cve/published/2023/CVE-2023-52803.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52803: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 SUNRPC: Fix RPC client cleaned up the freed pipefs dentries

 RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()
 workqueue,which takes care about pipefs superblock locking.
 In some special scenarios, when kernel frees the pipefs sb of the
 current client and immediately alloctes a new pipefs sb,
 rpc_remove_pipedir function would misjudge the existence of pipefs
 sb which is not the one it used to hold. As a result,
 the rpc_remove_pipedir would clean the released freed pipefs dentries.

 To fix this issue, rpc_remove_pipedir should check whether the
 current pipefs sb is consistent with the original pipefs sb.

 This error can be catched by KASAN:
 =========================================================
 [  250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200
 [  250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503
 [  250.500549] Workqueue: events rpc_free_client_work
 [  250.501001] Call Trace:
 [  250.502880]  kasan_report+0xb6/0xf0
 [  250.503209]  ? dget_parent+0x195/0x200
 [  250.503561]  dget_parent+0x195/0x200
 [  250.503897]  ? __pfx_rpc_clntdir_depopulate+0x10/0x10
 [  250.504384]  rpc_rmdir_depopulate+0x1b/0x90
 [  250.504781]  rpc_remove_client_dir+0xf5/0x150
 [  250.505195]  rpc_free_client_work+0xe4/0x230
 [  250.505598]  process_one_work+0x8ee/0x13b0
 ...
 [   22.039056] Allocated by task 244:
 [   22.039390]  kasan_save_stack+0x22/0x50
 [   22.039758]  kasan_set_track+0x25/0x30
 [   22.040109]  __kasan_slab_alloc+0x59/0x70
 [   22.040487]  kmem_cache_alloc_lru+0xf0/0x240
 [   22.040889]  __d_alloc+0x31/0x8e0
 [   22.041207]  d_alloc+0x44/0x1f0
 [   22.041514]  __rpc_lookup_create_exclusive+0x11c/0x140
 [   22.041987]  rpc_mkdir_populate.constprop.0+0x5f/0x110
 [   22.042459]  rpc_create_client_dir+0x34/0x150
 [   22.042874]  rpc_setup_pipedir_sb+0x102/0x1c0
 [   22.043284]  rpc_client_register+0x136/0x4e0
 [   22.043689]  rpc_new_client+0x911/0x1020
 [   22.044057]  rpc_create_xprt+0xcb/0x370
 [   22.044417]  rpc_create+0x36b/0x6c0
 ...
 [   22.049524] Freed by task 0:
 [   22.049803]  kasan_save_stack+0x22/0x50
 [   22.050165]  kasan_set_track+0x25/0x30
 [   22.050520]  kasan_save_free_info+0x2b/0x50
 [   22.050921]  __kasan_slab_free+0x10e/0x1a0
 [   22.051306]  kmem_cache_free+0xa5/0x390
 [   22.051667]  rcu_core+0x62c/0x1930
 [   22.051995]  __do_softirq+0x165/0x52a
 [   22.052347]
 [   22.052503] Last potentially related work creation:
 [   22.052952]  kasan_save_stack+0x22/0x50
 [   22.053313]  __kasan_record_aux_stack+0x8e/0xa0
 [   22.053739]  __call_rcu_common.constprop.0+0x6b/0x8b0
 [   22.054209]  dentry_free+0xb2/0x140
 [   22.054540]  __dentry_kill+0x3be/0x540
 [   22.054900]  shrink_dentry_list+0x199/0x510
 [   22.055293]  shrink_dcache_parent+0x190/0x240
 [   22.055703]  do_one_tree+0x11/0x40
 [   22.056028]  shrink_dcache_for_umount+0x61/0x140
 [   22.056461]  generic_shutdown_super+0x70/0x590
 [   22.056879]  kill_anon_super+0x3a/0x60
 [   22.057234]  rpc_kill_sb+0x121/0x200

 The Linux kernel CVE team has assigned CVE-2023-52803 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 4.19.318 with commit 17866066b8ac1cc38fb449670bc15dc9fee4b40a
 	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 5.4.280 with commit 7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5
 	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 5.10.202 with commit dedf2a0eb9448ae73b270743e6ea9b108189df46
 	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 5.15.140 with commit 194454afa6aa9d6ed74f0c57127bc8beb27c20df
 	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 6.1.64 with commit 7749fd2dbef72a52b5c9ffdbf877691950ed4680
 	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 6.5.13 with commit 1cdb52ffd6600a37bd355d8dce58ecd03e55e618
 	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 6.6.3 with commit cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a
 	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 6.7 with commit bfca5fb4e97c46503ddfc582335917b0cc228264

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52803
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/linux/sunrpc/clnt.h
 	net/sunrpc/clnt.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a
 	https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5
 	https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46
 	https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df
 	https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680
 	https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618
 	https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a
 	https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52803: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	SUNRPC: Fix RPC client cleaned up the freed pipefs dentries

	RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()
	workqueue,which takes care about pipefs superblock locking.
	In some special scenarios, when kernel frees the pipefs sb of the
	current client and immediately alloctes a new pipefs sb,
	rpc_remove_pipedir function would misjudge the existence of pipefs
	sb which is not the one it used to hold. As a result,
	the rpc_remove_pipedir would clean the released freed pipefs dentries.

	To fix this issue, rpc_remove_pipedir should check whether the
	current pipefs sb is consistent with the original pipefs sb.

	This error can be catched by KASAN:
	=========================================================
	[ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200
	[ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503
	[ 250.500549] Workqueue: events rpc_free_client_work
	[ 250.501001] Call Trace:
	[ 250.502880] kasan_report+0xb6/0xf0
	[ 250.503209] ? dget_parent+0x195/0x200
	[ 250.503561] dget_parent+0x195/0x200
	[ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10
	[ 250.504384] rpc_rmdir_depopulate+0x1b/0x90
	[ 250.504781] rpc_remove_client_dir+0xf5/0x150
	[ 250.505195] rpc_free_client_work+0xe4/0x230
	[ 250.505598] process_one_work+0x8ee/0x13b0
	...
	[ 22.039056] Allocated by task 244:
	[ 22.039390] kasan_save_stack+0x22/0x50
	[ 22.039758] kasan_set_track+0x25/0x30
	[ 22.040109] __kasan_slab_alloc+0x59/0x70
	[ 22.040487] kmem_cache_alloc_lru+0xf0/0x240
	[ 22.040889] __d_alloc+0x31/0x8e0
	[ 22.041207] d_alloc+0x44/0x1f0
	[ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140
	[ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110
	[ 22.042459] rpc_create_client_dir+0x34/0x150
	[ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0
	[ 22.043284] rpc_client_register+0x136/0x4e0
	[ 22.043689] rpc_new_client+0x911/0x1020
	[ 22.044057] rpc_create_xprt+0xcb/0x370
	[ 22.044417] rpc_create+0x36b/0x6c0
	...
	[ 22.049524] Freed by task 0:
	[ 22.049803] kasan_save_stack+0x22/0x50
	[ 22.050165] kasan_set_track+0x25/0x30
	[ 22.050520] kasan_save_free_info+0x2b/0x50
	[ 22.050921] __kasan_slab_free+0x10e/0x1a0
	[ 22.051306] kmem_cache_free+0xa5/0x390
	[ 22.051667] rcu_core+0x62c/0x1930
	[ 22.051995] __do_softirq+0x165/0x52a
	[ 22.052347]
	[ 22.052503] Last potentially related work creation:
	[ 22.052952] kasan_save_stack+0x22/0x50
	[ 22.053313] __kasan_record_aux_stack+0x8e/0xa0
	[ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0
	[ 22.054209] dentry_free+0xb2/0x140
	[ 22.054540] __dentry_kill+0x3be/0x540
	[ 22.054900] shrink_dentry_list+0x199/0x510
	[ 22.055293] shrink_dcache_parent+0x190/0x240
	[ 22.055703] do_one_tree+0x11/0x40
	[ 22.056028] shrink_dcache_for_umount+0x61/0x140
	[ 22.056461] generic_shutdown_super+0x70/0x590
	[ 22.056879] kill_anon_super+0x3a/0x60
	[ 22.057234] rpc_kill_sb+0x121/0x200

	The Linux kernel CVE team has assigned CVE-2023-52803 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 4.19.318 with commit 17866066b8ac1cc38fb449670bc15dc9fee4b40a
	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 5.4.280 with commit 7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5
	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 5.10.202 with commit dedf2a0eb9448ae73b270743e6ea9b108189df46
	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 5.15.140 with commit 194454afa6aa9d6ed74f0c57127bc8beb27c20df
	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 6.1.64 with commit 7749fd2dbef72a52b5c9ffdbf877691950ed4680
	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 6.5.13 with commit 1cdb52ffd6600a37bd355d8dce58ecd03e55e618
	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 6.6.3 with commit cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a
	Issue introduced in 3.4 with commit 0157d021d23a087eecfa830502f81cfe843f0d16 and fixed in 6.7 with commit bfca5fb4e97c46503ddfc582335917b0cc228264

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52803
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/linux/sunrpc/clnt.h
	net/sunrpc/clnt.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a
	https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5
	https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46
	https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df
	https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680
	https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618
	https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a
	https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264