc_screen.c > @@ -656,10 +656,17 @@ vcs_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) > } > } > > - /* The vcs_size might have changed while we slept to grab > - * the user buffer, so recheck. > + /* The vc might have been freed or vcs_size might have changed > + * while we slept to grab the user buffer, so recheck. > * Return data written up to now on failure. > */ > + vc = vcs_vc(inode, &viewed); > + if (!vc) { > + if (written) > + break; > + ret = -ENXIO; > + goto unlock_out; > + } > size = vcs_size(vc, attr, false); > if (size < 0) { > if (written) > -- > 2.31.1
diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c index 498ba9c0ee93..829c4be66f3b 100644 --- a/drivers/tty/vt/vc_screen.c +++ b/drivers/tty/vt/vc_screen.c @@ -656,10 +656,17 @@ vcs_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) } } - /* The vcs_size might have changed while we slept to grab - * the user buffer, so recheck. + /* The vc might have been freed or vcs_size might have changed + * while we slept to grab the user buffer, so recheck. * Return data written up to now on failure. */ + vc = vcs_vc(inode, &viewed); + if (!vc) { + if (written) + break; + ret = -ENXIO; + goto unlock_out; + } size = vcs_size(vc, attr, false); if (size < 0) { if (written)