
ZDI-CAN-22273: New Vulnerability Report

Message ID: DM5PR0102MB347711AF2F5655852AC60BEB80DBA@DM5PR0102MB3477.prod.exchangelabs.com
State: New
Series: ZDI-CAN-22273: New Vulnerability Report

Commit Message

zdi-disclosures@trendmicro.com Oct. 20, 2023, 3:25 p.m. UTC
ZDI-CAN-22273: Linux Kernel USB/IP VHCI Driver Race Condition Privilege Escalation Vulnerability

-- CVSS -----------------------------------------

7.1: AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Linux - Kernel

-- VULNERABILITY DETAILS ------------------------
* Version tested: 6.6-rc3
* Installer file: -
* Platform tested: Debian bullseye

---

### Analysis

```
A race condition bug exists in the USB/IP VHCI driver.
It leads to a UAF on `struct usb_device`.

thread 1                        thread 2
vhci_device_reset()             vhci_urb_enqueue()
 usb_put_dev(vdev->udev);
                                 usb_put_dev(vdev->udev);               // free
                                 vdev->udev = usb_get_dev(urb->dev);    // UAF
 vdev->udev = NULL;
```

Here is the patch to trigger the bug more easily:

KASAN report
```
==================================================================
BUG: KASAN: slab-use-after-free in kobject_get+0x130/0x140 /root/linux/lib/kobject.c:636
Read of size 1 at addr ffff88804960a0e4 by task kworker/1:1/28

CPU: 1 PID: 28 Comm: kworker/1:1 Not tainted 6.6.0-rc3-dirty #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack /root/linux/lib/dump_stack.c:88
 dump_stack_lvl+0xd9/0x1b0 /root/linux/lib/dump_stack.c:106
 print_address_description /root/linux/mm/kasan/report.c:364
 print_report+0xc4/0x620 /root/linux/mm/kasan/report.c:475
 kasan_report+0xda/0x110 /root/linux/mm/kasan/report.c:588
 kobject_get+0x130/0x140 /root/linux/lib/kobject.c:636
 get_device+0x22/0x30 /root/linux/drivers/base/core.c:3720
 usb_get_dev+0x23/0x30 /root/linux/drivers/usb/core/usb.c:765
 vhci_urb_enqueue+0x5d2/0xea0 /root/linux/drivers/usb/usbip/vhci_hcd.c:786
 usb_hcd_submit_urb+0x2c5/0x2100 /root/linux/drivers/usb/core/hcd.c:1535
 usb_submit_urb+0x878/0x1720 /root/linux/drivers/usb/core/urb.c:581
 usb_start_wait_urb+0x103/0x4c0 /root/linux/drivers/usb/core/message.c:59
 usb_internal_control_msg /root/linux/drivers/usb/core/message.c:103
 usb_control_msg+0x327/0x4a0 /root/linux/drivers/usb/core/message.c:154
 get_bMaxPacketSize0.constprop.0+0xa5/0x1c0 /root/linux/drivers/usb/core/hub.c:4725
 hub_port_init+0xb14/0x3840 /root/linux/drivers/usb/core/hub.c:4986
 hub_port_connect /root/linux/drivers/usb/core/hub.c:5369
 hub_port_connect_change /root/linux/drivers/usb/core/hub.c:5580
 port_event /root/linux/drivers/usb/core/hub.c:5740
 hub_event+0x2b64/0x4e00 /root/linux/drivers/usb/core/hub.c:5822
 process_one_work+0x884/0x15c0 /root/linux/kernel/workqueue.c:2630
 process_scheduled_works /root/linux/kernel/workqueue.c:2703
 worker_thread+0x8b9/0x1290 /root/linux/kernel/workqueue.c:2784
 kthread+0x33c/0x440 /root/linux/kernel/kthread.c:388
 ret_from_fork+0x45/0x80 /root/linux/arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 /root/linux/arch/x86/entry/entry_64.S:304
 </TASK>

Allocated by task 28:
 kasan_save_stack+0x33/0x50 /root/linux/mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 /root/linux/mm/kasan/common.c:52
 ____kasan_kmalloc /root/linux/mm/kasan/common.c:374
 __kasan_kmalloc+0xa3/0xb0 /root/linux/mm/kasan/common.c:383
 kmalloc /root/linux/./include/linux/slab.h:599
 kzalloc /root/linux/./include/linux/slab.h:720
 usb_alloc_dev+0x55/0xdb0 /root/linux/drivers/usb/core/usb.c:650
 hub_port_connect /root/linux/drivers/usb/core/hub.c:5343
 hub_port_connect_change /root/linux/drivers/usb/core/hub.c:5580
 port_event /root/linux/drivers/usb/core/hub.c:5740
 hub_event+0x2853/0x4e00 /root/linux/drivers/usb/core/hub.c:5822
 process_one_work+0x884/0x15c0 /root/linux/kernel/workqueue.c:2630
 process_scheduled_works /root/linux/kernel/workqueue.c:2703
 worker_thread+0x8b9/0x1290 /root/linux/kernel/workqueue.c:2784
 kthread+0x33c/0x440 /root/linux/kernel/kthread.c:388
 ret_from_fork+0x45/0x80 /root/linux/arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 /root/linux/arch/x86/entry/entry_64.S:304

Freed by task 28:
 kasan_save_stack+0x33/0x50 /root/linux/mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 /root/linux/mm/kasan/common.c:52
 kasan_save_free_info+0x28/0x40 /root/linux/mm/kasan/generic.c:522
 ____kasan_slab_free /root/linux/mm/kasan/common.c:236
 ____kasan_slab_free+0x138/0x190 /root/linux/mm/kasan/common.c:200
 kasan_slab_free /root/linux/./include/linux/kasan.h:164
 __cache_free /root/linux/mm/slab.c:3370
 __do_kmem_cache_free /root/linux/mm/slab.c:3557
 __kmem_cache_free+0xcc/0x2d0 /root/linux/mm/slab.c:3564
 device_release+0xa1/0x240 /root/linux/drivers/base/core.c:2484
 kobject_cleanup /root/linux/lib/kobject.c:682
 kobject_release /root/linux/lib/kobject.c:716
 kref_put /root/linux/./include/linux/kref.h:65
 kobject_put+0x1d0/0x440 /root/linux/lib/kobject.c:733
 put_device+0x1f/0x30 /root/linux/drivers/base/core.c:3732
 usb_put_dev+0x23/0x30 /root/linux/drivers/usb/core/usb.c:780
 vhci_urb_enqueue+0x5ac/0xea0 /root/linux/drivers/usb/usbip/vhci_hcd.c:785
 usb_hcd_submit_urb+0x2c5/0x2100 /root/linux/drivers/usb/core/hcd.c:1535
 usb_submit_urb+0x878/0x1720 /root/linux/drivers/usb/core/urb.c:581
 usb_start_wait_urb+0x103/0x4c0 /root/linux/drivers/usb/core/message.c:59
 usb_internal_control_msg /root/linux/drivers/usb/core/message.c:103
 usb_control_msg+0x327/0x4a0 /root/linux/drivers/usb/core/message.c:154
 get_bMaxPacketSize0.constprop.0+0xa5/0x1c0 /root/linux/drivers/usb/core/hub.c:4725
 hub_port_init+0xb14/0x3840 /root/linux/drivers/usb/core/hub.c:4986
 hub_port_connect /root/linux/drivers/usb/core/hub.c:5369
 hub_port_connect_change /root/linux/drivers/usb/core/hub.c:5580
 port_event /root/linux/drivers/usb/core/hub.c:5740
 hub_event+0x2b64/0x4e00 /root/linux/drivers/usb/core/hub.c:5822
 process_one_work+0x884/0x15c0 /root/linux/kernel/workqueue.c:2630
 process_scheduled_works /root/linux/kernel/workqueue.c:2703
 worker_thread+0x8b9/0x1290 /root/linux/kernel/workqueue.c:2784
 kthread+0x33c/0x440 /root/linux/kernel/kthread.c:388
 ret_from_fork+0x45/0x80 /root/linux/arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 /root/linux/arch/x86/entry/entry_64.S:304

The buggy address belongs to the object at ffff88804960a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 228 bytes inside of
 freed 2048-byte region [ffff88804960a000, ffff88804960a800)

The buggy address belongs to the physical page:
page:ffffea0001258280 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4960a
flags: 0x4fff00000000800(slab|node=1|zone=1|lastcpupid=0x7ff)
page_type: 0x1()
raw: 04fff00000000800 ffff888012c40800 ffffea000101fb10 ffffea00011b6310
raw: 0000000000000000 ffff88804960a000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 7649, tgid 7644 (in:imklog), ts 604730580605, free_ts 603625435624
 set_page_owner /root/linux/./include/linux/page_owner.h:31
 post_alloc_hook+0x2cf/0x340 /root/linux/mm/page_alloc.c:1536
 prep_new_page /root/linux/mm/page_alloc.c:1543
 get_page_from_freelist+0xee0/0x2f20 /root/linux/mm/page_alloc.c:3170
 __alloc_pages+0x1d0/0x4a0 /root/linux/mm/page_alloc.c:4426
 __alloc_pages_node /root/linux/./include/linux/gfp.h:237
 kmem_getpages /root/linux/mm/slab.c:1356
 cache_grow_begin+0x99/0x3a0 /root/linux/mm/slab.c:2550
 cache_alloc_refill+0x294/0x3a0 /root/linux/mm/slab.c:2923
 ____cache_alloc /root/linux/mm/slab.c:2999
 ____cache_alloc /root/linux/mm/slab.c:2982
 __do_cache_alloc /root/linux/mm/slab.c:3182
 slab_alloc_node /root/linux/mm/slab.c:3230
 __kmem_cache_alloc_node+0x3c5/0x470 /root/linux/mm/slab.c:3521
 kmalloc_trace+0x25/0xe0 /root/linux/mm/slab_common.c:1114
 kmalloc /root/linux/./include/linux/slab.h:599
 syslog_print+0xf9/0x5d0 /root/linux/kernel/printk/printk.c:1553
 do_syslog+0x2d4/0x580 /root/linux/kernel/printk/printk.c:1732
 kmsg_read+0x93/0xc0 /root/linux/fs/proc/kmsg.c:37
 pde_read /root/linux/fs/proc/inode.c:316
 proc_reg_read+0x123/0x330 /root/linux/fs/proc/inode.c:326
 vfs_read+0x1ce/0x930 /root/linux/fs/read_write.c:468
 ksys_read+0x12f/0x250 /root/linux/fs/read_write.c:613
 do_syscall_x64 /root/linux/arch/x86/entry/common.c:50
 do_syscall_64+0x38/0xb0 /root/linux/arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd /root/linux/arch/x86/entry/entry_64.S:120
page last free stack trace:
 reset_page_owner /root/linux/./include/linux/page_owner.h:24
 free_pages_prepare /root/linux/mm/page_alloc.c:1136
 free_unref_page_prepare+0x476/0xa40 /root/linux/mm/page_alloc.c:2312
 free_unref_page+0x33/0x3b0 /root/linux/mm/page_alloc.c:2405
 slab_destroy /root/linux/mm/slab.c:1608
 slabs_destroy+0x85/0xc0 /root/linux/mm/slab.c:1628
 cache_flusharray /root/linux/mm/slab.c:3341
 ___cache_free+0x2b7/0x420 /root/linux/mm/slab.c:3404
 qlink_free /root/linux/mm/kasan/quarantine.c:166
 qlist_free_all+0x4c/0x1b0 /root/linux/mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x18e/0x1d0 /root/linux/mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x65/0x90 /root/linux/mm/kasan/common.c:305
 kasan_slab_alloc /root/linux/./include/linux/kasan.h:188
 slab_post_alloc_hook /root/linux/mm/slab.h:762
 slab_alloc_node /root/linux/mm/slab.c:3237
 __kmem_cache_alloc_node+0x163/0x470 /root/linux/mm/slab.c:3521
 __do_kmalloc_node /root/linux/mm/slab_common.c:1022
 __kmalloc_node+0x52/0x110 /root/linux/mm/slab_common.c:1030
 kmalloc_node /root/linux/./include/linux/slab.h:619
 __vmalloc_area_node /root/linux/mm/vmalloc.c:3125
 __vmalloc_node_range+0x3e9/0x1540 /root/linux/mm/vmalloc.c:3320
 alloc_thread_stack_node /root/linux/kernel/fork.c:309
 dup_task_struct /root/linux/kernel/fork.c:1118
 copy_process+0x13e3/0x73f0 /root/linux/kernel/fork.c:2327
 kernel_clone+0xfd/0x920 /root/linux/kernel/fork.c:2909
 kernel_thread+0xc0/0x100 /root/linux/kernel/fork.c:2971
 create_kthread /root/linux/kernel/kthread.c:411
 kthreadd+0x4fb/0x7d0 /root/linux/kernel/kthread.c:746
 ret_from_fork+0x45/0x80 /root/linux/arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 /root/linux/arch/x86/entry/entry_64.S:304

Memory state around the buggy address:
 ffff888049609f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88804960a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804960a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff88804960a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804960a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
```


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

Supporting files:


If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/

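The interleaving from the Analysis section, replayed deterministically in a userspace C model (an added example, not code from the report or from the kernel). `struct dev`, `dev_get()`, `dev_put()` and `vdev_set_udev()` are hypothetical stand-ins, the starting reference count of 2 is an assumption, and the mutex-protected swap is one possible way to serialize the two paths, not the upstream fix.

```c
#include <pthread.h>
#include <stddef.h>

struct dev { int refs, freed, uaf; };     /* constructed stand-in for struct usb_device */
struct vdev { pthread_mutex_t lock; struct dev *udev; };

static struct dev *dev_get(struct dev *d) /* models usb_get_dev() */
{
    if (d && d->freed) d->uaf++;          /* KASAN would report this access */
    else if (d) d->refs++;
    return d;
}
static void dev_put(struct dev *d)        /* models usb_put_dev() */
{
    if (d && d->freed) d->uaf++;
    else if (d && --d->refs == 0) d->freed = 1;   /* last reference dropped */
}

/* Replays the report's interleaving; returns accesses to the freed object. */
int replay_unserialized(void)
{
    struct dev d = { .refs = 2 };         /* assumed: hub's ref + vdev->udev's ref */
    struct vdev v = { PTHREAD_MUTEX_INITIALIZER, &d };
    dev_put(v.udev);                      /* reset path: put, pointer still set */
    dev_put(v.udev);                      /* enqueue path: second put frees d */
    v.udev = dev_get(&d);                 /* enqueue path: get on urb->dev, same object */
    v.udev = NULL;                        /* reset path finishes */
    return d.uaf;
}

/* Hypothetical helper: take the new reference first, swap under the lock,
 * and let only the path that removed 'old' from the slot put it. */
static void vdev_set_udev(struct vdev *v, struct dev *next)
{
    struct dev *ref = dev_get(next), *old;
    pthread_mutex_lock(&v->lock);
    old = v->udev;
    v->udev = ref;
    pthread_mutex_unlock(&v->lock);
    dev_put(old);
}

/* Same two paths through the helper; returns 0 when d is neither freed nor misused. */
int replay_serialized(void)
{
    struct dev d = { .refs = 2 };
    struct vdev v = { PTHREAD_MUTEX_INITIALIZER, &d };
    vdev_set_udev(&v, NULL);              /* reset path */
    vdev_set_udev(&v, &d);                /* enqueue path */
    return d.uaf + d.freed;
}
```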
Comments

Greg Kroah-Hartman Feb. 16, 2024, 5:37 p.m. UTC | #1
On Fri, Feb 16, 2024 at 05:27:57PM +0000, zdi-disclosures@trendmicro.com wrote:
> Hello,
> Do you have any updates to share regarding this vulnerability? The 120-day deadline for this case was January 31, 2024. We will publish this soon in accordance with the ZDI 120-day Disclosure policy if there is not an available fix.

I asked some questions to this, a few hours after you sent this to us,
yet we received no response and as such it did not go anywhere.

So this is all on you now.

Also note, you are talking on a public mailing list, there is not much
left to "disclose" :)

thanks,

greg k-h

Patch

diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index 37d1fc34e..7242244d7 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -11,7 +11,7 @@ 
 #include <linux/module.h>
 #include <linux/platform_device.h>
 #include <linux/slab.h>
-
+#include <linux/delay.h>
 #include "usbip_common.h"
 #include "vhci.h"

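Review bot: The added `#include <linux/delay.h>` at the top of the include block replaces the blank line that separated the `<linux/...>` headers from the local `"usbip_common.h"` and `"vhci.h"` includes. Keep the separator and place the header with the other `<linux/...>` lines. It is needed only for the `mdelay()` calls added further down, so it should go away together with them.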
@@ -781,6 +781,7 @@  static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
                                usbip_dbg_vhci_hc(
                                        "Not yet?:Get_Descriptor to device 0 (get max pipe size)\n");

+                       mdelay(200);
                        usb_put_dev(vdev->udev);
                        vdev->udev = usb_get_dev(urb->dev);
                        goto out;
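Review bot: In vhci_urb_enqueue(), `mdelay(200)` before `usb_put_dev(vdev->udev)` only widens the window; nothing in this hunk serializes the put and the following `vdev->udev = usb_get_dev(urb->dev)` against the `usb_put_dev(vdev->udev)` in vhci_device_reset(), so both paths can drop the same reference. A fix should take the new reference first, swap `vdev->udev` under a lock that the reset path also holds, and only then put the old pointer. A 200 ms busy-wait in the URB submission path is a reproducer aid and should not be merged.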
@@ -1075,6 +1076,7 @@  static void vhci_device_reset(struct usbip_device *ud)
        vdev->devid  = 0;

        usb_put_dev(vdev->udev);
+       mdelay(200);
        vdev->udev = NULL;

        if (ud->tcp_socket) {
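Review bot: In vhci_device_reset(), the `mdelay(200)` sits between `usb_put_dev(vdev->udev)` and `vdev->udev = NULL`, which exposes the ordering problem: the reference is dropped while the pointer is still published, so a concurrent user of `vdev->udev` sees a pointer that no longer holds a reference. Reorder so the pointer is cleared first (copy it to a local, store NULL under the lock shared with vhci_urb_enqueue(), then call usb_put_dev() on the local) and drop the delay.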