CVE-2022-50563

Summary

In the Linux kernel, the following vulnerability has been resolved:

dm thin: Fix UAF in run_timer_softirq()

When dm_resume() and dm_destroy() are concurrent, it will lead to UAF, as follows:

BUG: KASAN: use-after-free in __run_timers+0x173/0x710 Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0 <snip> Call Trace: <IRQ> dump_stack_lvl+0x73/0x9f print_report.cold+0x132/0xaa2 _raw_spin_lock_irqsave+0xcd/0x160 __run_timers+0x173/0x710 kasan_report+0xad/0x110 __run_timers+0x173/0x710 __asan_store8+0x9c/0x140 __run_timers+0x173/0x710 call_timer_fn+0x310/0x310 pvclock_clocksource_read+0xfa/0x250 kvm_clock_read+0x2c/0x70 kvm_clock_get_cycles+0xd/0x20 ktime_get+0x5c/0x110 lapic_next_event+0x38/0x50 clockevents_program_event+0xf1/0x1e0 run_timer_softirq+0x49/0x90 __do_softirq+0x16e/0x62c __irq_exit_rcu+0x1fa/0x270 irq_exit_rcu+0x12/0x20 sysvec_apic_timer_interrupt+0x8e/0xc0

One of the concurrency UAF can be shown as below:

    use                                  free

do_resume | __find_device_hash_cell | dm_get | atomic_inc(&md->holders) | | dm_destroy | __dm_destroy | if (!dm_suspended_md(md)) | atomic_read(&md->holders) | msleep(1) dm_resume | __dm_resume | dm_table_resume_targets | pool_resume | do_waker #add delay work | dm_put | atomic_dec(&md->holders) | | dm_table_destroy | pool_dtr | __pool_dec | __pool_destroy | destroy_workqueue | kfree(pool) # free pool time out __do_softirq run_timer_softirq # pool has already been freed

This can be easily reproduced using:

  1. create thin-pool
  2. dmsetup suspend pool
  3. dmsetup resume pool
  4. dmsetup remove_all # Concurrent with 3

The root cause of this UAF bug is that dm_resume() adds timer after dm_destroy() skips cancelling the timer because of suspend status. After timeout, it will call run_timer_softirq(), however pool has already been freed. The concurrency UAF bug will happen.

Therefore, cancelling timer again in __pool_destroy().

Affected Software

VendorProductVersion RangeStatus
LinuxLinux991d9fa02da0dd1f843dc011376965e0c8c6c9b5 < 7ee059d06a5d3c15465959e0472993e80fbe4e81affected
LinuxLinux991d9fa02da0dd1f843dc011376965e0c8c6c9b5 < 550a4fac7ecfee5bac6a0dd772456ca62fb72f46affected
LinuxLinux991d9fa02da0dd1f843dc011376965e0c8c6c9b5 < e8b8e0d2bbf7d1172c4f435621418e29ee408d46affected
LinuxLinux991d9fa02da0dd1f843dc011376965e0c8c6c9b5 < 7ae6aa649394e1e7f6dafb55ce0d578c0572a280affected
LinuxLinux991d9fa02da0dd1f843dc011376965e0c8c6c9b5 < 34fe9c2251f19786a6689149a6212c6c0de1d63baffected
LinuxLinux991d9fa02da0dd1f843dc011376965e0c8c6c9b5 < 34cd15d83b7206188d440b29b68084fcafde9395affected
LinuxLinux991d9fa02da0dd1f843dc011376965e0c8c6c9b5 < 94e231c9d6f2648d2f1f68e7f476e050ee0a6159affected
LinuxLinux991d9fa02da0dd1f843dc011376965e0c8c6c9b5 < d9971fa4d8bde63d49c743c1b32d12fbbd3a30bdaffected
LinuxLinux991d9fa02da0dd1f843dc011376965e0c8c6c9b5 < 88430ebcbc0ec637b710b947738839848c20feffaffected
LinuxLinux3.2affected
LinuxLinux0 < 3.2unaffected
LinuxLinux4.9.337 <= 4.9.*unaffected
LinuxLinux4.14.303 <= 4.14.*unaffected
LinuxLinux4.19.270 <= 4.19.*unaffected
LinuxLinux5.4.229 <= 5.4.*unaffected
LinuxLinux5.10.163 <= 5.10.*unaffected
LinuxLinux5.15.87 <= 5.15.*unaffected
LinuxLinux6.0.18 <= 6.0.*unaffected
LinuxLinux6.1.4 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

References