Bug 218032

Summary: NULL pointer dereference vulnerability in io_uring_show_fdinfo.
Product: Linux
Reporter: j51569436
Component: Kernel
Assignee: Virtual assignee for kernel bugs (linux-kernel)
Status: RESOLVED CODE_FIX
Severity: normal
CC: asml.silence, axboe, j51569436
Priority: P3
Hardware: All
OS: Linux
Kernel Version: 6.6-rc6
Subsystem: io_uring
Regression: No
Bisected commit-id:
Attachments: proposed patch

Description j51569436 2023-10-21 15:49:35 UTC
Created attachment 305272 [details]
POC code that can reproduce the vulnerability

A null pointer dereference vulnerability occurs in io_uring_show_fdinfo. 
When referencing io_sq_data in io_uring_show_fdinfo, the part about locking io_sq_data->lock is missing. 

Therefore, when io_sq_thread terminates and NULL is put into `sqd->thread`, a race condition may occur. This causes a null pointer dereference vulnerability when io_uring_show_fdinfo tries to print information about sq->thread.
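The locking pattern the report is asking for, as an added userspace model that is not code from this bug or from the kernel: a reader that dereferences the thread pointer without the lock versus one that takes the lock, tests the pointer, and copies the fields out before releasing it. The struct names, fields and the pid/cpu values are constructed stand-ins for task_struct and struct io_sq_data; the interleaving (SQ thread exits, then fdinfo is read) is sequenced deterministically instead of raced.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the kernel objects involved (names and fields
 * are assumptions, not the kernel's task_struct / struct io_sq_data). */
struct task {
    int pid;
    int cpu;
};

struct sq_data {
    pthread_mutex_t lock;  /* plays the role of sqd->lock */
    struct task *thread;   /* plays the role of sqd->thread */
};

static struct sq_data *sq_data_create(int pid, int cpu)
{
    struct sq_data *sqd = calloc(1, sizeof(*sqd));
    struct task *t = calloc(1, sizeof(*t));
    if (!sqd || !t) {
        free(sqd);
        free(t);
        return NULL;
    }
    pthread_mutex_init(&sqd->lock, NULL);
    t->pid = pid;
    t->cpu = cpu;
    sqd->thread = t;
    return sqd;
}

/* What the SQ thread does on its way out: publish "no thread" under the lock. */
static void sq_thread_exit(struct sq_data *sqd)
{
    pthread_mutex_lock(&sqd->lock);
    free(sqd->thread);
    sqd->thread = NULL;
    pthread_mutex_unlock(&sqd->lock);
}

/* The racy pattern: read through sqd->thread with neither the lock nor a
 * NULL check. Fine while the SQ thread is alive; once sq_thread_exit() has
 * run it faults on a small offset from NULL, the failure mode in the oops. */
static int show_sq_pid_racy(const struct sq_data *sqd)
{
    return sqd->thread->pid;
}

/* The locked pattern: take sqd->lock, test the pointer, copy the fields out
 * while it is still pinned, and report -1 for a thread that has gone away. */
static void show_sq_info_locked(struct sq_data *sqd, int *pid, int *cpu)
{
    *pid = -1;
    *cpu = -1;
    pthread_mutex_lock(&sqd->lock);
    if (sqd->thread) {
        *pid = sqd->thread->pid;
        *cpu = sqd->thread->cpu;
    }
    pthread_mutex_unlock(&sqd->lock);
}

static void sq_data_destroy(struct sq_data *sqd)
{
    sq_thread_exit(sqd); /* free(NULL) is a no-op if it already exited */
    pthread_mutex_destroy(&sqd->lock);
    free(sqd);
}

/* Constructed values: pid 1234 on cpu 3. Before exit both readers agree. */
static int fdinfo_pid_before_exit(void)
{
    struct sq_data *sqd = sq_data_create(1234, 3);
    int pid, cpu, racy;
    if (!sqd)
        return -2;
    racy = show_sq_pid_racy(sqd);
    show_sq_info_locked(sqd, &pid, &cpu);
    sq_data_destroy(sqd);
    return racy == pid ? pid : -3;
}

/* After exit only the locked reader is safe to call; it reports -1. */
static int fdinfo_pid_after_exit(void)
{
    struct sq_data *sqd = sq_data_create(1234, 3);
    int pid, cpu;
    if (!sqd)
        return -2;
    sq_thread_exit(sqd);                  /* show_sq_pid_racy() would now crash */
    show_sq_info_locked(sqd, &pid, &cpu); /* -1 / -1 */
    sq_data_destroy(sqd);
    return pid;
}

int main(void)
{
    printf("SqThread before exit: %d\n", fdinfo_pid_before_exit());
    printf("SqThread after exit:  %d\n", fdinfo_pid_after_exit());
    return 0;
}
```

The point of copying pid and cpu out under the lock, rather than just checking the pointer and releasing, is that the check alone would reopen the same window: the exit path could clear the pointer between the test and the use.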
Comment 1 j51569436 2023-10-21 15:54:19 UTC
[   14.803267] BUG: kernel NULL pointer dereference, address: 0000000000000014
[   14.804563] #PF: supervisor read access in kernel mode
[   14.805356] #PF: error_code(0x0000) - not-present page
[   14.806131] PGD 8000000100c6d067 P4D 8000000100c6d067 PUD 103ff2067 PMD 0
[   14.807484] Oops: 0000 [#1] PREEMPT SMP PTI
[   14.808262] CPU: 2 PID: 562 Comm: test Not tainted 6.6.0-rc6-gdd72f9c7e512-dirty #8
[   14.809066] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   14.810048] RIP: 0010:io_uring_show_fdinfo+0x60e/0x8d0
[   14.810628] Code: 85 c0 0f 84 50 ff ff ff 48 85 db 0f 84 47 ff ff ff 8b 90 20 05 00 00 48 c7 c6 f8 99 6d 82 4c 82
[   14.812467] RSP: 0018:ffffc90000657c98 EFLAGS: 00010246
[   14.813010] RAX: 0000000000000000 RBX: ffff8881017c5540 RCX: 0000000000000001
[   14.813675] RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff8881048310ac
[   14.814422] RBP: 0000000000000000 R08: ffff8881048310ac R09: 0000000000ffff0a
[   14.815150] R10: 0000000000000002 R11: 000000000000000f R12: 000000000000003f
[   14.815879] R13: ffff888102b28000 R14: 0000000000000000 R15: ffff888101444000
[   14.816654] FS:  00007fd99f3b6700(0000) GS:ffff88842fa80000(0000) knlGS:0000000000000000
[   14.817566] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   14.818214] CR2: 0000000000000014 CR3: 0000000101b74000 CR4: 00000000000006e0
[   14.819020] Call Trace:
[   14.819303]  <TASK>
[   14.819546]  ? __die_body+0x1a/0x60
[   14.820197]  ? page_fault_oops+0x156/0x420
[   14.820592]  ? search_exception_tables+0x37/0x50
[   14.821217]  ? fixup_exception+0x21/0x300
[   14.821803]  ? exc_page_fault+0x7d/0x170
[   14.822354]  ? asm_exc_page_fault+0x26/0x30
[   14.822940]  ? io_uring_show_fdinfo+0x60e/0x8d0
[   14.823636]  ? io_uring_show_fdinfo+0x60a/0x8d0
[   14.824262]  ? seq_vprintf+0x33/0x50
[   14.824753]  ? seq_printf+0x52/0x70
[   14.825211]  seq_show+0x167/0x1d0
[   14.825728]  seq_read_iter+0x10c/0x440
[   14.826294]  seq_read+0xab/0xe0
[   14.826768]  vfs_read+0xb0/0x320
[   14.827307]  ? __fget_light+0xc0/0x100
[   14.827868]  ksys_read+0x5e/0xe0
[   14.828320]  do_syscall_64+0x47/0xa0
[   14.828798]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[   14.829477] RIP: 0033:0x408d5c
[   14.829964] Code: ec 28 48 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 99 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 48
[   14.832449] RSP: 002b:00007fd99f3b5860 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   14.833469] RAX: ffffffffffffffda RBX: 00007fd99f3b5890 RCX: 0000000000408d5c
[   14.834411] RDX: 00000000000003ff RSI: 00007fd99f3b5990 RDI: 0000000000000004
[   14.835327] RBP: 0000000000000004 R08: 0000000000000000 R09: 00007fd99f3b5720
[   14.836235] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd99f3b5990
[   14.837208] R13: 00007ffd62e54ccf R14: 00007ffd62e54cd0 R15: 00007fd99f3b5e80
[   14.838199]  </TASK>
[   14.838513] Modules linked in:
[   14.838948] CR2: 0000000000000014
[   14.839457] ---[ end trace 0000000000000000 ]---
[   14.840117] RIP: 0010:io_uring_show_fdinfo+0x60e/0x8d0
[   14.840839] Code: 85 c0 0f 84 50 ff ff ff 48 85 db 0f 84 47 ff ff ff 8b 90 20 05 00 00 48 c7 c6 f8 99 6d 82 4c 82
[   14.843315] RSP: 0018:ffffc90000657c98 EFLAGS: 00010246
[   14.844086] RAX: 0000000000000000 RBX: ffff8881017c5540 RCX: 0000000000000001
[   14.845332] RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff8881048310ac
[   14.846513] RBP: 0000000000000000 R08: ffff8881048310ac R09: 0000000000ffff0a
[   14.847816] R10: 0000000000000002 R11: 000000000000000f R12: 000000000000003f
[   14.848816] R13: ffff888102b28000 R14: 0000000000000000 R15: ffff888101444000
[   14.849758] FS:  00007fd99f3b6700(0000) GS:ffff88842fa80000(0000) knlGS:0000000000000000
[   14.850935] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   14.851839] CR2: 0000000000000014 CR3: 0000000101b74000 CR4: 00000000000006e0
Comment 2 j51569436 2023-10-21 15:57:30 UTC
Created attachment 305273 [details]
POC code that can reproduce the vulnerability

The other poc.c file has stuff in it that shouldn't be there, and I'd like to ask if I can delete it and replace it with this one.
Comment 3 j51569436 2023-10-21 15:58:26 UTC
Comment on attachment 305272 [details]
POC code that can reproduce the vulnerability

This poc.c file has something in it that shouldn't be there, and I'd like to ask if you can delete it.
Comment 4 Jens Axboe 2023-10-21 18:19:24 UTC
I know it's fashionable these days, but can we please stop referring to everything as a "security vulnerability". It'll crash the app. I'll take a look.
Comment 5 Jens Axboe 2023-10-21 18:30:19 UTC
Created attachment 305275 [details]
proposed patch

Can you try this patch? Wasn't able to reproduce here.
Comment 6 j51569436 2023-10-21 19:47:20 UTC
Yes. Before applying the patch, it crashed within 10 seconds. With the patch applied, the POC does not trigger. 

The patched code also looks fine (to me). 

In terms of fixing this bug, this patch seems appropriate.