Bug 215965 - ubi: ubi_create_volume: UAF in error handling path
Summary: ubi: ubi_create_volume: UAF in error handling path
Status: NEEDINFO
Alias: None
Product: Drivers
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: drivers_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-10 03:21 UTC by Zhihao Cheng
Modified: 2022-05-11 02:16 UTC (History)
0 users

See Also:
Kernel Version: 5.18-rc1
Tree: Mainline
Regression: No


Attachments
diff (954 bytes, patch)
2022-05-11 01:36 UTC, Zhihao Cheng
diff (408 bytes, patch)
2022-05-11 02:16 UTC, Zhihao Cheng

Description Zhihao Cheng 2022-05-10 03:21:29 UTC
1. Apply diff (turn on CONFIG_KASAN) and compile kernel
2. Exec:
   ID="0xec,0xa1,0x00,0x15" # 128M 128KB 2KB
   modprobe nandsim id_bytes=$ID
   modprobe ubi mtd="0,2048"
   ubimkvol -N vol_a -m -n 0 /dev/ubi0

3. dmesg
[  244.257211] ==================================================================
[  244.261004] BUG: KASAN: use-after-free in ubi_eba_destroy_table+0x1b/0x50 [ubi]
[  244.262410] Read of size 8 at addr ffff888101948410 by task ubimkvol/1606
[  244.263367] 
[  244.263605] CPU: 0 PID: 1606 Comm: ubimkvol Not tainted 5.18.0-rc1-00005-g9fe871fba02c-dirty #473
[  244.264776] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc314
[  244.266602] Call Trace:
[  244.266966]  <TASK>
[  244.267273]  ? dump_stack_lvl+0x73/0x9f
[  244.267834]  ? print_report.cold+0x100/0xa3f
[  244.268459]  ? _raw_spin_lock_irqsave+0xcd/0x160
[  244.269131]  ? ubi_eba_destroy_table+0x1b/0x50 [ubi]
[  244.270173]  ? kasan_report+0xbf/0x130
[  244.270746]  ? devres_release_group+0x230/0x240
[  244.271407]  ? ubi_eba_destroy_table+0x1b/0x50 [ubi]
[  244.272530]  ? __asan_load8+0x74/0x110
[  244.273081]  ? ubi_eba_destroy_table+0x1b/0x50 [ubi]
[  244.274187]  ? ubi_eba_replace_table+0x32/0x50 [ubi]
[  244.275300]  ? vol_release+0x18/0x50 [ubi]
[  244.276258]  ? device_release+0x6e/0x170
[  244.276827]  ? kobject_put+0x1aa/0x430
[  244.277372]  ? put_device+0x17/0x30
[  244.277881]  ? ubi_create_volume+0x5db/0xad0 [ubi]
[  244.278951]  ? ubi_cdev_ioctl+0xf1c/0x1640 [ubi]
[  244.279967]  ? vfs_fileattr_set+0x690/0x690
[  244.280580]  ? vol_cdev_llseek+0xc0/0xc0 [ubi]
[  244.281595]  ? ioctl_has_perm.constprop.0+0x1eb/0x2b0
[  244.282307]  ? selinux_inet_conn_established+0x80/0x80
[  244.283096]  ? selinux_file_ioctl+0xeb/0x1a0
[  244.283712]  ? selinux_file_ioctl+0xeb/0x1a0
[  244.284343]  ? __x64_sys_ioctl+0x118/0x170
[  244.284937]  ? do_syscall_64+0x35/0x80
[  244.285485]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
[  244.286256]  </TASK>
[  244.286582] 
[  244.286807] Allocated by task 1606:
[  244.287302]  kasan_save_stack+0x26/0x60
[  244.287854]  set_alloc_info+0x4b/0x80
[  244.288380]  __kasan_kmalloc+0x8d/0xd0
[  244.288918]  kmem_cache_alloc_trace+0x262/0x5a0
[  244.289588]  ubi_eba_create_table+0x3a/0x140 [ubi]
[  244.290627]  ubi_create_volume+0x70f/0xad0 [ubi]
[  244.291649]  ubi_cdev_ioctl+0xf1c/0x1640 [ubi]
[  244.292630]  __x64_sys_ioctl+0x118/0x170
[  244.293181]  do_syscall_64+0x35/0x80
[  244.293697]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  244.294408] 
[  244.294639] Freed by task 1606:
[  244.295086]  kasan_save_stack+0x26/0x60
[  244.295633]  kasan_set_track+0x29/0x40
[  244.296171]  kasan_set_free_info+0x30/0x60
[  244.296768]  __kasan_slab_free+0x184/0x2c0
[  244.297352]  kfree+0x14a/0x6c0
[  244.297799]  ubi_eba_destroy_table+0x34/0x50 [ubi]
[  244.298827]  ubi_create_volume+0x944/0xad0 [ubi]
[  244.299823]  ubi_cdev_ioctl+0xf1c/0x1640 [ubi]
[  244.300838]  __x64_sys_ioctl+0x118/0x170
[  244.301391]  do_syscall_64+0x35/0x80
[  244.301906]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  244.302618] 
[  244.302842] The buggy address belongs to the object at ffff888101948410
[  244.302842]  which belongs to the cache kmalloc-8 of size 8
[  244.304482] The buggy address is located 0 bytes inside of
[  244.304482]  8-byte region [ffff888101948410, ffff888101948418)
[  244.306011] 
[  244.306235] The buggy address belongs to the physical page:
[  244.306999] page:00000000a1e9be2b refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8881019487f8 pfn:0x101948
[  244.308447] flags: 0x2fffff80000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[  244.309417] raw: 002fffff80000200 0000000000000000 dead000000000001 ffff888100042280
[  244.310487] raw: ffff8881019487f8 0000000080660046 00000001ffffffff 0000000000000000
[  244.311547] page dumped because: kasan: bad access detected
[  244.312318] 
[  244.312546] Memory state around the buggy address:
[  244.313202]  ffff888101948300: fc fc fc fc fb fc fc fc fc fa fc fc fc fc fa fc
[  244.314185]  ffff888101948380: fc fc fc fa fc fc fc fc fa fc fc fc fc 00 fc fc
[  244.315163] >ffff888101948400: fc fc fa fc fc fc fc fa fc fc fc fc 00 fc fc fc
[  244.316146]                          ^
[  244.316680]  ffff888101948480: fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc
[  244.317666]  ffff888101948500: 00 fc fc fc fc fa fc fc fc fc fa fc fc fc fc 00
[  244.318663] ==================================================================
[  244.319677] Disabling lock debugging due to kernel taint
[  244.320883] ubi0 error: ubi_create_volume [ubi]: cannot create volume 0, error -12
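The trace above tells the whole story of the bug class: the table is allocated in ubi_eba_create_table, freed once by ubi_eba_destroy_table directly from ubi_create_volume's error path, and then touched again when put_device drops the last reference and vol_release calls ubi_eba_replace_table, which destroys the table the volume still points at. The following C program is an added example, not code from this report or from the UBI driver; it models that ownership hand-off with hypothetical types (eba_table, vol_dev, the fail_point enum) and a tracked table pool so the second destroy is counted rather than corrupting the heap. create_volume_fixed shows the general remedy for this pattern, a single owner for the table once the device's release callback can free it; whether that matches the patch linked in the comments is not shown on this page and is an assumption of the example.

```c
/*
 * Added example (not from the bug report or the UBI driver). Models the
 * double-ownership mistake behind the KASAN report: a table installed in a
 * refcounted device is freed by the error path and again by the device's
 * release callback. All identifiers are hypothetical stand-ins.
 */
#include <stdio.h>
#include <stdlib.h>

struct eba_table {
    int entries;
    int freed;                  /* set by the first destroy */
};

/* Tables come from a static pool so a freed one can still be inspected
 * safely; the real driver's kfree() would make that an actual UAF. */
#define MAX_TABLES 4
static struct eba_table table_pool[MAX_TABLES];
static int next_table;
static int double_free_count;   /* destroy called on an already freed table */
static int live_tables;         /* created minus destroyed; nonzero = leak  */

static struct eba_table *eba_create_table(int n)
{
    struct eba_table *t;
    if (next_table == MAX_TABLES)
        return NULL;
    t = &table_pool[next_table++];
    t->entries = n;
    t->freed = 0;
    live_tables++;
    return t;
}

static void eba_destroy_table(struct eba_table *t)
{
    if (!t)
        return;
    if (t->freed) {             /* the access KASAN flagged in the report */
        double_free_count++;
        return;
    }
    t->freed = 1;
    live_tables--;
}

/* Stand-in for the volume's struct device: release() runs when the last
 * reference drops and owns vol->eba_tbl, like vol_release() in the trace. */
struct vol_dev {
    int refcount;
    struct eba_table *eba_tbl;
    void (*release)(struct vol_dev *);
};

static void vol_release(struct vol_dev *vol)
{
    eba_destroy_table(vol->eba_tbl);    /* ubi_eba_replace_table(vol, NULL) */
    vol->eba_tbl = NULL;
    free(vol);
}

static void put_device(struct vol_dev *vol)
{
    if (--vol->refcount == 0)
        vol->release(vol);
}

/* Where the caller injects a failure (hypothetical, like the reporter's diff). */
enum fail_point { FAIL_NONE, FAIL_BEFORE_INSTALL, FAIL_AFTER_INSTALL };

static struct vol_dev *new_vol(struct eba_table **tbl)
{
    struct vol_dev *vol = calloc(1, sizeof(*vol));
    if (!vol)
        return NULL;
    *tbl = eba_create_table(16);
    if (!*tbl) {
        free(vol);
        return NULL;
    }
    vol->refcount = 1;                  /* creator holds the initial reference */
    vol->release = vol_release;
    return vol;
}

/* Buggy shape: once tbl is installed, vol_release will free it, yet the error
 * label frees it explicitly too and then drops the reference. */
static struct vol_dev *create_volume_buggy(enum fail_point fp)
{
    struct eba_table *tbl;
    struct vol_dev *vol = new_vol(&tbl);
    if (!vol)
        return NULL;
    vol->eba_tbl = tbl;                 /* ownership moves to vol here */
    if (fp != FAIL_NONE)
        goto out_mapping;               /* a later registration step failed */
    return vol;
out_mapping:
    eba_destroy_table(tbl);             /* first free */
    put_device(vol);                    /* -> vol_release -> second free */
    return NULL;
}

/* Fixed shape: free tbl directly only while vol does not own it; afterwards
 * put_device() is the single place it is released. */
static struct vol_dev *create_volume_fixed(enum fail_point fp)
{
    struct eba_table *tbl;
    struct vol_dev *vol = new_vol(&tbl);
    if (!vol)
        return NULL;
    if (fp == FAIL_BEFORE_INSTALL)
        goto out_tbl;
    vol->eba_tbl = tbl;
    if (fp == FAIL_AFTER_INSTALL)
        goto out_dev;
    return vol;
out_tbl:
    eba_destroy_table(tbl);
out_dev:
    put_device(vol);
    return NULL;
}

/* Run one scenario from a clean state; a created volume is removed afterwards. */
static void run_scenario(int use_fixed, enum fail_point fp)
{
    struct vol_dev *vol;
    double_free_count = 0;
    live_tables = 0;
    next_table = 0;
    vol = use_fixed ? create_volume_fixed(fp) : create_volume_buggy(fp);
    if (vol)
        put_device(vol);
}

static int double_frees_for(int use_fixed, enum fail_point fp)
{
    run_scenario(use_fixed, fp);
    return double_free_count;
}

static int leaked_tables_for(int use_fixed, enum fail_point fp)
{
    run_scenario(use_fixed, fp);
    return live_tables;
}

int main(void)
{
    printf("buggy, failure after install: %d double free(s)\n",
           double_frees_for(0, FAIL_AFTER_INSTALL));
    printf("fixed, failure after install: %d double free(s), %d leaked\n",
           double_frees_for(1, FAIL_AFTER_INSTALL),
           leaked_tables_for(1, FAIL_AFTER_INSTALL));
    return 0;
}
```

Build with `cc -Wall -o eba_uaf eba_uaf.c` and run it: the buggy path reports one double free for a failure after the table is installed, the fixed path reports none and leaks nothing for any failure point. The model counts the second destroy instead of performing it, which is why it runs without KASAN; in the real driver the same mistake is only visible with CONFIG_KASAN, as the report's first step notes.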
Comment 1 Artem S. Tashkinov 2022-05-10 14:01:01 UTC
You'd better find the maintainers of this driver and email them directly or email the appropriate mailing list otherwise this bug report might not be seen by anyone.
Comment 2 Zhihao Cheng 2022-05-11 01:36:01 UTC
Created attachment 300927 [details]
diff
Comment 3 Zhihao Cheng 2022-05-11 01:38:02 UTC
(In reply to Artem S. Tashkinov from comment #1)
> You'd better find the maintainers of this driver and email them directly or
> email the appropriate mailing list otherwise this bug report might not be
> seen by anyone.

I have sent the fix patch to linux-mtd. The reproducer link is attached in the patch. https://patchwork.ozlabs.org/project/linux-mtd/patch/20220510123126.1820335-4-chengzhihao1@huawei.com/
Comment 4 Zhihao Cheng 2022-05-11 02:16:56 UTC
Created attachment 300928 [details]
diff
