ZDI-CAN-22273: New Vulnerability Report

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The attachment could not be scanned for viruses because it is a password protected file.
ZDI-CAN-22273: Linux Kernel USB/IP VHCI Driver Race Condition Privilege Escalation Vulnerability

-- CVSS -----------------------------------------

7.1: AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Linux - Kernel

-- VULNERABILITY DETAILS ------------------------
* Version tested:6.6-rc3
* Installer file:-
* Platform tested:debian bullseye

---

### Analysis

```
race condition bug exists in the usb/ip VHCI driver
it leads to UAF on `struct usb_device`
thread 1                                                thread 2
vhci_device_reset()                             vhci_urb_enqueue()
 usb_put_dev(vdev->udev);
                                                                 usb_put_dev(vdev->udev);               // free
                                                                 vdev->udev = usb_get_dev(urb->dev);    // UAF
 vdev->udev = NULL;
```

here is the patch in order to trigger the bug more easier
```
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index 37d1fc34e..7242244d7 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -11,7 +11,7 @@
 #include <linux/module.h>
 #include <linux/platform_device.h>
 #include <linux/slab.h>
-
+#include <linux/delay.h>
 #include "usbip_common.h"
 #include "vhci.h"

@@ -781,6 +781,7 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
                                usbip_dbg_vhci_hc(
                                        "Not yet?:Get_Descriptor to device 0 (get max pipe size)\n");

+                       mdelay(200);
                        usb_put_dev(vdev->udev);
                        vdev->udev = usb_get_dev(urb->dev);
                        goto out;
@@ -1075,6 +1076,7 @@ static void vhci_device_reset(struct usbip_device *ud)
        vdev->devid  = 0;

        usb_put_dev(vdev->udev);
+       mdelay(200);
        vdev->udev = NULL;

        if (ud->tcp_socket) {
```

KASAN report
```
==================================================================
BUG: KASAN: slab-use-after-free in kobject_get+0x130/0x140 /root/linux/lib/kobject.c:636
Read of size 1 at addr ffff88804960a0e4 by task kworker/1:1/28

CPU: 1 PID: 28 Comm: kworker/1:1 Not tainted 6.6.0-rc3-dirty #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack /root/linux/lib/dump_stack.c:88
 dump_stack_lvl+0xd9/0x1b0 /root/linux/lib/dump_stack.c:106
 print_address_description /root/linux/mm/kasan/report.c:364
 print_report+0xc4/0x620 /root/linux/mm/kasan/report.c:475
 kasan_report+0xda/0x110 /root/linux/mm/kasan/report.c:588
 kobject_get+0x130/0x140 /root/linux/lib/kobject.c:636
 get_device+0x22/0x30 /root/linux/drivers/base/core.c:3720
 usb_get_dev+0x23/0x30 /root/linux/drivers/usb/core/usb.c:765
 vhci_urb_enqueue+0x5d2/0xea0 /root/linux/drivers/usb/usbip/vhci_hcd.c:786
 usb_hcd_submit_urb+0x2c5/0x2100 /root/linux/drivers/usb/core/hcd.c:1535
 usb_submit_urb+0x878/0x1720 /root/linux/drivers/usb/core/urb.c:581
 usb_start_wait_urb+0x103/0x4c0 /root/linux/drivers/usb/core/message.c:59
 usb_internal_control_msg /root/linux/drivers/usb/core/message.c:103
 usb_control_msg+0x327/0x4a0 /root/linux/drivers/usb/core/message.c:154
 get_bMaxPacketSize0.constprop.0+0xa5/0x1c0 /root/linux/drivers/usb/core/hub.c:4725
 hub_port_init+0xb14/0x3840 /root/linux/drivers/usb/core/hub.c:4986
 hub_port_connect /root/linux/drivers/usb/core/hub.c:5369
 hub_port_connect_change /root/linux/drivers/usb/core/hub.c:5580
 port_event /root/linux/drivers/usb/core/hub.c:5740
 hub_event+0x2b64/0x4e00 /root/linux/drivers/usb/core/hub.c:5822
 process_one_work+0x884/0x15c0 /root/linux/kernel/workqueue.c:2630
 process_scheduled_works /root/linux/kernel/workqueue.c:2703
 worker_thread+0x8b9/0x1290 /root/linux/kernel/workqueue.c:2784
 kthread+0x33c/0x440 /root/linux/kernel/kthread.c:388
 ret_from_fork+0x45/0x80 /root/linux/arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 /root/linux/arch/x86/entry/entry_64.S:304
 </TASK>

Allocated by task 28:
 kasan_save_stack+0x33/0x50 /root/linux/mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 /root/linux/mm/kasan/common.c:52
 ____kasan_kmalloc /root/linux/mm/kasan/common.c:374
 __kasan_kmalloc+0xa3/0xb0 /root/linux/mm/kasan/common.c:383
 kmalloc /root/linux/./include/linux/slab.h:599
 kzalloc /root/linux/./include/linux/slab.h:720
 usb_alloc_dev+0x55/0xdb0 /root/linux/drivers/usb/core/usb.c:650
 hub_port_connect /root/linux/drivers/usb/core/hub.c:5343
 hub_port_connect_change /root/linux/drivers/usb/core/hub.c:5580
 port_event /root/linux/drivers/usb/core/hub.c:5740
 hub_event+0x2853/0x4e00 /root/linux/drivers/usb/core/hub.c:5822
 process_one_work+0x884/0x15c0 /root/linux/kernel/workqueue.c:2630
 process_scheduled_works /root/linux/kernel/workqueue.c:2703
 worker_thread+0x8b9/0x1290 /root/linux/kernel/workqueue.c:2784
 kthread+0x33c/0x440 /root/linux/kernel/kthread.c:388
 ret_from_fork+0x45/0x80 /root/linux/arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 /root/linux/arch/x86/entry/entry_64.S:304

Freed by task 28:
 kasan_save_stack+0x33/0x50 /root/linux/mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 /root/linux/mm/kasan/common.c:52
 kasan_save_free_info+0x28/0x40 /root/linux/mm/kasan/generic.c:522
 ____kasan_slab_free /root/linux/mm/kasan/common.c:236
 ____kasan_slab_free+0x138/0x190 /root/linux/mm/kasan/common.c:200
 kasan_slab_free /root/linux/./include/linux/kasan.h:164
 __cache_free /root/linux/mm/slab.c:3370
 __do_kmem_cache_free /root/linux/mm/slab.c:3557
 __kmem_cache_free+0xcc/0x2d0 /root/linux/mm/slab.c:3564
 device_release+0xa1/0x240 /root/linux/drivers/base/core.c:2484
 kobject_cleanup /root/linux/lib/kobject.c:682
 kobject_release /root/linux/lib/kobject.c:716
 kref_put /root/linux/./include/linux/kref.h:65
 kobject_put+0x1d0/0x440 /root/linux/lib/kobject.c:733
 put_device+0x1f/0x30 /root/linux/drivers/base/core.c:3732
 usb_put_dev+0x23/0x30 /root/linux/drivers/usb/core/usb.c:780
 vhci_urb_enqueue+0x5ac/0xea0 /root/linux/drivers/usb/usbip/vhci_hcd.c:785
 usb_hcd_submit_urb+0x2c5/0x2100 /root/linux/drivers/usb/core/hcd.c:1535
 usb_submit_urb+0x878/0x1720 /root/linux/drivers/usb/core/urb.c:581
 usb_start_wait_urb+0x103/0x4c0 /root/linux/drivers/usb/core/message.c:59
 usb_internal_control_msg /root/linux/drivers/usb/core/message.c:103
 usb_control_msg+0x327/0x4a0 /root/linux/drivers/usb/core/message.c:154
 get_bMaxPacketSize0.constprop.0+0xa5/0x1c0 /root/linux/drivers/usb/core/hub.c:4725
 hub_port_init+0xb14/0x3840 /root/linux/drivers/usb/core/hub.c:4986
 hub_port_connect /root/linux/drivers/usb/core/hub.c:5369
 hub_port_connect_change /root/linux/drivers/usb/core/hub.c:5580
 port_event /root/linux/drivers/usb/core/hub.c:5740
 hub_event+0x2b64/0x4e00 /root/linux/drivers/usb/core/hub.c:5822
 process_one_work+0x884/0x15c0 /root/linux/kernel/workqueue.c:2630
 process_scheduled_works /root/linux/kernel/workqueue.c:2703
 worker_thread+0x8b9/0x1290 /root/linux/kernel/workqueue.c:2784
 kthread+0x33c/0x440 /root/linux/kernel/kthread.c:388
 ret_from_fork+0x45/0x80 /root/linux/arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 /root/linux/arch/x86/entry/entry_64.S:304

The buggy address belongs to the object at ffff88804960a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 228 bytes inside of
 freed 2048-byte region [ffff88804960a000, ffff88804960a800)

The buggy address belongs to the physical page:
page:ffffea0001258280 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4960a
flags: 0x4fff00000000800(slab|node=1|zone=1|lastcpupid=0x7ff)
page_type: 0x1()
raw: 04fff00000000800 ffff888012c40800 ffffea000101fb10 ffffea00011b6310
raw: 0000000000000000 ffff88804960a000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 7649, tgid 7644 (in:imklog), ts 604730580605, free_ts 603625435624
 set_page_owner /root/linux/./include/linux/page_owner.h:31
 post_alloc_hook+0x2cf/0x340 /root/linux/mm/page_alloc.c:1536
 prep_new_page /root/linux/mm/page_alloc.c:1543
 get_page_from_freelist+0xee0/0x2f20 /root/linux/mm/page_alloc.c:3170
 __alloc_pages+0x1d0/0x4a0 /root/linux/mm/page_alloc.c:4426
 __alloc_pages_node /root/linux/./include/linux/gfp.h:237
 kmem_getpages /root/linux/mm/slab.c:1356
 cache_grow_begin+0x99/0x3a0 /root/linux/mm/slab.c:2550
 cache_alloc_refill+0x294/0x3a0 /root/linux/mm/slab.c:2923
 ____cache_alloc /root/linux/mm/slab.c:2999
 ____cache_alloc /root/linux/mm/slab.c:2982
 __do_cache_alloc /root/linux/mm/slab.c:3182
 slab_alloc_node /root/linux/mm/slab.c:3230
 __kmem_cache_alloc_node+0x3c5/0x470 /root/linux/mm/slab.c:3521
 kmalloc_trace+0x25/0xe0 /root/linux/mm/slab_common.c:1114
 kmalloc /root/linux/./include/linux/slab.h:599
 syslog_print+0xf9/0x5d0 /root/linux/kernel/printk/printk.c:1553
 do_syslog+0x2d4/0x580 /root/linux/kernel/printk/printk.c:1732
 kmsg_read+0x93/0xc0 /root/linux/fs/proc/kmsg.c:37
 pde_read /root/linux/fs/proc/inode.c:316
 proc_reg_read+0x123/0x330 /root/linux/fs/proc/inode.c:326
 vfs_read+0x1ce/0x930 /root/linux/fs/read_write.c:468
 ksys_read+0x12f/0x250 /root/linux/fs/read_write.c:613
 do_syscall_x64 /root/linux/arch/x86/entry/common.c:50
 do_syscall_64+0x38/0xb0 /root/linux/arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd /root/linux/arch/x86/entry/entry_64.S:120
page last free stack trace:
 reset_page_owner /root/linux/./include/linux/page_owner.h:24
 free_pages_prepare /root/linux/mm/page_alloc.c:1136
 free_unref_page_prepare+0x476/0xa40 /root/linux/mm/page_alloc.c:2312
 free_unref_page+0x33/0x3b0 /root/linux/mm/page_alloc.c:2405
 slab_destroy /root/linux/mm/slab.c:1608
 slabs_destroy+0x85/0xc0 /root/linux/mm/slab.c:1628
 cache_flusharray /root/linux/mm/slab.c:3341
 ___cache_free+0x2b7/0x420 /root/linux/mm/slab.c:3404
 qlink_free /root/linux/mm/kasan/quarantine.c:166
 qlist_free_all+0x4c/0x1b0 /root/linux/mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x18e/0x1d0 /root/linux/mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x65/0x90 /root/linux/mm/kasan/common.c:305
 kasan_slab_alloc /root/linux/./include/linux/kasan.h:188
 slab_post_alloc_hook /root/linux/mm/slab.h:762
 slab_alloc_node /root/linux/mm/slab.c:3237
 __kmem_cache_alloc_node+0x163/0x470 /root/linux/mm/slab.c:3521
 __do_kmalloc_node /root/linux/mm/slab_common.c:1022
 __kmalloc_node+0x52/0x110 /root/linux/mm/slab_common.c:1030
 kmalloc_node /root/linux/./include/linux/slab.h:619
 __vmalloc_area_node /root/linux/mm/vmalloc.c:3125
 __vmalloc_node_range+0x3e9/0x1540 /root/linux/mm/vmalloc.c:3320
 alloc_thread_stack_node /root/linux/kernel/fork.c:309
 dup_task_struct /root/linux/kernel/fork.c:1118
 copy_process+0x13e3/0x73f0 /root/linux/kernel/fork.c:2327
 kernel_clone+0xfd/0x920 /root/linux/kernel/fork.c:2909
 kernel_thread+0xc0/0x100 /root/linux/kernel/fork.c:2971
 create_kthread /root/linux/kernel/kthread.c:411
 kthreadd+0x4fb/0x7d0 /root/linux/kernel/kthread.c:746
 ret_from_fork+0x45/0x80 /root/linux/arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 /root/linux/arch/x86/entry/entry_64.S:304

Memory state around the buggy address:
 ffff888049609f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88804960a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804960a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff88804960a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804960a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
```


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

Supporting files:


If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@xxxxxxxxxxxxxx

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/
TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

For details about what personal information we collect and why, please see our Privacy Notice on our website at: Read privacy policy<http://www.trendmicro.com/privacy>

<<attachment: ZDI-CAN-22273.zip>>


[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux