cve/published/2023/CVE-2023-52854.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52854: padata: Fix refcnt handling in padata_free_shell()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 padata: Fix refcnt handling in padata_free_shell()

 In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead
 to system UAF (Use-After-Free) issues. Due to the lengthy analysis of
 the pcrypt_aead01 function call, I'll describe the problem scenario
 using a simplified model:

 Suppose there's a user of padata named `user_function` that adheres to
 the padata requirement of calling `padata_free_shell` after `serial()`
 has been invoked, as demonstrated in the following code:

 ```c
 struct request {
     struct padata_priv padata;
     struct completion *done;
 };

 void parallel(struct padata_priv *padata) {
     do_something();
 }

 void serial(struct padata_priv *padata) {
     struct request *request = container_of(padata,
     				struct request,
 				padata);
     complete(request->done);
 }

 void user_function() {
     DECLARE_COMPLETION(done)
     padata->parallel = parallel;
     padata->serial = serial;
     padata_do_parallel();
     wait_for_completion(&done);
     padata_free_shell();
 }
 ```

 In the corresponding padata.c file, there's the following code:

 ```c
 static void padata_serial_worker(struct work_struct *serial_work) {
     ...
     cnt = 0;

     while (!list_empty(&local_list)) {
         ...
         padata->serial(padata);
         cnt++;
     }

     local_bh_enable();

     if (refcount_sub_and_test(cnt, &pd->refcnt))
         padata_free_pd(pd);
 }
 ```

 Because of the high system load and the accumulation of unexecuted
 softirq at this moment, `local_bh_enable()` in padata takes longer
 to execute than usual. Subsequently, when accessing `pd->refcnt`,
 `pd` has already been released by `padata_free_shell()`, resulting
 in a UAF issue with `pd->refcnt`.

 The fix is straightforward: add `refcount_dec_and_test` before calling
 `padata_free_pd` in `padata_free_shell`.

 The Linux kernel CVE team has assigned CVE-2023-52854 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.6 with commit 07928d9bfc81640bab36f5190e8725894d93b659 and fixed in 5.10.201 with commit 41aad9d6953984d134fc50f631f24ef476875d4d
 	Issue introduced in 5.6 with commit 07928d9bfc81640bab36f5190e8725894d93b659 and fixed in 5.15.139 with commit 0dd34a7ad395dbcf6ae60e48e9786050e25b9bc5
 	Issue introduced in 5.6 with commit 07928d9bfc81640bab36f5190e8725894d93b659 and fixed in 6.1.63 with commit c7c26d0ef5d20f00dbb2ae3befcabbe0efa77275
 	Issue introduced in 5.6 with commit 07928d9bfc81640bab36f5190e8725894d93b659 and fixed in 6.5.12 with commit 1e901bcb8af19416b65f5063a4af7996e5a51d7f
 	Issue introduced in 5.6 with commit 07928d9bfc81640bab36f5190e8725894d93b659 and fixed in 6.6.2 with commit 1734a79e951914f1db2c65e635012a35db1c674b
 	Issue introduced in 5.6 with commit 07928d9bfc81640bab36f5190e8725894d93b659 and fixed in 6.7 with commit 7ddc21e317b360c3444de3023bcc83b85fabae2f
 	Issue introduced in 3.16.84 with commit 13721e447acc2b82c19cf72e9e6c4291c77693ed
 	Issue introduced in 4.4.215 with commit 7a2ccb65f90168edc2348495bb56093c466ffa39
 	Issue introduced in 4.9.215 with commit 928cf3d733c4efc221e1a78b14cb2ee066627260
 	Issue introduced in 4.14.172 with commit c9da8ee1491719001a444f4af688b75e72b58418
 	Issue introduced in 4.19.103 with commit dc34710a7aba5207e7cb99d11588c04535b3c53d
 	Issue introduced in 5.4.19 with commit 5fefc9b3e3584a1ce98da27c38e1b8dda1939d74
 	Issue introduced in 5.5.3 with commit 26daf8e6515c2dcd25d235468420b9f46e0acdac

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52854
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/padata.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/41aad9d6953984d134fc50f631f24ef476875d4d
 	https://git.kernel.org/stable/c/0dd34a7ad395dbcf6ae60e48e9786050e25b9bc5
 	https://git.kernel.org/stable/c/c7c26d0ef5d20f00dbb2ae3befcabbe0efa77275
 	https://git.kernel.org/stable/c/1e901bcb8af19416b65f5063a4af7996e5a51d7f
 	https://git.kernel.org/stable/c/1734a79e951914f1db2c65e635012a35db1c674b
 	https://git.kernel.org/stable/c/7ddc21e317b360c3444de3023bcc83b85fabae2f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52854: padata: Fix refcnt handling in padata_free_shell()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	padata: Fix refcnt handling in padata_free_shell()

	In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead
	to system UAF (Use-After-Free) issues. Due to the lengthy analysis of
	the pcrypt_aead01 function call, I'll describe the problem scenario
	using a simplified model:

	Suppose there's a user of padata named `user_function` that adheres to
	the padata requirement of calling `padata_free_shell` after `serial()`
	has been invoked, as demonstrated in the following code:

	```c
	struct request {
	struct padata_priv padata;
	struct completion *done;
	};

	void parallel(struct padata_priv *padata) {
	do_something();
	}

	void serial(struct padata_priv *padata) {
	struct request *request = container_of(padata,
	struct request,
	padata);
	complete(request->done);
	}

	void user_function() {
	DECLARE_COMPLETION(done)
	padata->parallel = parallel;
	padata->serial = serial;
	padata_do_parallel();
	wait_for_completion(&done);
	padata_free_shell();
	}
	```

	In the corresponding padata.c file, there's the following code:

	```c
	static void padata_serial_worker(struct work_struct *serial_work) {
	...
	cnt = 0;

	while (!list_empty(&local_list)) {
	...
	padata->serial(padata);
	cnt++;
	}

	local_bh_enable();

	if (refcount_sub_and_test(cnt, &pd->refcnt))
	padata_free_pd(pd);
	}
	```

	Because of the high system load and the accumulation of unexecuted
	softirq at this moment, `local_bh_enable()` in padata takes longer
	to execute than usual. Subsequently, when accessing `pd->refcnt`,
	`pd` has already been released by `padata_free_shell()`, resulting
	in a UAF issue with `pd->refcnt`.

	The fix is straightforward: add `refcount_dec_and_test` before calling
	`padata_free_pd` in `padata_free_shell`.

	The Linux kernel CVE team has assigned CVE-2023-52854 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.6 with commit 07928d9bfc81640bab36f5190e8725894d93b659 and fixed in 5.10.201 with commit 41aad9d6953984d134fc50f631f24ef476875d4d
	Issue introduced in 5.6 with commit 07928d9bfc81640bab36f5190e8725894d93b659 and fixed in 5.15.139 with commit 0dd34a7ad395dbcf6ae60e48e9786050e25b9bc5
	Issue introduced in 5.6 with commit 07928d9bfc81640bab36f5190e8725894d93b659 and fixed in 6.1.63 with commit c7c26d0ef5d20f00dbb2ae3befcabbe0efa77275
	Issue introduced in 5.6 with commit 07928d9bfc81640bab36f5190e8725894d93b659 and fixed in 6.5.12 with commit 1e901bcb8af19416b65f5063a4af7996e5a51d7f
	Issue introduced in 5.6 with commit 07928d9bfc81640bab36f5190e8725894d93b659 and fixed in 6.6.2 with commit 1734a79e951914f1db2c65e635012a35db1c674b
	Issue introduced in 5.6 with commit 07928d9bfc81640bab36f5190e8725894d93b659 and fixed in 6.7 with commit 7ddc21e317b360c3444de3023bcc83b85fabae2f
	Issue introduced in 3.16.84 with commit 13721e447acc2b82c19cf72e9e6c4291c77693ed
	Issue introduced in 4.4.215 with commit 7a2ccb65f90168edc2348495bb56093c466ffa39
	Issue introduced in 4.9.215 with commit 928cf3d733c4efc221e1a78b14cb2ee066627260
	Issue introduced in 4.14.172 with commit c9da8ee1491719001a444f4af688b75e72b58418
	Issue introduced in 4.19.103 with commit dc34710a7aba5207e7cb99d11588c04535b3c53d
	Issue introduced in 5.4.19 with commit 5fefc9b3e3584a1ce98da27c38e1b8dda1939d74
	Issue introduced in 5.5.3 with commit 26daf8e6515c2dcd25d235468420b9f46e0acdac

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52854
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/padata.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/41aad9d6953984d134fc50f631f24ef476875d4d
	https://git.kernel.org/stable/c/0dd34a7ad395dbcf6ae60e48e9786050e25b9bc5
	https://git.kernel.org/stable/c/c7c26d0ef5d20f00dbb2ae3befcabbe0efa77275
	https://git.kernel.org/stable/c/1e901bcb8af19416b65f5063a4af7996e5a51d7f
	https://git.kernel.org/stable/c/1734a79e951914f1db2c65e635012a35db1c674b
	https://git.kernel.org/stable/c/7ddc21e317b360c3444de3023bcc83b85fabae2f