CVE-2022-48913

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
22/08/2024
Last modified:
27/08/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

blktrace: fix use after free for struct blk_trace

When tracing the whole disk, 'dropped' and 'msg' will be created
under 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free()
won't remove those files. What's worse, the following UAF can be
triggered because of accessing stale 'dropped' and 'msg':

==================================================================
BUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100
Read of size 4 at addr ffff88816912f3d8 by task blktrace/1188

CPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-4
Call Trace:

dump_stack_lvl+0x34/0x44
print_address_description.constprop.0.cold+0xab/0x381
? blk_dropped_read+0x89/0x100
? blk_dropped_read+0x89/0x100
kasan_report.cold+0x83/0xdf
? blk_dropped_read+0x89/0x100
kasan_check_range+0x140/0x1b0
blk_dropped_read+0x89/0x100
? blk_create_buf_file_callback+0x20/0x20
? kmem_cache_free+0xa1/0x500
? do_sys_openat2+0x258/0x460
full_proxy_read+0x8f/0xc0
vfs_read+0xc6/0x260
ksys_read+0xb9/0x150
? vfs_write+0x3d0/0x3d0
? fpregs_assert_state_consistent+0x55/0x60
? exit_to_user_mode_prepare+0x39/0x1e0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fbc080d92fd
Code: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1
RSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd
RDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045
RBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd
R10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0
R13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8


Allocated by task 1050:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
do_blk_trace_setup+0xcb/0x410
__blk_trace_setup+0xac/0x130
blk_trace_ioctl+0xe9/0x1c0
blkdev_ioctl+0xf1/0x390
__x64_sys_ioctl+0xa5/0xe0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 1050:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0x103/0x180
kfree+0x9a/0x4c0
__blk_trace_remove+0x53/0x70
blk_trace_ioctl+0x199/0x1c0
blkdev_common_ioctl+0x5e9/0xb30
blkdev_ioctl+0x1a5/0x390
__x64_sys_ioctl+0xa5/0xe0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88816912f380
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 88 bytes inside of
96-byte region [ffff88816912f380, ffff88816912f3e0)
The buggy address belongs to the page:
page:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f
flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
raw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780
raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                    ^
ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================
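The defect described above is a teardown that only knows how to remove the tracer's own directory, so the two files it created directly under the queue's directory (the whole-disk case, where bt->dir is NULL) outlive the object whose pointer they carry. The following userspace model is an added example, not kernel code and not the actual patch: it mimics the ownership structure (queue directory, optional per-trace directory, files carrying a pointer to the trace object) with a small array-backed "debugfs", shows the buggy teardown leaving registered files whose private pointer is freed, and a corrected teardown that removes the named files from the queue directory before freeing. Names such as dfs_create, dfs_lookup, trace_setup and stale_after_teardown are assumptions of this model; the corrected variant follows the commit message's diagnosis, not the literal kernel change.

```c
/* Userspace model of the CVE-2022-48913 teardown bug (added example, not
 * kernel code). All names below are assumptions of the model. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FILES 8

/* Model of a debugfs file: a name plus the private data its read handler uses. */
struct dfs_file {
    char name[16];
    void *private;          /* points at the owning struct blk_trace */
    int in_use;
};

/* Model of a debugfs directory. */
struct dfs_dir {
    struct dfs_file files[MAX_FILES];
};

/* Model of struct request_queue: owns its own debugfs directory. */
struct queue {
    struct dfs_dir *debugfs_dir;
};

/* Model of struct blk_trace; 'dir' is NULL when tracing the whole disk. */
struct blk_trace {
    struct dfs_dir *dir;
    unsigned int dropped;
};

static struct dfs_file *dfs_create(struct dfs_dir *parent, const char *name, void *priv)
{
    for (int i = 0; i < MAX_FILES; i++) {
        if (!parent->files[i].in_use) {
            snprintf(parent->files[i].name, sizeof parent->files[i].name, "%s", name);
            parent->files[i].private = priv;
            parent->files[i].in_use = 1;
            return &parent->files[i];
        }
    }
    return NULL;
}

static struct dfs_file *dfs_lookup(struct dfs_dir *parent, const char *name)
{
    for (int i = 0; i < MAX_FILES; i++)
        if (parent->files[i].in_use && strcmp(parent->files[i].name, name) == 0)
            return &parent->files[i];
    return NULL;
}

static void dfs_remove(struct dfs_file *f)
{
    if (f) { f->in_use = 0; f->private = NULL; }
}

/* Setup: files go under bt->dir when the tracer has one, otherwise directly
 * under the queue's directory (the whole-disk case from the advisory). */
static struct blk_trace *trace_setup(struct queue *q, struct dfs_dir *own_dir)
{
    struct blk_trace *bt = calloc(1, sizeof *bt);
    if (!bt) return NULL;
    bt->dir = own_dir;
    struct dfs_dir *parent = own_dir ? own_dir : q->debugfs_dir;
    dfs_create(parent, "dropped", bt);
    dfs_create(parent, "msg", bt);
    return bt;
}

/* Buggy teardown: removes only the private directory, so with bt->dir == NULL
 * 'dropped' and 'msg' stay registered and their private pointer dangles. */
static void trace_free_buggy(struct queue *q, struct blk_trace *bt)
{
    (void)q;
    if (bt->dir)
        memset(bt->dir, 0, sizeof *bt->dir);   /* stands in for debugfs_remove(bt->dir) */
    free(bt);
}

/* Corrected teardown: with no private directory, remove the two files by name
 * from the queue's directory before the object is freed. */
static void trace_free_fixed(struct queue *q, struct blk_trace *bt)
{
    if (bt->dir) {
        memset(bt->dir, 0, sizeof *bt->dir);
    } else {
        dfs_remove(dfs_lookup(q->debugfs_dir, "dropped"));
        dfs_remove(dfs_lookup(q->debugfs_dir, "msg"));
    }
    free(bt);
}

/* Whole-disk setup followed by teardown; returns how many files are still
 * registered in the queue directory. Any non-zero result is a stale file whose
 * private pointer refers to freed memory (the KASAN read in the report). */
int stale_after_teardown(int use_fixed)
{
    struct dfs_dir qdir;
    memset(&qdir, 0, sizeof qdir);
    struct queue q = { .debugfs_dir = &qdir };
    struct blk_trace *bt = trace_setup(&q, NULL);   /* constructed: whole-disk trace */
    if (use_fixed) trace_free_fixed(&q, bt); else trace_free_buggy(&q, bt);
    int stale = 0;
    for (int i = 0; i < MAX_FILES; i++)
        stale += qdir.files[i].in_use;
    return stale;
}

int main(void)
{
    printf("buggy teardown leaves %d stale files\n", stale_after_teardown(0));
    printf("fixed teardown leaves %d stale files\n", stale_after_teardown(1));
    return 0;
}
```

The model deliberately never dereferences the stale private pointer; the point it makes is structural: any interface object that keeps a pointer to its owner must be unregistered on every teardown path, including the path where the owner has no private directory of its own. In a real kernel the same condition is what KASAN flagged in blk_dropped_read().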

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12 (including) | 5.15.27 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.16.13 (excluding)