Re: [PATCH] atm: Fix use-after-free bug in atm_dev_register()

[Leon Romanovsky <leon@kernel.org>]

On Sat, Dec 03, 2022 at 01:09:24PM +0200, Nir Levy wrote:
> When device_register() return failed in atm_register_sysfs,
> the program will return to atm_dev_register and will kfree
> the device. As the comment of device_register() says,
> put_device() needs to be used to give up the reference
> in the error path. Using kfree instead triggers a UAF,
> as shown by the following KASAN report, obtained by causing
> device_register() to fail. This patch calls put_device instead
> of kfree when atm_register_sysfs has failed, and call kfree
> only when atm_proc_dev_register has failed.
> 
> KASAN report details as below:
> 
> [   94.341664] BUG: KASAN: use-after-free in sysfs_kf_seq_show+0x306/0x440
> [   94.341674] Read of size 8 at addr ffff88819a8a30e8 by task systemd-udevd/484
> 
> [   94.341680] CPU: 3 PID: 484 Comm: systemd-udevd Tainted: G            E      6.1.0-rc1+ #1
> [   94.341684] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 02/27/2020
> [   94.341703] Call Trace:
> [   94.341705]  <TASK>
> [   94.341707]  dump_stack_lvl+0x49/0x63
> [   94.341713]  print_report+0x177/0x46e
> [   94.341717]  ? kasan_complete_mode_report_info+0x7c/0x210
> [   94.341720]  ? sysfs_kf_seq_show+0x306/0x440
> [   94.341753]  kasan_report+0xb0/0x140
> [   94.341757]  ? sysfs_kf_seq_show+0x306/0x440
> [   94.341760]  __asan_report_load8_noabort+0x14/0x20
> [   94.341763]  sysfs_kf_seq_show+0x306/0x440
> [   94.341766]  kernfs_seq_show+0x145/0x1b0
> [   94.341769]  seq_read_iter+0x408/0x1080
> [   94.341774]  kernfs_fop_read_iter+0x3d5/0x540
> [   94.341794]  vfs_read+0x542/0x800
> [   94.341797]  ? kernel_read+0x130/0x130
> [   94.341800]  ? __kasan_check_read+0x11/0x20
> [   94.341824]  ? get_nth_filter.part.0+0x200/0x200
> [   94.341828]  ksys_read+0x116/0x220
> [   94.341831]  ? __ia32_sys_pwrite64+0x1f0/0x1f0
> [   94.341849]  ? __secure_computing+0x17c/0x2d0
> [   94.341852]  __x64_sys_read+0x72/0xb0
> [   94.341875]  do_syscall_64+0x59/0x90
> [   94.341878]  ? exc_page_fault+0x72/0xf0
> [   94.341881]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> [   94.341885] RIP: 0033:0x7fc391f14992
> [   94.341888] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
> [   94.341891] RSP: 002b:00007ffe33fed818 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> [   94.341896] RAX: ffffffffffffffda RBX: 0000000000001018 RCX: 00007fc391f14992
> [   94.341898] RDX: 0000000000001018 RSI: 0000558a696b0880 RDI: 000000000000000e
> [   94.341900] RBP: 0000558a696b0880 R08: 0000000000000000 R09: 0000558a696b0880
> [   94.341902] R10: 00007fc39201a300 R11: 0000000000000246 R12: 000000000000000e
> [   94.341904] R13: 0000000000001017 R14: 0000000000000002 R15: 00007ffe33fed840
> [   94.341908]  </TASK>
> 
> [   94.341911] Allocated by task 2613:
> [   94.341914]  kasan_save_stack+0x26/0x50
> [   94.341932]  kasan_set_track+0x25/0x40
> [   94.341934]  kasan_save_alloc_info+0x1e/0x30
> [   94.341936]  __kasan_kmalloc+0xb4/0xc0
> [   94.341938]  kmalloc_trace+0x4a/0xb0
> [   94.341941]  atm_dev_register+0x5d/0x700 [atm]
> [   94.341949]  atmtcp_create+0x77/0x1f0 [atmtcp]
> [   94.341953]  atmtcp_ioctl+0x12d/0xb9f [atmtcp]
> [   94.341957]  do_vcc_ioctl+0xfe/0x640 [atm]
> [   94.341962]  vcc_ioctl+0x10/0x20 [atm]
> [   94.341968]  svc_ioctl+0x587/0x6c0 [atm]
> [   94.341973]  sock_do_ioctl+0xd7/0x1e0
> [   94.341977]  sock_ioctl+0x1b5/0x560
> [   94.341979]  __x64_sys_ioctl+0x132/0x1b0
> [   94.341981]  do_syscall_64+0x59/0x90
> [   94.341983]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> [   94.341986] Freed by task 2613:
> [   94.341988]  kasan_save_stack+0x26/0x50
> [   94.341991]  kasan_set_track+0x25/0x40
> [   94.341993]  kasan_save_free_info+0x2e/0x50
> [   94.341995]  ____kasan_slab_free+0x174/0x1e0
> [   94.341997]  __kasan_slab_free+0x12/0x20
> [   94.342000]  slab_free_freelist_hook+0xd0/0x1a0
> [   94.342002]  __kmem_cache_free+0x193/0x2c0
> [   94.342005]  kfree+0x79/0x120
> [   94.342007]  atm_dev_register.cold+0x46/0x64 [atm]
> [   94.342013]  atmtcp_create+0x77/0x1f0 [atmtcp]
> [   94.342016]  atmtcp_ioctl+0x12d/0xb9f [atmtcp]
> [   94.342020]  do_vcc_ioctl+0xfe/0x640 [atm]
> [   94.342077]  vcc_ioctl+0x10/0x20 [atm]
> [   94.342083]  svc_ioctl+0x587/0x6c0 [atm]
> [   94.342088]  sock_do_ioctl+0xd7/0x1e0
> [   94.342091]  sock_ioctl+0x1b5/0x560
> [   94.342093]  __x64_sys_ioctl+0x132/0x1b0
> [   94.342095]  do_syscall_64+0x59/0x90
> [   94.342098]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> [   94.342102] The buggy address belongs to the object at ffff88819a8a3000 which belongs to the cache kmalloc-1k of size 1024
> [   94.342105] The buggy address is located 232 bytes inside of 1024-byte region [ffff88819a8a3000, ffff88819a8a3400)
> 
> [   94.342109] The buggy address belongs to the physical page:
> [   94.342111] page:0000000099993f0a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19a8a0
> [   94.342114] head:0000000099993f0a order:3 compound_mapcount:0 compound_pincount:0
> [   94.342116] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
> [   94.342136] raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100042dc0
> [   94.342138] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
> [   94.342139] page dumped because: kasan: bad access detected
> 
> [   94.342141] Memory state around the buggy address:
> [   94.342143]  ffff88819a8a2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   94.342145]  ffff88819a8a3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [   94.342147] >ffff88819a8a3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [   94.342148]                                                           ^
> [   94.342150]  ffff88819a8a3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [   94.342152]  ffff88819a8a3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> 
> Signed-off-by: Nir Levy <bhr166@gmail.com>
> ---
>  net/atm/resources.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Please add target in patch title - {PATCH net] ...
There is a need to add Fixes line too.

> 
> diff --git a/net/atm/resources.c b/net/atm/resources.c
> index 2b2d33eeaf20..9ec07d66783b 100644
> --- a/net/atm/resources.c
> +++ b/net/atm/resources.c
> @@ -112,12 +112,14 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
>  
>  	if (atm_proc_dev_register(dev) < 0) {
>  		pr_err("atm_proc_dev_register failed for dev %s\n", type);
> +		kfree(dev);
>  		goto out_fail;
>  	}
>  
>  	if (atm_register_sysfs(dev, parent) < 0) {
>  		pr_err("atm_register_sysfs failed for dev %s\n", type);
>  		atm_proc_dev_deregister(dev);
> +		put_device(&dev->class_dev);

The right fix is to change atm_register_sysfs() to call this put_device
and worth to get rid from device_del() which should be replaced with
device_unregister().

Thanks

>  		goto out_fail;
>  	}
>  
> @@ -128,7 +130,6 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
>  	return dev;
>  
>  out_fail:
> -	kfree(dev);
>  	dev = NULL;
>  	goto out;
>  }
> -- 
> 2.34.1
>