cve/published/2022/CVE-2022-49465.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49465: blk-throttle: Set BIO_THROTTLED when bio has been throttled

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 blk-throttle: Set BIO_THROTTLED when bio has been throttled

 1.In current process, all bio will set the BIO_THROTTLED flag
 after __blk_throtl_bio().

 2.If bio needs to be throttled, it will start the timer and
 stop submit bio directly. Bio will submit in
 blk_throtl_dispatch_work_fn() when the timer expires.But in
 the current process, if bio is throttled. The BIO_THROTTLED
 will be set to bio after timer start. If the bio has been
 completed, it may cause use-after-free blow.

 BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70
 Read of size 2 at addr ffff88801b8902d4 by task fio/26380

  dump_stack+0x9b/0xce
  print_address_description.constprop.6+0x3e/0x60
  kasan_report.cold.9+0x22/0x3a
  blk_throtl_bio+0x12f0/0x2c70
  submit_bio_checks+0x701/0x1550
  submit_bio_noacct+0x83/0xc80
  submit_bio+0xa7/0x330
  mpage_readahead+0x380/0x500
  read_pages+0x1c1/0xbf0
  page_cache_ra_unbounded+0x471/0x6f0
  do_page_cache_ra+0xda/0x110
  ondemand_readahead+0x442/0xae0
  page_cache_async_ra+0x210/0x300
  generic_file_buffered_read+0x4d9/0x2130
  generic_file_read_iter+0x315/0x490
  blkdev_read_iter+0x113/0x1b0
  aio_read+0x2ad/0x450
  io_submit_one+0xc8e/0x1d60
  __se_sys_io_submit+0x125/0x350
  do_syscall_64+0x2d/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

 Allocated by task 26380:
  kasan_save_stack+0x19/0x40
  __kasan_kmalloc.constprop.2+0xc1/0xd0
  kmem_cache_alloc+0x146/0x440
  mempool_alloc+0x125/0x2f0
  bio_alloc_bioset+0x353/0x590
  mpage_alloc+0x3b/0x240
  do_mpage_readpage+0xddf/0x1ef0
  mpage_readahead+0x264/0x500
  read_pages+0x1c1/0xbf0
  page_cache_ra_unbounded+0x471/0x6f0
  do_page_cache_ra+0xda/0x110
  ondemand_readahead+0x442/0xae0
  page_cache_async_ra+0x210/0x300
  generic_file_buffered_read+0x4d9/0x2130
  generic_file_read_iter+0x315/0x490
  blkdev_read_iter+0x113/0x1b0
  aio_read+0x2ad/0x450
  io_submit_one+0xc8e/0x1d60
  __se_sys_io_submit+0x125/0x350
  do_syscall_64+0x2d/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

 Freed by task 0:
  kasan_save_stack+0x19/0x40
  kasan_set_track+0x1c/0x30
  kasan_set_free_info+0x1b/0x30
  __kasan_slab_free+0x111/0x160
  kmem_cache_free+0x94/0x460
  mempool_free+0xd6/0x320
  bio_free+0xe0/0x130
  bio_put+0xab/0xe0
  bio_endio+0x3a6/0x5d0
  blk_update_request+0x590/0x1370
  scsi_end_request+0x7d/0x400
  scsi_io_completion+0x1aa/0xe50
  scsi_softirq_done+0x11b/0x240
  blk_mq_complete_request+0xd4/0x120
  scsi_mq_done+0xf0/0x200
  virtscsi_vq_done+0xbc/0x150
  vring_interrupt+0x179/0x390
  __handle_irq_event_percpu+0xf7/0x490
  handle_irq_event_percpu+0x7b/0x160
  handle_irq_event+0xcc/0x170
  handle_edge_irq+0x215/0xb20
  common_interrupt+0x60/0x120
  asm_common_interrupt+0x1e/0x40

 Fix this by move BIO_THROTTLED set into the queue_lock.

 The Linux kernel CVE team has assigned CVE-2022-49465 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.11 with commit 2a0f61e6ecd08d260054bde4b096ff207ce5350f and fixed in 5.17.14 with commit 0cfc8a0fb07cde61915e4a77c4794c47de3114a4
 	Issue introduced in 3.11 with commit 2a0f61e6ecd08d260054bde4b096ff207ce5350f and fixed in 5.18.3 with commit 935fa666534d7b7185e8c6b0191cd06281be4290
 	Issue introduced in 3.11 with commit 2a0f61e6ecd08d260054bde4b096ff207ce5350f and fixed in 5.19 with commit 5a011f889b4832aa80c2a872a5aade5c48d2756f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49465
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	block/blk-throttle.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0cfc8a0fb07cde61915e4a77c4794c47de3114a4
 	https://git.kernel.org/stable/c/935fa666534d7b7185e8c6b0191cd06281be4290
 	https://git.kernel.org/stable/c/5a011f889b4832aa80c2a872a5aade5c48d2756f
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49465: blk-throttle: Set BIO_THROTTLED when bio has been throttled

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	blk-throttle: Set BIO_THROTTLED when bio has been throttled

	1.In current process, all bio will set the BIO_THROTTLED flag
	after __blk_throtl_bio().

	2.If bio needs to be throttled, it will start the timer and
	stop submit bio directly. Bio will submit in
	blk_throtl_dispatch_work_fn() when the timer expires.But in
	the current process, if bio is throttled. The BIO_THROTTLED
	will be set to bio after timer start. If the bio has been
	completed, it may cause use-after-free blow.

	BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70
	Read of size 2 at addr ffff88801b8902d4 by task fio/26380

	dump_stack+0x9b/0xce
	print_address_description.constprop.6+0x3e/0x60
	kasan_report.cold.9+0x22/0x3a
	blk_throtl_bio+0x12f0/0x2c70
	submit_bio_checks+0x701/0x1550
	submit_bio_noacct+0x83/0xc80
	submit_bio+0xa7/0x330
	mpage_readahead+0x380/0x500
	read_pages+0x1c1/0xbf0
	page_cache_ra_unbounded+0x471/0x6f0
	do_page_cache_ra+0xda/0x110
	ondemand_readahead+0x442/0xae0
	page_cache_async_ra+0x210/0x300
	generic_file_buffered_read+0x4d9/0x2130
	generic_file_read_iter+0x315/0x490
	blkdev_read_iter+0x113/0x1b0
	aio_read+0x2ad/0x450
	io_submit_one+0xc8e/0x1d60
	__se_sys_io_submit+0x125/0x350
	do_syscall_64+0x2d/0x40
	entry_SYSCALL_64_after_hwframe+0x44/0xa9

	Allocated by task 26380:
	kasan_save_stack+0x19/0x40
	__kasan_kmalloc.constprop.2+0xc1/0xd0
	kmem_cache_alloc+0x146/0x440
	mempool_alloc+0x125/0x2f0
	bio_alloc_bioset+0x353/0x590
	mpage_alloc+0x3b/0x240
	do_mpage_readpage+0xddf/0x1ef0
	mpage_readahead+0x264/0x500
	read_pages+0x1c1/0xbf0
	page_cache_ra_unbounded+0x471/0x6f0
	do_page_cache_ra+0xda/0x110
	ondemand_readahead+0x442/0xae0
	page_cache_async_ra+0x210/0x300
	generic_file_buffered_read+0x4d9/0x2130
	generic_file_read_iter+0x315/0x490
	blkdev_read_iter+0x113/0x1b0
	aio_read+0x2ad/0x450
	io_submit_one+0xc8e/0x1d60
	__se_sys_io_submit+0x125/0x350
	do_syscall_64+0x2d/0x40
	entry_SYSCALL_64_after_hwframe+0x44/0xa9

	Freed by task 0:
	kasan_save_stack+0x19/0x40
	kasan_set_track+0x1c/0x30
	kasan_set_free_info+0x1b/0x30
	__kasan_slab_free+0x111/0x160
	kmem_cache_free+0x94/0x460
	mempool_free+0xd6/0x320
	bio_free+0xe0/0x130
	bio_put+0xab/0xe0
	bio_endio+0x3a6/0x5d0
	blk_update_request+0x590/0x1370
	scsi_end_request+0x7d/0x400
	scsi_io_completion+0x1aa/0xe50
	scsi_softirq_done+0x11b/0x240
	blk_mq_complete_request+0xd4/0x120
	scsi_mq_done+0xf0/0x200
	virtscsi_vq_done+0xbc/0x150
	vring_interrupt+0x179/0x390
	__handle_irq_event_percpu+0xf7/0x490
	handle_irq_event_percpu+0x7b/0x160
	handle_irq_event+0xcc/0x170
	handle_edge_irq+0x215/0xb20
	common_interrupt+0x60/0x120
	asm_common_interrupt+0x1e/0x40

	Fix this by move BIO_THROTTLED set into the queue_lock.

	The Linux kernel CVE team has assigned CVE-2022-49465 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.11 with commit 2a0f61e6ecd08d260054bde4b096ff207ce5350f and fixed in 5.17.14 with commit 0cfc8a0fb07cde61915e4a77c4794c47de3114a4
	Issue introduced in 3.11 with commit 2a0f61e6ecd08d260054bde4b096ff207ce5350f and fixed in 5.18.3 with commit 935fa666534d7b7185e8c6b0191cd06281be4290
	Issue introduced in 3.11 with commit 2a0f61e6ecd08d260054bde4b096ff207ce5350f and fixed in 5.19 with commit 5a011f889b4832aa80c2a872a5aade5c48d2756f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49465
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	block/blk-throttle.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0cfc8a0fb07cde61915e4a77c4794c47de3114a4
	https://git.kernel.org/stable/c/935fa666534d7b7185e8c6b0191cd06281be4290
	https://git.kernel.org/stable/c/5a011f889b4832aa80c2a872a5aade5c48d2756f