cve/published/2021/CVE-2021-47634.mbox

From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2021-47634: ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl

Hulk Robot reported a KASAN report about use-after-free:
 ==================================================================
 BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160
 Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385
 [...]
 Call Trace:
  klist_dec_and_del+0xa7/0x4a0
  klist_put+0xc7/0x1a0
  device_del+0x4d4/0xed0
  cdev_device_del+0x1a/0x80
  ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]
  ctrl_cdev_ioctl+0x286/0x2f0 [ubi]

 Allocated by task 1414:
  device_add+0x60a/0x18b0
  cdev_device_add+0x103/0x170
  ubi_create_volume+0x1118/0x1a10 [ubi]
  ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]

 Freed by task 1385:
  cdev_device_del+0x1a/0x80
  ubi_remove_volume+0x438/0x6c0 [ubi]
  ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]
 [...]
 ==================================================================

The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held
by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be
concurrent.

ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.
ubi_detach is bug-free because it uses reference counting to prevent
concurrency. However, uif_init and uif_close in ubi_attach may race with
ubi_cdev_ioctl.

uif_init will race with ubi_cdev_ioctl as in the following stack.
           cpu1                   cpu2                  cpu3
_______________________|________________________|______________________
ctrl_cdev_ioctl
 ubi_attach_mtd_dev
  uif_init
                           ubi_cdev_ioctl
                            ubi_create_volume
                             cdev_device_add
   ubi_add_volume
   // sysfs exist
   kill_volumes
                                                    ubi_cdev_ioctl
                                                     ubi_remove_volume
                                                      cdev_device_del
                                                       // first free
    ubi_free_volume
     cdev_del
     // double free
   cdev_device_del

And uif_close will race with ubi_cdev_ioctl as in the following stack.
           cpu1                   cpu2                  cpu3
_______________________|________________________|______________________
ctrl_cdev_ioctl
 ubi_attach_mtd_dev
  uif_init
                           ubi_cdev_ioctl
                            ubi_create_volume
                             cdev_device_add
  ubi_debugfs_init_dev
  //error goto out_uif;
  uif_close
   kill_volumes
                                                    ubi_cdev_ioctl
                                                     ubi_remove_volume
                                                      cdev_device_del
                                                       // first free
    ubi_free_volume
    // double free

The cause of this problem is that commit 714fb87e8bc0 make device
"available" before it becomes accessible via sysfs. Therefore, we
roll back the modification. We will fix the race condition between
ubi device creation and udev by removing ubi_get_device in
vol_attribute_show and dev_attribute_show.This avoids accessing
uninitialized ubi_devices[ubi_num].

ubi_get_device is used to prevent devices from being deleted during
sysfs execution. However, now kernfs ensures that devices will not
be deleted before all reference counting are released.
The key process is shown in the following stack.

device_del
  device_remove_attrs
    device_remove_groups
      sysfs_remove_groups
        sysfs_remove_group
          remove_files
            kernfs_remove_by_name
              kernfs_remove_by_name_ns
                __kernfs_remove
                  kernfs_drain

The Linux kernel CVE team has assigned CVE-2021-47634 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.8 with commit 714fb87e8bc05ff78255afc0dca981e8c5242785 and fixed in 4.14.276 with commit f149b1bd213820363731aa119e5011ca892a2aac
	Issue introduced in 4.8 with commit 714fb87e8bc05ff78255afc0dca981e8c5242785 and fixed in 4.19.238 with commit a8ecee49259f8f78d91ddb329ab2be7e6fd01974
	Issue introduced in 4.8 with commit 714fb87e8bc05ff78255afc0dca981e8c5242785 and fixed in 5.4.189 with commit d727fd32cbd1abf3465f607021bc9c746f17b5a8
	Issue introduced in 4.8 with commit 714fb87e8bc05ff78255afc0dca981e8c5242785 and fixed in 5.10.110 with commit 432b057f8e847ae5a2306515606f8d2defaca178
	Issue introduced in 4.8 with commit 714fb87e8bc05ff78255afc0dca981e8c5242785 and fixed in 5.15.33 with commit 1a3f1cf87054833242fcd0218de0481cf855f888
	Issue introduced in 4.8 with commit 714fb87e8bc05ff78255afc0dca981e8c5242785 and fixed in 5.16.19 with commit c32fe764191b8ae8b128588beb96e3718d9179d8
	Issue introduced in 4.8 with commit 714fb87e8bc05ff78255afc0dca981e8c5242785 and fixed in 5.17.2 with commit 5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b
	Issue introduced in 4.8 with commit 714fb87e8bc05ff78255afc0dca981e8c5242785 and fixed in 5.18 with commit 3cbf0e392f173ba0ce425968c8374a6aa3e90f2e
	Issue introduced in 3.2.84 with commit 016820bde3f0895d09fcad370415085ba0d1bd4a
	Issue introduced in 3.10.103 with commit 12f567db822241090b90c5645ea9146f6cf8fa42
	Issue introduced in 3.12.63 with commit 31b0fca8ab9b9786fe6e5027c4a8587b47db5abf
	Issue introduced in 3.14.77 with commit 6117840dec60344167038f9511c3770d4c096eaa
	Issue introduced in 3.16.39 with commit bd7d3de27e7e1acce2e276074a498a82e0834663
	Issue introduced in 3.18.40 with commit cdf25333b42fb889f086ef65d0734d0dbdc49f4e
	Issue introduced in 4.1.31 with commit ae32d1b98ba29408df87c0ed47877ca0f248eae7
	Issue introduced in 4.4.19 with commit 4056337b1e81a1b137aa562133dc5430cd2fd19e
	Issue introduced in 4.7.2 with commit f3db4c640b32485105554e0bfd16bbde585f6fb0

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47634
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/mtd/ubi/build.c
	drivers/mtd/ubi/vmt.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/f149b1bd213820363731aa119e5011ca892a2aac
	https://git.kernel.org/stable/c/a8ecee49259f8f78d91ddb329ab2be7e6fd01974
	https://git.kernel.org/stable/c/d727fd32cbd1abf3465f607021bc9c746f17b5a8
	https://git.kernel.org/stable/c/432b057f8e847ae5a2306515606f8d2defaca178
	https://git.kernel.org/stable/c/1a3f1cf87054833242fcd0218de0481cf855f888
	https://git.kernel.org/stable/c/c32fe764191b8ae8b128588beb96e3718d9179d8
	https://git.kernel.org/stable/c/5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b
	https://git.kernel.org/stable/c/3cbf0e392f173ba0ce425968c8374a6aa3e90f2e