cve/published/2022/CVE-2022-49892.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49892: ftrace: Fix use-after-free for dynamic ftrace_ops

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ftrace: Fix use-after-free for dynamic ftrace_ops

 KASAN reported a use-after-free with ftrace ops [1]. It was found from
 vmcore that perf had registered two ops with the same content
 successively, both dynamic. After unregistering the second ops, a
 use-after-free occurred.

 In ftrace_shutdown(), when the second ops is unregistered, the
 FTRACE_UPDATE_CALLS command is not set because there is another enabled
 ops with the same content.  Also, both ops are dynamic and the ftrace
 callback function is ftrace_ops_list_func, so the
 FTRACE_UPDATE_TRACE_FUNC command will not be set. Eventually the value
 of 'command' will be 0 and ftrace_shutdown() will skip the rcu
 synchronization.

 However, ftrace may be activated. When the ops is released, another CPU
 may be accessing the ops.  Add the missing synchronization to fix this
 problem.

 [1]
 BUG: KASAN: use-after-free in __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
 BUG: KASAN: use-after-free in ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
 Read of size 8 at addr ffff56551965bbc8 by task syz-executor.2/14468

 CPU: 1 PID: 14468 Comm: syz-executor.2 Not tainted 5.10.0 #7
 Hardware name: linux,dummy-virt (DT)
 Call trace:
  dump_backtrace+0x0/0x40c arch/arm64/kernel/stacktrace.c:132
  show_stack+0x30/0x40 arch/arm64/kernel/stacktrace.c:196
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1b4/0x248 lib/dump_stack.c:118
  print_address_description.constprop.0+0x28/0x48c mm/kasan/report.c:387
  __kasan_report mm/kasan/report.c:547 [inline]
  kasan_report+0x118/0x210 mm/kasan/report.c:564
  check_memory_region_inline mm/kasan/generic.c:187 [inline]
  __asan_load8+0x98/0xc0 mm/kasan/generic.c:253
  __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
  ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
  ftrace_graph_call+0x0/0x4
  __might_sleep+0x8/0x100 include/linux/perf_event.h:1170
  __might_fault mm/memory.c:5183 [inline]
  __might_fault+0x58/0x70 mm/memory.c:5171
  do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]
  strncpy_from_user+0x1f4/0x4b0 lib/strncpy_from_user.c:139
  getname_flags+0xb0/0x31c fs/namei.c:149
  getname+0x2c/0x40 fs/namei.c:209
  [...]

 Allocated by task 14445:
  kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
  kasan_set_track mm/kasan/common.c:56 [inline]
  __kasan_kmalloc mm/kasan/common.c:479 [inline]
  __kasan_kmalloc.constprop.0+0x110/0x13c mm/kasan/common.c:449
  kasan_kmalloc+0xc/0x14 mm/kasan/common.c:493
  kmem_cache_alloc_trace+0x440/0x924 mm/slub.c:2950
  kmalloc include/linux/slab.h:563 [inline]
  kzalloc include/linux/slab.h:675 [inline]
  perf_event_alloc.part.0+0xb4/0x1350 kernel/events/core.c:11230
  perf_event_alloc kernel/events/core.c:11733 [inline]
  __do_sys_perf_event_open kernel/events/core.c:11831 [inline]
  __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
  __arm64_sys_perf_event_open+0x6c/0x80 kernel/events/core.c:11723
  [...]

 Freed by task 14445:
  kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
  kasan_set_track+0x24/0x34 mm/kasan/common.c:56
  kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:358
  __kasan_slab_free.part.0+0x11c/0x1b0 mm/kasan/common.c:437
  __kasan_slab_free mm/kasan/common.c:445 [inline]
  kasan_slab_free+0x2c/0x40 mm/kasan/common.c:446
  slab_free_hook mm/slub.c:1569 [inline]
  slab_free_freelist_hook mm/slub.c:1608 [inline]
  slab_free mm/slub.c:3179 [inline]
  kfree+0x12c/0xc10 mm/slub.c:4176
  perf_event_alloc.part.0+0xa0c/0x1350 kernel/events/core.c:11434
  perf_event_alloc kernel/events/core.c:11733 [inline]
  __do_sys_perf_event_open kernel/events/core.c:11831 [inline]
  __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
  [...]

 The Linux kernel CVE team has assigned CVE-2022-49892 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.14 with commit edb096e00724f02db5f6ec7900f3bbd465c6c76f and fixed in 5.10.154 with commit ea5f2fd4640ecbb9df969bf8bb27733ae2183169
 	Issue introduced in 4.14 with commit edb096e00724f02db5f6ec7900f3bbd465c6c76f and fixed in 5.15.78 with commit 88561a66777e7a2fe06638c6dcb22a9fae0b6733
 	Issue introduced in 4.14 with commit edb096e00724f02db5f6ec7900f3bbd465c6c76f and fixed in 6.0.8 with commit cc1b9961a0ceb70f6ca4e2f4b8bb71c87c7a495c
 	Issue introduced in 4.14 with commit edb096e00724f02db5f6ec7900f3bbd465c6c76f and fixed in 6.1 with commit 0e792b89e6800cd9cb4757a76a96f7ef3e8b6294
 	Issue introduced in 4.1.45 with commit a60e407b961e818541ff7924afa8e51fbdb21a61
 	Issue introduced in 4.4.89 with commit ed1bf4397d2219d4b9ec2d5517416ba102186650
 	Issue introduced in 4.9.52 with commit 100553e197e2c41eccf9fa04b2be9cd11ae21215
 	Issue introduced in 4.13.4 with commit 30d3c1c9c9dd31b3c3a5aa0f4f40f1e321c6c791

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49892
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/trace/ftrace.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ea5f2fd4640ecbb9df969bf8bb27733ae2183169
 	https://git.kernel.org/stable/c/88561a66777e7a2fe06638c6dcb22a9fae0b6733
 	https://git.kernel.org/stable/c/cc1b9961a0ceb70f6ca4e2f4b8bb71c87c7a495c
 	https://git.kernel.org/stable/c/0e792b89e6800cd9cb4757a76a96f7ef3e8b6294
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49892: ftrace: Fix use-after-free for dynamic ftrace_ops

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ftrace: Fix use-after-free for dynamic ftrace_ops

	KASAN reported a use-after-free with ftrace ops [1]. It was found from
	vmcore that perf had registered two ops with the same content
	successively, both dynamic. After unregistering the second ops, a
	use-after-free occurred.

	In ftrace_shutdown(), when the second ops is unregistered, the
	FTRACE_UPDATE_CALLS command is not set because there is another enabled
	ops with the same content. Also, both ops are dynamic and the ftrace
	callback function is ftrace_ops_list_func, so the
	FTRACE_UPDATE_TRACE_FUNC command will not be set. Eventually the value
	of 'command' will be 0 and ftrace_shutdown() will skip the rcu
	synchronization.

	However, ftrace may be activated. When the ops is released, another CPU
	may be accessing the ops. Add the missing synchronization to fix this
	problem.

	[1]
	BUG: KASAN: use-after-free in __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
	BUG: KASAN: use-after-free in ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
	Read of size 8 at addr ffff56551965bbc8 by task syz-executor.2/14468

	CPU: 1 PID: 14468 Comm: syz-executor.2 Not tainted 5.10.0 #7
	Hardware name: linux,dummy-virt (DT)
	Call trace:
	dump_backtrace+0x0/0x40c arch/arm64/kernel/stacktrace.c:132
	show_stack+0x30/0x40 arch/arm64/kernel/stacktrace.c:196
	__dump_stack lib/dump_stack.c:77 [inline]
	dump_stack+0x1b4/0x248 lib/dump_stack.c:118
	print_address_description.constprop.0+0x28/0x48c mm/kasan/report.c:387
	__kasan_report mm/kasan/report.c:547 [inline]
	kasan_report+0x118/0x210 mm/kasan/report.c:564
	check_memory_region_inline mm/kasan/generic.c:187 [inline]
	__asan_load8+0x98/0xc0 mm/kasan/generic.c:253
	__ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
	ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
	ftrace_graph_call+0x0/0x4
	__might_sleep+0x8/0x100 include/linux/perf_event.h:1170
	__might_fault mm/memory.c:5183 [inline]
	__might_fault+0x58/0x70 mm/memory.c:5171
	do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]
	strncpy_from_user+0x1f4/0x4b0 lib/strncpy_from_user.c:139
	getname_flags+0xb0/0x31c fs/namei.c:149
	getname+0x2c/0x40 fs/namei.c:209
	[...]

	Allocated by task 14445:
	kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
	kasan_set_track mm/kasan/common.c:56 [inline]
	__kasan_kmalloc mm/kasan/common.c:479 [inline]
	__kasan_kmalloc.constprop.0+0x110/0x13c mm/kasan/common.c:449
	kasan_kmalloc+0xc/0x14 mm/kasan/common.c:493
	kmem_cache_alloc_trace+0x440/0x924 mm/slub.c:2950
	kmalloc include/linux/slab.h:563 [inline]
	kzalloc include/linux/slab.h:675 [inline]
	perf_event_alloc.part.0+0xb4/0x1350 kernel/events/core.c:11230
	perf_event_alloc kernel/events/core.c:11733 [inline]
	__do_sys_perf_event_open kernel/events/core.c:11831 [inline]
	__se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
	__arm64_sys_perf_event_open+0x6c/0x80 kernel/events/core.c:11723
	[...]

	Freed by task 14445:
	kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
	kasan_set_track+0x24/0x34 mm/kasan/common.c:56
	kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:358
	__kasan_slab_free.part.0+0x11c/0x1b0 mm/kasan/common.c:437
	__kasan_slab_free mm/kasan/common.c:445 [inline]
	kasan_slab_free+0x2c/0x40 mm/kasan/common.c:446
	slab_free_hook mm/slub.c:1569 [inline]
	slab_free_freelist_hook mm/slub.c:1608 [inline]
	slab_free mm/slub.c:3179 [inline]
	kfree+0x12c/0xc10 mm/slub.c:4176
	perf_event_alloc.part.0+0xa0c/0x1350 kernel/events/core.c:11434
	perf_event_alloc kernel/events/core.c:11733 [inline]
	__do_sys_perf_event_open kernel/events/core.c:11831 [inline]
	__se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
	[...]

	The Linux kernel CVE team has assigned CVE-2022-49892 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.14 with commit edb096e00724f02db5f6ec7900f3bbd465c6c76f and fixed in 5.10.154 with commit ea5f2fd4640ecbb9df969bf8bb27733ae2183169
	Issue introduced in 4.14 with commit edb096e00724f02db5f6ec7900f3bbd465c6c76f and fixed in 5.15.78 with commit 88561a66777e7a2fe06638c6dcb22a9fae0b6733
	Issue introduced in 4.14 with commit edb096e00724f02db5f6ec7900f3bbd465c6c76f and fixed in 6.0.8 with commit cc1b9961a0ceb70f6ca4e2f4b8bb71c87c7a495c
	Issue introduced in 4.14 with commit edb096e00724f02db5f6ec7900f3bbd465c6c76f and fixed in 6.1 with commit 0e792b89e6800cd9cb4757a76a96f7ef3e8b6294
	Issue introduced in 4.1.45 with commit a60e407b961e818541ff7924afa8e51fbdb21a61
	Issue introduced in 4.4.89 with commit ed1bf4397d2219d4b9ec2d5517416ba102186650
	Issue introduced in 4.9.52 with commit 100553e197e2c41eccf9fa04b2be9cd11ae21215
	Issue introduced in 4.13.4 with commit 30d3c1c9c9dd31b3c3a5aa0f4f40f1e321c6c791

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49892
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/trace/ftrace.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ea5f2fd4640ecbb9df969bf8bb27733ae2183169
	https://git.kernel.org/stable/c/88561a66777e7a2fe06638c6dcb22a9fae0b6733
	https://git.kernel.org/stable/c/cc1b9961a0ceb70f6ca4e2f4b8bb71c87c7a495c
	https://git.kernel.org/stable/c/0e792b89e6800cd9cb4757a76a96f7ef3e8b6294