cve/published/2022/CVE-2022-48983.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48983: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()

 Syzkaller reports a NULL deref bug as follows:

  BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3
  Read of size 4 at addr 0000000000000138 by task file1/1955

  CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0xcd/0x134
   ? io_tctx_exit_cb+0x53/0xd3
   kasan_report+0xbb/0x1f0
   ? io_tctx_exit_cb+0x53/0xd3
   kasan_check_range+0x140/0x190
   io_tctx_exit_cb+0x53/0xd3
   task_work_run+0x164/0x250
   ? task_work_cancel+0x30/0x30
   get_signal+0x1c3/0x2440
   ? lock_downgrade+0x6e0/0x6e0
   ? lock_downgrade+0x6e0/0x6e0
   ? exit_signals+0x8b0/0x8b0
   ? do_raw_read_unlock+0x3b/0x70
   ? do_raw_spin_unlock+0x50/0x230
   arch_do_signal_or_restart+0x82/0x2470
   ? kmem_cache_free+0x260/0x4b0
   ? putname+0xfe/0x140
   ? get_sigframe_size+0x10/0x10
   ? do_execveat_common.isra.0+0x226/0x710
   ? lockdep_hardirqs_on+0x79/0x100
   ? putname+0xfe/0x140
   ? do_execveat_common.isra.0+0x238/0x710
   exit_to_user_mode_prepare+0x15f/0x250
   syscall_exit_to_user_mode+0x19/0x50
   do_syscall_64+0x42/0xb0
   entry_SYSCALL_64_after_hwframe+0x63/0xcd
  RIP: 0023:0x0
  Code: Unable to access opcode bytes at 0xffffffffffffffd6.
  RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b
  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
   </TASK>
  Kernel panic - not syncing: panic_on_warn set ...

 This happens because the adding of task_work from io_ring_exit_work()
 isn't synchronized with canceling all work items from eg exec. The
 execution of the two are ordered in that they are both run by the task
 itself, but if io_tctx_exit_cb() is queued while we're canceling all
 work items off exec AND gets executed when the task exits to userspace
 rather than in the main loop in io_uring_cancel_generic(), then we can
 find current->io_uring == NULL and hit the above crash.

 It's safe to add this NULL check here, because the execution of the two
 paths are done by the task itself.

 [axboe: add code comment and also put an explanation in the commit msg]

 The Linux kernel CVE team has assigned CVE-2022-48983 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit d56d938b4bef3e1421a42023cdcd6e13c1f50831 and fixed in 5.15.83 with commit f895511de9d27fff71dad2c234ad53b4afd2b06c
 	Issue introduced in 5.12 with commit d56d938b4bef3e1421a42023cdcd6e13c1f50831 and fixed in 6.0.13 with commit d91edca1943453aaaba4f380f6f364346222e5cf
 	Issue introduced in 5.12 with commit d56d938b4bef3e1421a42023cdcd6e13c1f50831 and fixed in 6.1 with commit 998b30c3948e4d0b1097e639918c5cff332acac5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48983
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	io_uring/io_uring.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f895511de9d27fff71dad2c234ad53b4afd2b06c
 	https://git.kernel.org/stable/c/d91edca1943453aaaba4f380f6f364346222e5cf
 	https://git.kernel.org/stable/c/998b30c3948e4d0b1097e639918c5cff332acac5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48983: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()

	Syzkaller reports a NULL deref bug as follows:

	BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3
	Read of size 4 at addr 0000000000000138 by task file1/1955

	CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
	Call Trace:
	<TASK>
	dump_stack_lvl+0xcd/0x134
	? io_tctx_exit_cb+0x53/0xd3
	kasan_report+0xbb/0x1f0
	? io_tctx_exit_cb+0x53/0xd3
	kasan_check_range+0x140/0x190
	io_tctx_exit_cb+0x53/0xd3
	task_work_run+0x164/0x250
	? task_work_cancel+0x30/0x30
	get_signal+0x1c3/0x2440
	? lock_downgrade+0x6e0/0x6e0
	? lock_downgrade+0x6e0/0x6e0
	? exit_signals+0x8b0/0x8b0
	? do_raw_read_unlock+0x3b/0x70
	? do_raw_spin_unlock+0x50/0x230
	arch_do_signal_or_restart+0x82/0x2470
	? kmem_cache_free+0x260/0x4b0
	? putname+0xfe/0x140
	? get_sigframe_size+0x10/0x10
	? do_execveat_common.isra.0+0x226/0x710
	? lockdep_hardirqs_on+0x79/0x100
	? putname+0xfe/0x140
	? do_execveat_common.isra.0+0x238/0x710
	exit_to_user_mode_prepare+0x15f/0x250
	syscall_exit_to_user_mode+0x19/0x50
	do_syscall_64+0x42/0xb0
	entry_SYSCALL_64_after_hwframe+0x63/0xcd
	RIP: 0023:0x0
	Code: Unable to access opcode bytes at 0xffffffffffffffd6.
	RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b
	RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
	RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
	RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
	R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
	</TASK>
	Kernel panic - not syncing: panic_on_warn set ...

	This happens because the adding of task_work from io_ring_exit_work()
	isn't synchronized with canceling all work items from eg exec. The
	execution of the two are ordered in that they are both run by the task
	itself, but if io_tctx_exit_cb() is queued while we're canceling all
	work items off exec AND gets executed when the task exits to userspace
	rather than in the main loop in io_uring_cancel_generic(), then we can
	find current->io_uring == NULL and hit the above crash.

	It's safe to add this NULL check here, because the execution of the two
	paths are done by the task itself.

	[axboe: add code comment and also put an explanation in the commit msg]

	The Linux kernel CVE team has assigned CVE-2022-48983 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit d56d938b4bef3e1421a42023cdcd6e13c1f50831 and fixed in 5.15.83 with commit f895511de9d27fff71dad2c234ad53b4afd2b06c
	Issue introduced in 5.12 with commit d56d938b4bef3e1421a42023cdcd6e13c1f50831 and fixed in 6.0.13 with commit d91edca1943453aaaba4f380f6f364346222e5cf
	Issue introduced in 5.12 with commit d56d938b4bef3e1421a42023cdcd6e13c1f50831 and fixed in 6.1 with commit 998b30c3948e4d0b1097e639918c5cff332acac5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48983
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	io_uring/io_uring.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f895511de9d27fff71dad2c234ad53b4afd2b06c
	https://git.kernel.org/stable/c/d91edca1943453aaaba4f380f6f364346222e5cf
	https://git.kernel.org/stable/c/998b30c3948e4d0b1097e639918c5cff332acac5