Bug 216305 - ubi: Reproducer for an UAF in eraseblk_count_seq_show() after wl_entry_destroy()
Summary: ubi: Reproducer for an UAF in eraseblk_count_seq_show() after wl_entry_destroy()
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: drivers_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-07-29 12:11 UTC by Zhihao Cheng
Modified: 2022-07-29 12:12 UTC

See Also:
Kernel Version: 5.19-rc8
Subsystem:
Regression: No
Bisected commit-id:


Attachments
diff (2.13 KB, patch)
2022-07-29 12:11 UTC, Zhihao Cheng
test.sh (572 bytes, application/x-shellscript)
2022-07-29 12:11 UTC, Zhihao Cheng

Description Zhihao Cheng 2022-07-29 12:11:08 UTC
CONFIG_KASAN=y

1. Apply diff and compile kernel
2. run test.sh
3. Execute 'cat /sys/kernel/debug/ubi/ubi0/detailed_erase_block_info' within 3 seconds after the kernel prints the message "make err"

[  126.767164] make err
[  126.768457] ubi0 error: __erase_worker.cold [ubi]: failed to erase PEB 0, error -5
[  126.772110] free ffff8881034a8ae0
[  128.394871] eraseblk_count_seq_show: access ffff8881034a8ae0
[  129.823313] freed
[  133.404360] ==================================================================
[  133.407544] BUG: KASAN: use-after-free in eraseblk_count_seq_show+0xd5/0x180 [ubi]
[  133.408642] Read of size 4 at addr ffff8881034a8af8 by task cat/1627
[  133.409254] 
[  133.409460] CPU: 0 PID: 1627 Comm: cat Not tainted 5.19.0-rc8-dirty #742
[  133.410097] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc34
[  133.411305] Call Trace:
[  133.411567]  <TASK>
[  133.411790]  ? dump_stack_lvl+0x73/0x9f
[  133.412198]  ? print_report.cold+0x100/0xa3f
[  133.412631]  ? _raw_spin_lock_irqsave+0xcd/0x160
[  133.413100]  ? eraseblk_count_seq_show+0xd5/0x180 [ubi]
[  133.413932]  ? kasan_report+0xbf/0x130
[  133.414335]  ? eraseblk_count_seq_show+0xd5/0x180 [ubi]
[  133.415175]  ? __asan_load4+0x77/0x120
[  133.415556]  ? eraseblk_count_seq_show+0xd5/0x180 [ubi]
[  133.416405]  ? seq_read_iter+0x346/0x8a0
[  133.416798]  ? __alloc_pages_slowpath.constprop.0+0x1e30/0x1e30
[  133.417395]  ? __mod_memcg_lruvec_state+0xfe/0x1d0
[  133.417880]  ? seq_read+0x237/0x2f0
[  133.418254]  ? seq_read_iter+0x8a0/0x8a0
[  133.418648]  ? folio_add_lru+0x15d/0x260
[  133.419071]  ? lru_cache_add+0x58/0xf0
[  133.419482]  ? __handle_mm_fault+0x179e/0x2170
[  133.419970]  ? full_proxy_read+0xa3/0x100
[  133.420393]  ? vfs_read+0xff/0x320
[  133.420758]  ? ksys_read+0xcd/0x1e0
[  133.421130]  ? vfs_write+0x5a0/0x5a0
[  133.421493]  ? __kasan_check_write+0x20/0x30
[  133.421931]  ? do_user_addr_fault+0x414/0xff0
[  133.422389]  ? __x64_sys_read+0x46/0x60
[  133.422776]  ? do_syscall_64+0x35/0x80
[  133.423163]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  133.423705]  </TASK>
[  133.423934] 
[  133.424120] Allocated by task 1599:
[  133.424488]  kasan_save_stack+0x26/0x60
[  133.424873]  set_alloc_info+0x4b/0x80
[  133.425247]  __kasan_slab_alloc+0x4c/0x90
[  133.425640]  slab_post_alloc_hook+0x7c/0x5b0
[  133.426062]  kmem_cache_alloc+0x20a/0x5b0
[  133.426454]  ubi_wl_init+0x56d/0xc10 [ubi]
[  133.427173]  ubi_attach+0x291/0x970 [ubi]
[  133.427884]  ubi_attach_mtd_dev+0xe5d/0x1d00 [ubi]
[  133.428721]  0xffffffffa00d0439
[  133.429050]  do_one_initcall+0xb7/0x460
[  133.429457]  do_init_module+0x103/0x420
[  133.429841]  load_module+0x3036/0x3280
[  133.430226]  __do_sys_finit_module+0x14b/0x250
[  133.430654]  __x64_sys_finit_module+0x46/0x60
[  133.431087]  do_syscall_64+0x35/0x80
[  133.431443]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  133.431923] 
[  133.432095] Freed by task 1602:
[  133.432410]  kasan_save_stack+0x26/0x60
[  133.432790]  kasan_set_track+0x29/0x40
[  133.433169]  kasan_set_free_info+0x30/0x60
[  133.433570]  __kasan_slab_free+0x184/0x2c0
[  133.433980]  kmem_cache_free+0x171/0x6f0
[  133.434372]  __erase_worker.cold+0x126/0x472 [ubi]
[  133.435157]  erase_worker+0x14f/0x170 [ubi]
[  133.435879]  do_work+0x146/0x1e0 [ubi]
[  133.436626]  ubi_thread+0x245/0x440 [ubi]
[  133.437347]  kthread+0x1e5/0x250
[  133.437676]  ret_from_fork+0x1f/0x30
[  133.438045] 
[  133.438225] The buggy address belongs to the object at ffff8881034a8ae0
[  133.438225]  which belongs to the cache ubi_wl_entry_slab of size 32
[  133.439385] The buggy address is located 24 bytes inside of
[  133.439385]  32-byte region [ffff8881034a8ae0, ffff8881034a8b00)
[  133.440417] 
[  133.440589] The buggy address belongs to the physical page:
[  133.441107] page:000000002216c1f9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1034a8
[  133.442011] flags: 0x2fffff80000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[  133.442685] raw: 002fffff80000200 0000000000000000 dead000000000122 ffff888101ba7180
[  133.443398] raw: 0000000000000000 0000000080550055 00000001ffffffff 0000000000000000
[  133.444112] page dumped because: kasan: bad access detected
[  133.444623] 
[  133.444791] Memory state around the buggy address:
[  133.445247]  ffff8881034a8980: fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc 00 00
[  133.445905]  ffff8881034a8a00: 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc
[  133.446566] >ffff8881034a8a80: 00 00 00 00 fc fc 00 00 00 00 fc fc fa fb fb fb
[  133.447231]                                                                 ^
[  133.447889]  ffff8881034a8b00: fc fc 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  133.448551]  ffff8881034a8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  133.449213] ==================================================================
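When triaging a KASAN report like the one above, the questions a reviewer wants answered first are: what kind of bug, which task touched the object, which function in the affected module allocated it, which freed it, and whether the faulting address really lies inside the object KASAN names. The following helper is an added example, not code from this bug report or from the UBI subsystem; it parses the standard KASAN line shapes and embeds an abbreviated copy of the report quoted in this bug (timestamps kept, most frames dropped) as its sample input. The function names and the `KasanReport` structure are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: an abbreviated copy of the KASAN report quoted in this bug.
# Only the standard KASAN line shapes matter, so a full dmesg capture parses
# the same way; the dropped frames would simply appear in the stack lists.
SAMPLE_REPORT = """\
[  133.407544] BUG: KASAN: use-after-free in eraseblk_count_seq_show+0xd5/0x180 [ubi]
[  133.408642] Read of size 4 at addr ffff8881034a8af8 by task cat/1627
[  133.409254]
[  133.411305] Call Trace:
[  133.411567]  <TASK>
[  133.413100]  ? eraseblk_count_seq_show+0xd5/0x180 [ubi]
[  133.416405]  ? seq_read_iter+0x346/0x8a0
[  133.423705]  </TASK>
[  133.423934]
[  133.424120] Allocated by task 1599:
[  133.424488]  kasan_save_stack+0x26/0x60
[  133.426062]  kmem_cache_alloc+0x20a/0x5b0
[  133.426454]  ubi_wl_init+0x56d/0xc10 [ubi]
[  133.427173]  ubi_attach+0x291/0x970 [ubi]
[  133.431923]
[  133.432095] Freed by task 1602:
[  133.432410]  kasan_save_stack+0x26/0x60
[  133.433980]  kmem_cache_free+0x171/0x6f0
[  133.434372]  __erase_worker.cold+0x126/0x472 [ubi]
[  133.435157]  erase_worker+0x14f/0x170 [ubi]
[  133.438045]
[  133.438225] The buggy address belongs to the object at ffff8881034a8ae0
[  133.438225]  which belongs to the cache ubi_wl_entry_slab of size 32
"""

TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?(.*)$")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
STACK_HDR_RE = re.compile(r"(?P<which>Allocated|Freed) by task (?P<task>\d+):")
# A stack frame: optional "? " marker, symbol+off/len, optional [module].
FRAME_RE = re.compile(
    r"^\s*(?:\?\s+)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(?P<mod>\w+)\])?")
OBJECT_RE = re.compile(r"belongs to the object at (?P<addr>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")


@dataclass
class KasanReport:
    bug_kind: str = ""
    fault_func: str = ""
    access: str = ""            # "Read" or "Write"
    access_size: int = 0
    access_addr: int = 0
    task: str = ""              # "comm/pid" of the task that hit the bug
    object_addr: int = 0
    cache: str = ""
    object_size: int = 0
    stacks: Dict[str, List[str]] = field(default_factory=dict)   # access/allocated/freed
    stack_tasks: Dict[str, str] = field(default_factory=dict)    # pid per allocated/freed


def parse_kasan_report(text: str) -> KasanReport:
    """Extract the fields a triager needs from a KASAN report (with or without dmesg timestamps)."""
    rep = KasanReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        m = TIMESTAMP_RE.match(raw)
        line = m.group(1) if m else raw
        if not line.strip():
            section = None          # a blank line ends the current stack section
            continue
        if (m := BUG_RE.search(line)):
            rep.bug_kind, rep.fault_func = m["kind"], m["func"]
        elif (m := ACCESS_RE.search(line)):
            rep.access, rep.access_size = m["op"], int(m["size"])
            rep.access_addr, rep.task = int(m["addr"], 16), m["task"]
        elif line.strip() == "Call Trace:":
            section = "access"
            rep.stacks[section] = []
        elif (m := STACK_HDR_RE.search(line)):
            section = m["which"].lower()       # "allocated" or "freed"
            rep.stacks[section] = []
            rep.stack_tasks[section] = m["task"]
        elif (m := OBJECT_RE.search(line)):
            rep.object_addr = int(m["addr"], 16)
        elif (m := CACHE_RE.search(line)):
            rep.cache, rep.object_size = m["cache"], int(m["size"])
        elif section is not None and (m := FRAME_RE.match(line)):
            rep.stacks[section].append(m["sym"] + (f" [{m['mod']}]" if m["mod"] else ""))
    return rep


def offset_in_object(rep: KasanReport) -> int:
    """Byte offset of the faulting address from the start of the slab object."""
    return rep.access_addr - rep.object_addr


def access_within_object(rep: KasanReport) -> bool:
    """True when the whole access falls inside the object KASAN reported (i.e. a lifetime bug, not an overflow)."""
    off = offset_in_object(rep)
    return 0 <= off and off + rep.access_size <= rep.object_size


def first_frame_in_module(frames: List[str], module: str) -> Optional[str]:
    """Innermost frame belonging to `module`, skipping the allocator/KASAN plumbing above it."""
    return next((f for f in frames if f.endswith(f"[{module}]")), None)


def summarize(rep: KasanReport, module: str) -> str:
    """One-line triage summary: who allocated, who freed, who touched the object afterwards."""
    return (f"{rep.bug_kind}: {rep.access} of {rep.access_size} bytes at +{offset_in_object(rep)} "
            f"in {rep.cache} ({rep.object_size} B); allocated in "
            f"{first_frame_in_module(rep.stacks.get('allocated', []), module)} "
            f"(task {rep.stack_tasks.get('allocated')}), freed in "
            f"{first_frame_in_module(rep.stacks.get('freed', []), module)} "
            f"(task {rep.stack_tasks.get('freed')}), touched by "
            f"{first_frame_in_module(rep.stacks.get('access', []), module)} ({rep.task})")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT), "ubi"))
```

Run on the report above, the summary shows the lifetime mismatch directly: the entry is allocated by `ubi_wl_init` during attach, freed by `__erase_worker.cold` on the background UBI thread after the erase failure, and read 24 bytes in by `eraseblk_count_seq_show` from the `cat` task, with the access fully inside the 32-byte object. That last check is what distinguishes a stale-pointer bug (the reader still walks a list that no longer owns the entry) from an out-of-bounds access, and it is the first thing to confirm before looking for where the entry should have been unlinked.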
Comment 1 Zhihao Cheng 2022-07-29 12:11:25 UTC
Created attachment 301507
diff
Comment 2 Zhihao Cheng 2022-07-29 12:11:35 UTC
Created attachment 301508
test.sh