fkie_cve-2022-48913
Vulnerability from fkie_nvd
Published
2024-08-22 02:15
Modified
2024-08-27 16:12
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: blktrace: fix use after free for struct blk_trace When tracing the whole disk, 'dropped' and 'msg' will be created under 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free() won't remove those files. What's worse, the following UAF can be triggered because of accessing stale 'dropped' and 'msg': ================================================================== BUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100 Read of size 4 at addr ffff88816912f3d8 by task blktrace/1188 CPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-4 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_address_description.constprop.0.cold+0xab/0x381 ? blk_dropped_read+0x89/0x100 ? blk_dropped_read+0x89/0x100 kasan_report.cold+0x83/0xdf ? blk_dropped_read+0x89/0x100 kasan_check_range+0x140/0x1b0 blk_dropped_read+0x89/0x100 ? blk_create_buf_file_callback+0x20/0x20 ? kmem_cache_free+0xa1/0x500 ? do_sys_openat2+0x258/0x460 full_proxy_read+0x8f/0xc0 vfs_read+0xc6/0x260 ksys_read+0xb9/0x150 ? vfs_write+0x3d0/0x3d0 ? fpregs_assert_state_consistent+0x55/0x60 ? exit_to_user_mode_prepare+0x39/0x1e0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fbc080d92fd Code: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1 RSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd RDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045 RBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd R10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0 R13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8 </TASK> Allocated by task 1050: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 do_blk_trace_setup+0xcb/0x410 __blk_trace_setup+0xac/0x130 blk_trace_ioctl+0xe9/0x1c0 blkdev_ioctl+0xf1/0x390 __x64_sys_ioctl+0xa5/0xe0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 1050: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0x103/0x180 kfree+0x9a/0x4c0 __blk_trace_remove+0x53/0x70 blk_trace_ioctl+0x199/0x1c0 blkdev_common_ioctl+0x5e9/0xb30 blkdev_ioctl+0x1a5/0x390 __x64_sys_ioctl+0xa5/0xe0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88816912f380 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 88 bytes inside of 96-byte region [ffff88816912f380, ffff88816912f3e0) The buggy address belongs to the page: page:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ==================================================================
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/30939293262eb433c960c4532a0d59c4073b2b84Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6418634238ade86f2b08192928787f39d8afb58cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/78acc7dbd84a8c173a08584750845c31611160f2Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0124F44D-3165-4025-A6AD-1C47145E6B2A",
              "versionEndExcluding": "5.15.27",
              "versionStartIncluding": "5.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B871B667-EDC0-435D-909E-E918D8D90995",
              "versionEndExcluding": "5.16.13",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: fix use after free for struct blk_trace\n\nWhen tracing the whole disk, \u0027dropped\u0027 and \u0027msg\u0027 will be created\nunder \u0027q-\u003edebugfs_dir\u0027 and \u0027bt-\u003edir\u0027 is NULL, thus blk_trace_free()\nwon\u0027t remove those files. What\u0027s worse, the following UAF can be\ntriggered because of accessing stale \u0027dropped\u0027 and \u0027msg\u0027:\n\n==================================================================\nBUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100\nRead of size 4 at addr ffff88816912f3d8 by task blktrace/1188\n\nCPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-4\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x44\n print_address_description.constprop.0.cold+0xab/0x381\n ? blk_dropped_read+0x89/0x100\n ? blk_dropped_read+0x89/0x100\n kasan_report.cold+0x83/0xdf\n ? blk_dropped_read+0x89/0x100\n kasan_check_range+0x140/0x1b0\n blk_dropped_read+0x89/0x100\n ? blk_create_buf_file_callback+0x20/0x20\n ? kmem_cache_free+0xa1/0x500\n ? do_sys_openat2+0x258/0x460\n full_proxy_read+0x8f/0xc0\n vfs_read+0xc6/0x260\n ksys_read+0xb9/0x150\n ? vfs_write+0x3d0/0x3d0\n ? fpregs_assert_state_consistent+0x55/0x60\n ? exit_to_user_mode_prepare+0x39/0x1e0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fbc080d92fd\nCode: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1\nRSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd\nRDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045\nRBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd\nR10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0\nR13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8\n \u003c/TASK\u003e\n\nAllocated by task 1050:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n do_blk_trace_setup+0xcb/0x410\n __blk_trace_setup+0xac/0x130\n blk_trace_ioctl+0xe9/0x1c0\n blkdev_ioctl+0xf1/0x390\n __x64_sys_ioctl+0xa5/0xe0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFreed by task 1050:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_set_free_info+0x20/0x30\n __kasan_slab_free+0x103/0x180\n kfree+0x9a/0x4c0\n __blk_trace_remove+0x53/0x70\n blk_trace_ioctl+0x199/0x1c0\n blkdev_common_ioctl+0x5e9/0xb30\n blkdev_ioctl+0x1a5/0x390\n __x64_sys_ioctl+0xa5/0xe0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe buggy address belongs to the object at ffff88816912f380\n which belongs to the cache kmalloc-96 of size 96\nThe buggy address is located 88 bytes inside of\n 96-byte region [ffff88816912f380, ffff88816912f3e0)\nThe buggy address belongs to the page:\npage:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f\nflags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)\nraw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780\nraw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n\u003effff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n                                                    ^\n ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n=================================================================="
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: blktrace: corrige el use after free para struct blk_trace Al rastrear todo el disco, se crear\u00e1n \u0027dropped\u0027 y \u0027msg\u0027 en \u0027q-\u0026gt;debugfs_dir\u0027 y \u0027bt-\u0026gt;dir \u0027 es NULL, por lo tanto blk_trace_free() no eliminar\u00e1 esos archivos. Lo que es peor, el siguiente UAF se puede activar debido al acceso a \u0027soltado\u0027 y \u0027msg\u0027 obsoletos: ============================== ===================================== ERROR: KASAN: use after free en blk_dropped_read+0x89 /0x100 Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff88816912f3d8 por tarea blktrace/1188 CPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996) , BIOS ?-20190727_073836-4 Seguimiento de llamadas:  dump_stack_lvl+0x34/0x44 print_address_description.constprop.0.cold+0xab/0x381 ? blk_dropped_read+0x89/0x100? blk_dropped_read+0x89/0x100 kasan_report.cold+0x83/0xdf ? blk_dropped_read+0x89/0x100 kasan_check_range+0x140/0x1b0 blk_dropped_read+0x89/0x100 ? blk_create_buf_file_callback+0x20/0x20? kmem_cache_free+0xa1/0x500 ? do_sys_openat2+0x258/0x460 full_proxy_read+0x8f/0xc0 vfs_read+0xc6/0x260 ksys_read+0xb9/0x150 ? vfs_write+0x3d0/0x3d0? fpregs_assert_state_consistent+0x55/0x60? exit_to_user_mode_prepare+0x39/0x1e0 do_syscall_64+0x35/0x80 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fbc080d92fd C\u00f3digo: ce 20 00 00 75 10 b8 00 00 00 00 0f 5 48 3d 01 f0 ff ff 73 31 c3 48 83 1 RSP: 002b :00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd RDX: 0000000000000100 R SI: 00007fbb95ff9cc0 RDI: 0000000000000045 RBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd R10: 000000000153afa0 R11: 000000000293 R12: 00007fbb780008c0 R13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8  Asignado por tarea 1050: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 do_blk_trace_setup+0xcb/0x410 __blk_trace_setup+0xac/0x130 e9/0x1c0 blkdev_ioctl+0xf1/0x390 __x64_sys_ioctl+0xa5/0xe0 do_syscall_64+0x35 /0x80 Entry_SYSCALL_64_after_hwframe+0x44/0xae Liberado por la tarea 1050: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0x103/0x180 kfree+0x9a/0x4c 0 __blk_trace_remove+0x53/0x70 blk_trace_ioctl+0x199/0x1c0 blkdev_common_ioctl+0x5e9 /0xb30 blkdev_ioctl+0x1a5/0x390 __x64_sys_ioctl+0xa5/0xe0 do_syscall_64+0x35/0x80 Entry_SYSCALL_64_after_hwframe+0x44/0xae La direcci\u00f3n con errores pertenece al objeto en ffff88816912f380 que pertenece al cach\u00e9 kmalloc- 96 de tama\u00f1o 96 La direcci\u00f3n del error se encuentra 88 bytes dentro de regi\u00f3n de 96 bytes [ffff88816912f380, ffff88816912f3e0) La direcci\u00f3n con errores pertenece a la p\u00e1gina: p\u00e1gina:000000009a1b4e7c refcount:1 mapcount:0 mapeo:00000000000000000 \u00edndice:0x0f banderas: 0x17ffffc0000200(slab|node= 0|zona=2|\u00faltimopupid=0x1fffff ) sin procesar: 0017ffffc0000200 ffffea00044f1100 muerto000000000002 ffff88810004c780 sin procesar: 0000000000000000 0000000000200020 00000001ffffffff 000000000000 0000 p\u00e1gina volcada porque: kasan: mal acceso detectado Estado de la memoria alrededor de la direcci\u00f3n con errores: ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc \u0026gt;ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc =============================== ======================================="
    }
  ],
  "id": "CVE-2022-48913",
  "lastModified": "2024-08-27T16:12:58.620",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-22T02:15:05.613",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/30939293262eb433c960c4532a0d59c4073b2b84"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6418634238ade86f2b08192928787f39d8afb58c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/78acc7dbd84a8c173a08584750845c31611160f2"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.