ZDI-CAN-22273: New Vulnerability Report
From: zdi-disclosures@xxxxxxxxxxxxxx
Date: Fri Oct 20 2023 - 11:30:28 EST
The attachment could not be scanned for viruses because it is a password protected file.
ZDI-CAN-22273: Linux Kernel USB/IP VHCI Driver Race Condition Privilege Escalation Vulnerability
-- CVSS -----------------------------------------
7.1: AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
-- ABSTRACT -------------------------------------
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Linux - Kernel
-- VULNERABILITY DETAILS ------------------------
* Version tested:6.6-rc3
* Installer file:-
* Platform tested:debian bullseye
---
### Analysis
```
race condition bug exists in the usb/ip VHCI driver
it leads to UAF on `struct usb_device`
thread 1 thread 2
vhci_device_reset() vhci_urb_enqueue()
usb_put_dev(vdev->udev);
usb_put_dev(vdev->udev); // free
vdev->udev = usb_get_dev(urb->dev); // UAF
vdev->udev = NULL;
```
here is the patch in order to trigger the bug more easier
```
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index 37d1fc34e..7242244d7 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -11,7 +11,7 @@
#include <linux/module.h>
#include <linux/platform_device.h>
#include <linux/slab.h>
-
+#include <linux/delay.h>
#include "usbip_common.h"
#include "vhci.h"
@@ -781,6 +781,7 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
usbip_dbg_vhci_hc(
"Not yet?:Get_Descriptor to device 0 (get max pipe size)\n");
+ mdelay(200);
usb_put_dev(vdev->udev);
vdev->udev = usb_get_dev(urb->dev);
goto out;
@@ -1075,6 +1076,7 @@ static void vhci_device_reset(struct usbip_device *ud)
vdev->devid = 0;
usb_put_dev(vdev->udev);
+ mdelay(200);
vdev->udev = NULL;
if (ud->tcp_socket) {
```
KASAN report
```
==================================================================
BUG: KASAN: slab-use-after-free in kobject_get+0x130/0x140 /root/linux/lib/kobject.c:636
Read of size 1 at addr ffff88804960a0e4 by task kworker/1:1/28
CPU: 1 PID: 28 Comm: kworker/1:1 Not tainted 6.6.0-rc3-dirty #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack /root/linux/lib/dump_stack.c:88
dump_stack_lvl+0xd9/0x1b0 /root/linux/lib/dump_stack.c:106
print_address_description /root/linux/mm/kasan/report.c:364
print_report+0xc4/0x620 /root/linux/mm/kasan/report.c:475
kasan_report+0xda/0x110 /root/linux/mm/kasan/report.c:588
kobject_get+0x130/0x140 /root/linux/lib/kobject.c:636
get_device+0x22/0x30 /root/linux/drivers/base/core.c:3720
usb_get_dev+0x23/0x30 /root/linux/drivers/usb/core/usb.c:765
vhci_urb_enqueue+0x5d2/0xea0 /root/linux/drivers/usb/usbip/vhci_hcd.c:786
usb_hcd_submit_urb+0x2c5/0x2100 /root/linux/drivers/usb/core/hcd.c:1535
usb_submit_urb+0x878/0x1720 /root/linux/drivers/usb/core/urb.c:581
usb_start_wait_urb+0x103/0x4c0 /root/linux/drivers/usb/core/message.c:59
usb_internal_control_msg /root/linux/drivers/usb/core/message.c:103
usb_control_msg+0x327/0x4a0 /root/linux/drivers/usb/core/message.c:154
get_bMaxPacketSize0.constprop.0+0xa5/0x1c0 /root/linux/drivers/usb/core/hub.c:4725
hub_port_init+0xb14/0x3840 /root/linux/drivers/usb/core/hub.c:4986
hub_port_connect /root/linux/drivers/usb/core/hub.c:5369
hub_port_connect_change /root/linux/drivers/usb/core/hub.c:5580
port_event /root/linux/drivers/usb/core/hub.c:5740
hub_event+0x2b64/0x4e00 /root/linux/drivers/usb/core/hub.c:5822
process_one_work+0x884/0x15c0 /root/linux/kernel/workqueue.c:2630
process_scheduled_works /root/linux/kernel/workqueue.c:2703
worker_thread+0x8b9/0x1290 /root/linux/kernel/workqueue.c:2784
kthread+0x33c/0x440 /root/linux/kernel/kthread.c:388
ret_from_fork+0x45/0x80 /root/linux/arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 /root/linux/arch/x86/entry/entry_64.S:304
</TASK>
Allocated by task 28:
kasan_save_stack+0x33/0x50 /root/linux/mm/kasan/common.c:45
kasan_set_track+0x25/0x30 /root/linux/mm/kasan/common.c:52
____kasan_kmalloc /root/linux/mm/kasan/common.c:374
__kasan_kmalloc+0xa3/0xb0 /root/linux/mm/kasan/common.c:383
kmalloc /root/linux/./include/linux/slab.h:599
kzalloc /root/linux/./include/linux/slab.h:720
usb_alloc_dev+0x55/0xdb0 /root/linux/drivers/usb/core/usb.c:650
hub_port_connect /root/linux/drivers/usb/core/hub.c:5343
hub_port_connect_change /root/linux/drivers/usb/core/hub.c:5580
port_event /root/linux/drivers/usb/core/hub.c:5740
hub_event+0x2853/0x4e00 /root/linux/drivers/usb/core/hub.c:5822
process_one_work+0x884/0x15c0 /root/linux/kernel/workqueue.c:2630
process_scheduled_works /root/linux/kernel/workqueue.c:2703
worker_thread+0x8b9/0x1290 /root/linux/kernel/workqueue.c:2784
kthread+0x33c/0x440 /root/linux/kernel/kthread.c:388
ret_from_fork+0x45/0x80 /root/linux/arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 /root/linux/arch/x86/entry/entry_64.S:304
Freed by task 28:
kasan_save_stack+0x33/0x50 /root/linux/mm/kasan/common.c:45
kasan_set_track+0x25/0x30 /root/linux/mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 /root/linux/mm/kasan/generic.c:522
____kasan_slab_free /root/linux/mm/kasan/common.c:236
____kasan_slab_free+0x138/0x190 /root/linux/mm/kasan/common.c:200
kasan_slab_free /root/linux/./include/linux/kasan.h:164
__cache_free /root/linux/mm/slab.c:3370
__do_kmem_cache_free /root/linux/mm/slab.c:3557
__kmem_cache_free+0xcc/0x2d0 /root/linux/mm/slab.c:3564
device_release+0xa1/0x240 /root/linux/drivers/base/core.c:2484
kobject_cleanup /root/linux/lib/kobject.c:682
kobject_release /root/linux/lib/kobject.c:716
kref_put /root/linux/./include/linux/kref.h:65
kobject_put+0x1d0/0x440 /root/linux/lib/kobject.c:733
put_device+0x1f/0x30 /root/linux/drivers/base/core.c:3732
usb_put_dev+0x23/0x30 /root/linux/drivers/usb/core/usb.c:780
vhci_urb_enqueue+0x5ac/0xea0 /root/linux/drivers/usb/usbip/vhci_hcd.c:785
usb_hcd_submit_urb+0x2c5/0x2100 /root/linux/drivers/usb/core/hcd.c:1535
usb_submit_urb+0x878/0x1720 /root/linux/drivers/usb/core/urb.c:581
usb_start_wait_urb+0x103/0x4c0 /root/linux/drivers/usb/core/message.c:59
usb_internal_control_msg /root/linux/drivers/usb/core/message.c:103
usb_control_msg+0x327/0x4a0 /root/linux/drivers/usb/core/message.c:154
get_bMaxPacketSize0.constprop.0+0xa5/0x1c0 /root/linux/drivers/usb/core/hub.c:4725
hub_port_init+0xb14/0x3840 /root/linux/drivers/usb/core/hub.c:4986
hub_port_connect /root/linux/drivers/usb/core/hub.c:5369
hub_port_connect_change /root/linux/drivers/usb/core/hub.c:5580
port_event /root/linux/drivers/usb/core/hub.c:5740
hub_event+0x2b64/0x4e00 /root/linux/drivers/usb/core/hub.c:5822
process_one_work+0x884/0x15c0 /root/linux/kernel/workqueue.c:2630
process_scheduled_works /root/linux/kernel/workqueue.c:2703
worker_thread+0x8b9/0x1290 /root/linux/kernel/workqueue.c:2784
kthread+0x33c/0x440 /root/linux/kernel/kthread.c:388
ret_from_fork+0x45/0x80 /root/linux/arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 /root/linux/arch/x86/entry/entry_64.S:304
The buggy address belongs to the object at ffff88804960a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 228 bytes inside of
freed 2048-byte region [ffff88804960a000, ffff88804960a800)
The buggy address belongs to the physical page:
page:ffffea0001258280 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4960a
flags: 0x4fff00000000800(slab|node=1|zone=1|lastcpupid=0x7ff)
page_type: 0x1()
raw: 04fff00000000800 ffff888012c40800 ffffea000101fb10 ffffea00011b6310
raw: 0000000000000000 ffff88804960a000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 7649, tgid 7644 (in:imklog), ts 604730580605, free_ts 603625435624
set_page_owner /root/linux/./include/linux/page_owner.h:31
post_alloc_hook+0x2cf/0x340 /root/linux/mm/page_alloc.c:1536
prep_new_page /root/linux/mm/page_alloc.c:1543
get_page_from_freelist+0xee0/0x2f20 /root/linux/mm/page_alloc.c:3170
__alloc_pages+0x1d0/0x4a0 /root/linux/mm/page_alloc.c:4426
__alloc_pages_node /root/linux/./include/linux/gfp.h:237
kmem_getpages /root/linux/mm/slab.c:1356
cache_grow_begin+0x99/0x3a0 /root/linux/mm/slab.c:2550
cache_alloc_refill+0x294/0x3a0 /root/linux/mm/slab.c:2923
____cache_alloc /root/linux/mm/slab.c:2999
____cache_alloc /root/linux/mm/slab.c:2982
__do_cache_alloc /root/linux/mm/slab.c:3182
slab_alloc_node /root/linux/mm/slab.c:3230
__kmem_cache_alloc_node+0x3c5/0x470 /root/linux/mm/slab.c:3521
kmalloc_trace+0x25/0xe0 /root/linux/mm/slab_common.c:1114
kmalloc /root/linux/./include/linux/slab.h:599
syslog_print+0xf9/0x5d0 /root/linux/kernel/printk/printk.c:1553
do_syslog+0x2d4/0x580 /root/linux/kernel/printk/printk.c:1732
kmsg_read+0x93/0xc0 /root/linux/fs/proc/kmsg.c:37
pde_read /root/linux/fs/proc/inode.c:316
proc_reg_read+0x123/0x330 /root/linux/fs/proc/inode.c:326
vfs_read+0x1ce/0x930 /root/linux/fs/read_write.c:468
ksys_read+0x12f/0x250 /root/linux/fs/read_write.c:613
do_syscall_x64 /root/linux/arch/x86/entry/common.c:50
do_syscall_64+0x38/0xb0 /root/linux/arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd /root/linux/arch/x86/entry/entry_64.S:120
page last free stack trace:
reset_page_owner /root/linux/./include/linux/page_owner.h:24
free_pages_prepare /root/linux/mm/page_alloc.c:1136
free_unref_page_prepare+0x476/0xa40 /root/linux/mm/page_alloc.c:2312
free_unref_page+0x33/0x3b0 /root/linux/mm/page_alloc.c:2405
slab_destroy /root/linux/mm/slab.c:1608
slabs_destroy+0x85/0xc0 /root/linux/mm/slab.c:1628
cache_flusharray /root/linux/mm/slab.c:3341
___cache_free+0x2b7/0x420 /root/linux/mm/slab.c:3404
qlink_free /root/linux/mm/kasan/quarantine.c:166
qlist_free_all+0x4c/0x1b0 /root/linux/mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x18e/0x1d0 /root/linux/mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x65/0x90 /root/linux/mm/kasan/common.c:305
kasan_slab_alloc /root/linux/./include/linux/kasan.h:188
slab_post_alloc_hook /root/linux/mm/slab.h:762
slab_alloc_node /root/linux/mm/slab.c:3237
__kmem_cache_alloc_node+0x163/0x470 /root/linux/mm/slab.c:3521
__do_kmalloc_node /root/linux/mm/slab_common.c:1022
__kmalloc_node+0x52/0x110 /root/linux/mm/slab_common.c:1030
kmalloc_node /root/linux/./include/linux/slab.h:619
__vmalloc_area_node /root/linux/mm/vmalloc.c:3125
__vmalloc_node_range+0x3e9/0x1540 /root/linux/mm/vmalloc.c:3320
alloc_thread_stack_node /root/linux/kernel/fork.c:309
dup_task_struct /root/linux/kernel/fork.c:1118
copy_process+0x13e3/0x73f0 /root/linux/kernel/fork.c:2327
kernel_clone+0xfd/0x920 /root/linux/kernel/fork.c:2909
kernel_thread+0xc0/0x100 /root/linux/kernel/fork.c:2971
create_kthread /root/linux/kernel/kthread.c:411
kthreadd+0x4fb/0x7d0 /root/linux/kernel/kthread.c:746
ret_from_fork+0x45/0x80 /root/linux/arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 /root/linux/arch/x86/entry/entry_64.S:304
Memory state around the buggy address:
ffff888049609f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88804960a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804960a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88804960a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88804960a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
```
-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative
-- FURTHER DETAILS ------------------------------
Supporting files:
If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.
Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:
Zero Day Initiative
zdi-disclosures@xxxxxxxxxxxxxx
The PGP key used for all ZDI vendor communications is available from:
http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc
-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.
Please contact us for further details or refer to:
http://www.zerodayinitiative.com
-- DISCLOSURE POLICY ----------------------------
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
For details about what personal information we collect and why, please see our Privacy Notice on our website at: Read privacy policy<http://www.trendmicro.com/privacy>
Attachment:
ZDI-CAN-22273.zip
Description: ZDI-CAN-22273.zip