Description
In the Linux kernel, the following vulnerability has been resolved: nbd: defer config put in recv_work There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Or only running NBD_CLEAR_SOCK: nbd_genl_connect // conf_ref=2 nbd_open // conf_ref=3 NBD_CLEAR_SOCK // conf_ref=2 close nbd nbd_release config_put // conf_ref=1 recv_work config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the waiter") moved nbd_config_put() to run before waking up the waiter in recv_work, in order to ensure that nbd_start_device_ioctl() would not be woken up while nbd->task_recv was still uncleared. However, in nbd_start_device_ioctl(), after being woken up it explicitly calls flush_workqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup. Move nbd_config_put() to the end of recv_work, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recv_work is still running, even if clear + reconfigure interleave. In addition, we don't need to worry about recv_work dropping the last nbd_put (which causes deadlock): path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=1 (trigger recv_work) open nbd // nbd_refs=2 NBD_CLEAR_SOCK close nbd nbd_release nbd_disconnect_and_put flush_workqueue // recv_work done nbd_config_put nbd_put // nbd_refs=1 nbd_put // nbd_refs=0 queue_work path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=2 (trigger recv_work) open nbd // nbd_refs=3 NBD_CLEAR_SOCK // conf_refs=2 close nbd nbd_release nbd_config_put // conf_refs=1 nbd_put // nbd_refs=2 recv_work done // conf_refs=0, nbd_refs=1 rmmod // nbd_refs=0 Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
Product status
87aac3a80af5cbad93e63250e8a1e19095ba0d30 (git) before 198aa230a6f8c1f6af7ed26b29180749c3e79e4d
87aac3a80af5cbad93e63250e8a1e19095ba0d30 (git) before d3ba312675911ff9e3fefefd551751e153a9f0a9
87aac3a80af5cbad93e63250e8a1e19095ba0d30 (git) before 3692884bd6187d89d41eef81e5a9724519fd01c1
87aac3a80af5cbad93e63250e8a1e19095ba0d30 (git) before 1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509
87aac3a80af5cbad93e63250e8a1e19095ba0d30 (git) before 6b69593f72e1bfba6ca47ca8d9b619341fded7d6
87aac3a80af5cbad93e63250e8a1e19095ba0d30 (git) before 443a1721806b6ff6303b5229e9811d68172d622f
87aac3a80af5cbad93e63250e8a1e19095ba0d30 (git) before 742012f6bf29553fdc460bf646a58df3a7b43d01
87aac3a80af5cbad93e63250e8a1e19095ba0d30 (git) before 9517b82d8d422d426a988b213fdd45c6b417b86d
0a4e383fc3aa6540f804c4fd1184a96ae5de6ef8 (git)
2ef6f4bd60411934e3fc2715442c2afe70f84bf3 (git)
742fd49cf811ca164489e339b862e3fb8e240a73 (git)
14df8724aeeef338172e2a2d6efadc989921ca0f (git)
5.10
Any version before 5.10
5.10.248 (semver)
5.15.198 (semver)
6.1.160 (semver)
6.6.120 (semver)
6.12.63 (semver)
6.17.13 (semver)
6.18.2 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/198aa230a6f8c1f6af7ed26b29180749c3e79e4d
git.kernel.org/...c/d3ba312675911ff9e3fefefd551751e153a9f0a9
git.kernel.org/...c/3692884bd6187d89d41eef81e5a9724519fd01c1
git.kernel.org/...c/1ba2ced2bbdf7e64a30c3e88c70ea8bc208d1509
git.kernel.org/...c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6
git.kernel.org/...c/443a1721806b6ff6303b5229e9811d68172d622f
git.kernel.org/...c/742012f6bf29553fdc460bf646a58df3a7b43d01
git.kernel.org/...c/9517b82d8d422d426a988b213fdd45c6b417b86d