UAF bug caused by rose_t0timer_expiry
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
In Progress
|
Low
|
Cengiz Can | ||
Xenial |
In Progress
|
Low
|
Cengiz Can | ||
Bionic |
In Progress
|
Low
|
Cengiz Can | ||
Focal |
In Progress
|
Low
|
Cengiz Can | ||
Jammy |
In Progress
|
Low
|
Cengiz Can | ||
Kinetic |
Won't Fix
|
Low
|
Cengiz Can |
Bug Description
There are UAF bugs in rose_heartbeat_
and rose_idletimer_
could not stop the timer handler that is running and the refcount
of sock is not managed properly.
One of the UAF bugs is shown below:
(thread 1) | (thread 2)
rose_release | (wait a time)
case ROSE_STATE_0 |
rose_
rose_
sock_put(sk) | ...
sock_put(sk) // FREE |
The sock is deallocated by sock_put() in rose_release() and
then used by bh_lock_sock() in rose_heartbeat_
Although rose_destroy_
it could not stop the timer that is running.
The KASAN report triggered by POC is shown below:
BUG: KASAN: use-after-free in _raw_spin_
Write of size 4 at addr ffff88800ae59098 by task swapper/3/0
...
Call Trace:
<IRQ>
dump_stack_
print_
print_
? irq_work_
? _raw_spin_
kasan_
? _raw_spin_
kasan_
_raw_spin_
rose_heartbeat
? rose_start_
call_timer_
? rose_start_
expire_
__run_
run_timer_
__do_softirq+
irq_exit_
sysvec_
</IRQ>
<TASK>
asm_sysvec_
RIP: 0010:default_
RSP: 0018:ffffc90000
RAX: 000000000000bcae RBX: ffff888006660f00 RCX: 000000000000bcae
RDX: 0000000000000001 RSI: ffffffff843a11c0 RDI: ffffffff843a1180
RBP: dffffc0000000000 R08: dffffc0000000000 R09: ffffed100da36d46
R10: dfffe9100da36d47 R11: ffffffff83cf0950 R12: 0000000000000000
R13: 1ffff11000ccc1e0 R14: ffffffff8542af28 R15: dffffc0000000000
...
Allocated by task 146:
__kasan_
sk_prot_
sk_alloc+
rose_create+
__sock_
__sys_
__x64_
do_syscall_
entry_
Freed by task 152:
kasan_
kasan_
____kasan_
kfree+0xd3/0x270
__sk_destruct+
rose_release+
sock_close+
__fput+0x2d9/0x650
task_work_
exit_to_
exit_to_
syscall_
do_syscall_
entry_
Changed in linux (Ubuntu Kinetic): | |
importance: | High → Low |
Changed in linux (Ubuntu Jammy): | |
importance: | High → Low |
Changed in linux (Ubuntu Focal): | |
importance: | High → Low |
Changed in linux (Ubuntu Bionic): | |
importance: | High → Low |
Changed in linux (Ubuntu Xenial): | |
importance: | High → Low |
This fix landed on upstream with 148ca0451807091 0739dfc4eeda765 057856403d