CVE-2021-47375

blktrace: Fix uaf in blk_trace access after removing by sysfs

Severity Score

6.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

blktrace: Fix uaf in blk_trace access after removing by sysfs

There is an use-after-free problem triggered by following process:

P1(sda) P2(sdb)
echo 0 > /sys/block/sdb/trace/enable
blk_trace_remove_queue
synchronize_rcu
blk_trace_free
relay_close
rcu_read_lock
__blk_add_trace
trace_note_tsk
(Iterate running_trace_list)
relay_close_buf
relay_destroy_buf
kfree(buf)
trace_note(sdb's bt)
relay_reserve
buf->offset <- nullptr deference (use-after-free) !!!
rcu_read_unlock

[ 502.714379] BUG: kernel NULL pointer dereference, address:
0000000000000010
[ 502.715260] #PF: supervisor read access in kernel mode
[ 502.715903] #PF: error_code(0x0000) - not-present page
[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
[ 502.717252] Oops: 0000 [#1] SMP
[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
[ 502.732872] Call Trace:
[ 502.733193] __blk_add_trace.cold+0x137/0x1a3
[ 502.733734] blk_add_trace_rq+0x7b/0xd0
[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0
[ 502.734755] blk_mq_start_request+0xde/0x1b0
[ 502.735287] scsi_queue_rq+0x528/0x1140
...
[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0
[ 502.747501] sg_ioctl+0x466/0x1100

Reproduce method:
ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
ioctl(/dev/sda, BLKTRACESTART)
ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
ioctl(/dev/sdb, BLKTRACESTART)

echo 0 > /sys/block/sdb/trace/enable &
// Add delay(mdelay/msleep) before kernel enters blk_trace_free()

ioctl$SG_IO(/dev/sda, SG_IO, ...)
// Enters trace_note_tsk() after blk_trace_free() returned
// Use mdelay in rcu region rather than msleep(which may schedule out)

Remove blk_trace from running_list before calling blk_trace_free() by
sysfs if blk_trace is at Blktrace_running state.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: blktrace: corrige uaf en el acceso a blk_trace después de eliminarlo mediante sysfs. Hay un problema de use after free desencadenado por el siguiente proceso: P1(sda) P2(sdb) echo 0 > /sys /block/sdb/trace/enable blk_trace_remove_queue sincronizar_rcu blk_trace_free relé_cerrar rcu_read_lock __blk_add_trace trace_note_tsk (Iterar running_trace_list) relé_close_buf relé_destroy_buf kfree(buf) trace_note(sdb's bt) relé_reserve buf->offset <- deferencia nullptr (uso-después) -gratis) !!! rcu_read_unlock [502.714379] ERROR: desreferencia del puntero NULL del kernel, dirección: 0000000000000010 [502.715260] #PF: acceso de lectura de supervisor en modo kernel [502.715903] #PF: error_code(0x0000) - página no presente [502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0 [ 502.717252] Vaya: 0000 [#1] SMP [ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360 [ 502.732872] Seguimiento de llamadas: [ 502.733193] 0x1a3 [502.733734] blk_add_trace_rq+ 0x7b/0xd0 [ 502.734207] blk_add_trace_rq_issue+0x54/0xa0 [ 502.734755] blk_mq_start_request+0xde/0x1b0 [ 502.735287] scsi_queue_rq+0x528/0x1140 ... [ 502.7427 04] sg_new_write.isra.0+0x16e/0x3e0 [ 502.747501] sg_ioctl+0x466/0x1100 Método de reproducción: ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) ioctl(/dev/sda, BLKTRACESTART) ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) ioctl(/dev/sdb , BLKTRACESTART) echo 0 > /sys/block/sdb/trace/enable & // Agrega retraso(mdelay/msleep) antes de que el kernel entre blk_trace_free() ioctl$SG_IO(/dev/sda, SG_IO, ...) // Entra trace_note_tsk() después de que blk_trace_free() regresara // Utilice mdelay en la región rcu en lugar de msleep (que puede programarse) Elimine blk_trace de running_list antes de llamar a blk_trace_free() mediante sysfs si blk_trace está en el estado Blktrace_running.

*Credits: N/A

CVSS Scores

CISAv3.1 6.2

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-11-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/c71a896154119f4ca9e89d6078f5f63ad60ef199	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/488da313edf3abea7f7733efe011c96b23740ab5	2021-10-06
https://git.kernel.org/stable/c/dacfd5e4d1142bfb3809aab3634a375f6f373269	2021-10-06
https://git.kernel.org/stable/c/d56171d9360c0170c5c5f8f7e2362a2e999eca40	2021-10-06
https://git.kernel.org/stable/c/677e362ba807f3aafe6f405c07e0b37244da5222	2021-10-06
https://git.kernel.org/stable/c/ebb8d26d93c3ec3c7576c52a8373a2309423c069	2021-09-30
https://git.kernel.org/stable/c/3815fe7371d2411ce164281cef40d9fc7b323dee	2021-09-30
https://git.kernel.org/stable/c/a5f8e86192612d0183047448d8bbe7918b3f1a26	2021-09-30
https://git.kernel.org/stable/c/5afedf670caf30a2b5a52da96eb7eac7dee6a9c9	2021-09-24

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.30 < 4.4.286 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.30 < 4.4.286"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.30 < 4.9.285 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.30 < 4.9.285"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.30 < 4.14.249 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.30 < 4.14.249"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.30 < 4.19.209 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.30 < 4.19.209"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.30 < 5.4.150 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.30 < 5.4.150"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.30 < 5.10.70 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.30 < 5.10.70"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.30 < 5.14.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.30 < 5.14.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.30 < 5.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.30 < 5.15"		en		Affected