CVE-2022-48726 in Linuxinfo

Summary

by MITRE • 06/20/2024

In the Linux kernel, the following vulnerability has been resolved:

RDMA/ucma: Protect mc during concurrent multicast leaves

Partially revert the commit mentioned in the Fixes line to make sure that allocation and erasing multicast struct are locked.

BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529 CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline]
ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614 ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732 vfs_write+0x28e/0xae0 fs/read_write.c:588 ksys_write+0x1ee/0x250 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae

Currently the xarray search can touch a concurrently freeing mc as the xa_for_each() is not surrounded by any lock. Rather than hold the lock for a full scan hold it only for the effected items, which is usually an empty list.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 09/18/2024

The vulnerability CVE-2022-48726 affects the Linux kernel's Infiniband user channel management architecture specifically within the ucma driver. This issue represents a classic race condition scenario where concurrent operations on multicast groups can lead to use-after-free conditions. The problem manifests in the RDMA/ucma subsystem where multiple threads attempt to access multicast structures simultaneously during cleanup operations. The kernel's memory safety checker KASAN detected this vulnerability through a use-after-free error occurring in the ucma_cleanup_multicast function at line 491 of drivers/infiniband/core/ucma.c. The stack trace reveals that the issue occurs during cleanup operations when a multicast structure is being freed while another thread attempts to access it through the xa_for_each() iteration mechanism.

The technical flaw stems from inadequate locking mechanisms during concurrent multicast group operations. The original implementation allowed xarray searches to access multicast structures without proper synchronization, creating a window where a multicast group could be freed while other threads were still referencing it. This represents a direct violation of memory safety principles and demonstrates a failure to properly protect shared data structures during concurrent access patterns. The vulnerability specifically affects the ucma_destroy_private_ctx function which calls ucma_cleanup_multicast, and subsequently leads to ucma_destroy_id operations that trigger the use-after-free condition. The issue is classified under CWE-362, which describes a race condition where two or more threads access shared data concurrently, with at least one thread performing a write operation. The improper locking approach creates a scenario where the xarray iteration process can access memory that has already been deallocated.

The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable privilege escalation and system instability within RDMA environments. When exploited, this vulnerability can cause kernel crashes, leading to denial of service conditions in high-performance computing clusters that rely on Infiniband networking. The vulnerability affects systems running Linux kernel versions where the problematic code was introduced, particularly impacting cloud environments and data center infrastructures that utilize RDMA for high-speed data transfer. Attackers could potentially leverage this condition to execute arbitrary code within kernel space or cause system panics that disrupt critical network operations. The vulnerability is particularly concerning in environments where multiple processes concurrently manage Infiniband connections and multicast groups, as the race condition probability increases with concurrent access patterns.

The mitigation strategy involves implementing proper locking mechanisms around the multicast structure access operations, specifically protecting the xa_for_each() iteration with appropriate locks. The fix requires partially reverting a previous commit to ensure that allocation and erasure operations of multicast structures are properly synchronized. This approach aligns with ATT&CK technique T1068, which involves exploiting local system privileges to gain elevated access through kernel vulnerabilities. The recommended solution involves holding locks only for the specific items being operated on rather than for the entire scan operation, which reduces performance overhead while maintaining memory safety. System administrators should update to kernel versions containing the fix, which typically includes proper locking around the multicast group management functions. Additionally, monitoring for KASAN reports and implementing proper kernel hardening measures can help detect and prevent exploitation of similar race conditions in other kernel subsystems. The fix demonstrates the importance of proper synchronization primitives in concurrent programming and highlights the need for thorough testing of multi-threaded kernel code, particularly in high-performance networking subsystems.

Disclosure

06/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00238

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!