cve/published/2022/CVE-2022-48857.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48857: NFC: port100: fix use-after-free in port100_send_complete

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 NFC: port100: fix use-after-free in port100_send_complete

 Syzbot reported UAF in port100_send_complete(). The root case is in
 missing usb_kill_urb() calls on error handling path of ->probe function.

 port100_send_complete() accesses devm allocated memory which will be
 freed on probe failure. We should kill this urbs before returning an
 error from probe function to prevent reported use-after-free

 Fail log:

 BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
 Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26
 ...
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
  print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
  __kasan_report mm/kasan/report.c:442 [inline]
  kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
  port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
  __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670

 ...

 Allocated by task 1255:
  kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
  kasan_set_track mm/kasan/common.c:45 [inline]
  set_alloc_info mm/kasan/common.c:436 [inline]
  ____kasan_kmalloc mm/kasan/common.c:515 [inline]
  ____kasan_kmalloc mm/kasan/common.c:474 [inline]
  __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
  alloc_dr drivers/base/devres.c:116 [inline]
  devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823
  devm_kzalloc include/linux/device.h:209 [inline]
  port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502

 Freed by task 1255:
  kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
  kasan_set_track+0x21/0x30 mm/kasan/common.c:45
  kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
  ____kasan_slab_free mm/kasan/common.c:366 [inline]
  ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
  kasan_slab_free include/linux/kasan.h:236 [inline]
  __cache_free mm/slab.c:3437 [inline]
  kfree+0xf8/0x2b0 mm/slab.c:3794
  release_nodes+0x112/0x1a0 drivers/base/devres.c:501
  devres_release_all+0x114/0x190 drivers/base/devres.c:530
  really_probe+0x626/0xcc0 drivers/base/dd.c:670

 The Linux kernel CVE team has assigned CVE-2022-48857 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 4.9.307 with commit 205c4ec78e71cbf561794e6043da80e7bae6790f
 	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 4.14.272 with commit 32e866ae5a7af590597ef4bcff8451bf96d5f980
 	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 4.19.235 with commit b1db33d4e54bc35d8db96ce143ea0ef92e23d58e
 	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 5.4.185 with commit cd2a5c0da0d1ddf11d1f84e9c9b1949f50f6e161
 	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 5.10.106 with commit 2b1c85f56512d49e43bc53741fce2f508cd90029
 	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 5.15.29 with commit 0e721b8f2ee5e11376dd55363f9ccb539d754b8a
 	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 5.16.15 with commit 7194737e1be8fdc89d2a9382bd2f371f7ee2eda8
 	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 5.17 with commit f80cfe2f26581f188429c12bd937eb905ad3ac7b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48857
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/nfc/port100.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/205c4ec78e71cbf561794e6043da80e7bae6790f
 	https://git.kernel.org/stable/c/32e866ae5a7af590597ef4bcff8451bf96d5f980
 	https://git.kernel.org/stable/c/b1db33d4e54bc35d8db96ce143ea0ef92e23d58e
 	https://git.kernel.org/stable/c/cd2a5c0da0d1ddf11d1f84e9c9b1949f50f6e161
 	https://git.kernel.org/stable/c/2b1c85f56512d49e43bc53741fce2f508cd90029
 	https://git.kernel.org/stable/c/0e721b8f2ee5e11376dd55363f9ccb539d754b8a
 	https://git.kernel.org/stable/c/7194737e1be8fdc89d2a9382bd2f371f7ee2eda8
 	https://git.kernel.org/stable/c/f80cfe2f26581f188429c12bd937eb905ad3ac7b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48857: NFC: port100: fix use-after-free in port100_send_complete

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	NFC: port100: fix use-after-free in port100_send_complete

	Syzbot reported UAF in port100_send_complete(). The root case is in
	missing usb_kill_urb() calls on error handling path of ->probe function.

	port100_send_complete() accesses devm allocated memory which will be
	freed on probe failure. We should kill this urbs before returning an
	error from probe function to prevent reported use-after-free

	Fail log:

	BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
	Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26
	...
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
	print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
	__kasan_report mm/kasan/report.c:442 [inline]
	kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
	port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
	__usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670

	...

	Allocated by task 1255:
	kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
	kasan_set_track mm/kasan/common.c:45 [inline]
	set_alloc_info mm/kasan/common.c:436 [inline]
	____kasan_kmalloc mm/kasan/common.c:515 [inline]
	____kasan_kmalloc mm/kasan/common.c:474 [inline]
	__kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
	alloc_dr drivers/base/devres.c:116 [inline]
	devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823
	devm_kzalloc include/linux/device.h:209 [inline]
	port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502

	Freed by task 1255:
	kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
	kasan_set_track+0x21/0x30 mm/kasan/common.c:45
	kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
	____kasan_slab_free mm/kasan/common.c:366 [inline]
	____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
	kasan_slab_free include/linux/kasan.h:236 [inline]
	__cache_free mm/slab.c:3437 [inline]
	kfree+0xf8/0x2b0 mm/slab.c:3794
	release_nodes+0x112/0x1a0 drivers/base/devres.c:501
	devres_release_all+0x114/0x190 drivers/base/devres.c:530
	really_probe+0x626/0xcc0 drivers/base/dd.c:670

	The Linux kernel CVE team has assigned CVE-2022-48857 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 4.9.307 with commit 205c4ec78e71cbf561794e6043da80e7bae6790f
	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 4.14.272 with commit 32e866ae5a7af590597ef4bcff8451bf96d5f980
	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 4.19.235 with commit b1db33d4e54bc35d8db96ce143ea0ef92e23d58e
	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 5.4.185 with commit cd2a5c0da0d1ddf11d1f84e9c9b1949f50f6e161
	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 5.10.106 with commit 2b1c85f56512d49e43bc53741fce2f508cd90029
	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 5.15.29 with commit 0e721b8f2ee5e11376dd55363f9ccb539d754b8a
	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 5.16.15 with commit 7194737e1be8fdc89d2a9382bd2f371f7ee2eda8
	Issue introduced in 3.13 with commit 0347a6ab300a1532c298823408d6e51ccf4e4f45 and fixed in 5.17 with commit f80cfe2f26581f188429c12bd937eb905ad3ac7b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48857
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/nfc/port100.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/205c4ec78e71cbf561794e6043da80e7bae6790f
	https://git.kernel.org/stable/c/32e866ae5a7af590597ef4bcff8451bf96d5f980
	https://git.kernel.org/stable/c/b1db33d4e54bc35d8db96ce143ea0ef92e23d58e
	https://git.kernel.org/stable/c/cd2a5c0da0d1ddf11d1f84e9c9b1949f50f6e161
	https://git.kernel.org/stable/c/2b1c85f56512d49e43bc53741fce2f508cd90029
	https://git.kernel.org/stable/c/0e721b8f2ee5e11376dd55363f9ccb539d754b8a
	https://git.kernel.org/stable/c/7194737e1be8fdc89d2a9382bd2f371f7ee2eda8
	https://git.kernel.org/stable/c/f80cfe2f26581f188429c12bd937eb905ad3ac7b