CVE-2022-48913 in Linuxinfo

Summary

by MITRE • 08/22/2024

In the Linux kernel, the following vulnerability has been resolved:

blktrace: fix use after free for struct blk_trace

When tracing the whole disk, 'dropped' and 'msg' will be created under 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free() won't remove those files. What's worse, the following UAF can be triggered because of accessing stale 'dropped' and 'msg':

================================================================== BUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100 Read of size 4 at addr ffff88816912f3d8 by task blktrace/1188

CPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-4 Call Trace: dump_stack_lvl+0x34/0x44 print_address_description.constprop.0.cold+0xab/0x381 ? blk_dropped_read+0x89/0x100 ? blk_dropped_read+0x89/0x100 kasan_report.cold+0x83/0xdf ? blk_dropped_read+0x89/0x100 kasan_check_range+0x140/0x1b0 blk_dropped_read+0x89/0x100 ? blk_create_buf_file_callback+0x20/0x20 ? kmem_cache_free+0xa1/0x500 ? do_sys_openat2+0x258/0x460 full_proxy_read+0x8f/0xc0 vfs_read+0xc6/0x260 ksys_read+0xb9/0x150 ? vfs_write+0x3d0/0x3d0 ? fpregs_assert_state_consistent+0x55/0x60 ? exit_to_user_mode_prepare+0x39/0x1e0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fbc080d92fd Code: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1 RSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd RDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045 RBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd R10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0 R13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8

Allocated by task 1050: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 do_blk_trace_setup+0xcb/0x410 __blk_trace_setup+0xac/0x130 blk_trace_ioctl+0xe9/0x1c0 blkdev_ioctl+0xf1/0x390 __x64_sys_ioctl+0xa5/0xe0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 1050: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0x103/0x180 kfree+0x9a/0x4c0 __blk_trace_remove+0x53/0x70 blk_trace_ioctl+0x199/0x1c0 blkdev_common_ioctl+0x5e9/0xb30 blkdev_ioctl+0x1a5/0x390 __x64_sys_ioctl+0xa5/0xe0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88816912f380 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 88 bytes inside of 96-byte region [ffff88816912f380, ffff88816912f3e0)
The buggy address belongs to the page: page:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ==================================================================

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 08/28/2024

The vulnerability described in CVE-2022-48913 represents a use-after-free condition within the Linux kernel's block tracing subsystem, specifically affecting the blktrace functionality. This issue occurs when tracing entire disk operations, where certain debugfs files named 'dropped' and 'msg' are created under the queue's debugfs directory but not properly cleaned up during trace removal. The root cause stems from a logic flaw in the blk_trace_free() function which fails to remove these files when bt->dir is NULL, creating a stale reference that can later be accessed, leading to memory corruption.

The technical flaw manifests as a classic use-after-free scenario where memory that has been freed is still being accessed by subsequent operations. The kernel's KASAN (Kernel Address Sanitizer) detection confirms this by tracing the access to address ffff88816912f3d8 in the blk_dropped_read function, which occurs after the memory region has already been freed. The allocation and deallocation traces show that the memory was allocated during blk_trace_setup and freed during __blk_trace_remove, but the cleanup process does not properly handle the debugfs file removal, leaving dangling references. This condition falls under CWE-416, Use After Free, and specifically relates to improper resource management in kernel space.

The operational impact of this vulnerability is significant as it can lead to system instability, potential privilege escalation, or denial of service conditions. When an attacker can trigger the use-after-free condition through legitimate kernel interfaces, they may be able to corrupt kernel memory, potentially allowing for arbitrary code execution with kernel privileges. The vulnerability affects systems running Linux kernel versions where the blktrace subsystem is active and tracing capabilities are utilized, particularly in environments where disk I/O tracing is enabled. Attackers could exploit this by invoking blktrace ioctl commands in a specific sequence that forces the kernel into the vulnerable code path, creating a stale file reference that eventually gets accessed.

Mitigation strategies should focus on ensuring proper resource cleanup and memory management within the kernel's block tracing subsystem. The fix implemented in the patched kernel version resolves the issue by ensuring that debugfs files created during tracing are properly removed even when bt->dir is NULL. System administrators should apply the relevant kernel updates immediately and avoid using the blktrace functionality in production environments until patched. Additionally, monitoring for unusual blktrace activity and implementing proper kernel hardening measures such as KASAN and other memory debugging tools can help detect similar issues. The vulnerability demonstrates the importance of proper resource lifecycle management in kernel space, where memory deallocation must be coupled with proper cleanup of associated file system references to prevent dangling pointer access patterns. This aligns with ATT&CK technique T1068, Exploitation for Privilege Escalation, as the vulnerability could potentially be leveraged to gain elevated privileges through kernel memory corruption.

Responsible

Linux

Reservation

08/21/2024

Disclosure

08/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00212

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!