In the Linux kernel, the following vulnerability has been resolved:
blktrace: Fix uaf in blk_trace access after removing by sysfs
There is a use-after-free problem triggered by the following process:
      P1(sda)                             P2(sdb)
                                  echo 0 > /sys/block/sdb/trace/enable
                                    blk_trace_remove_queue
                                      synchronize_rcu
                                      blk_trace_free
                                        relay_close
rcu_read_lock
__blk_add_trace
  trace_note_tsk
  (Iterate running_trace_list)
                                          relay_close_buf
                                            relay_destroy_buf
                                              kfree(buf)
    trace_note(sdb's bt)
      relay_reserve
        buf->offset <- nullptr dereference (use-after-free) !!!
rcu_read_unlock
[  502.714379] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  502.715260] #PF: supervisor read access in kernel mode
[  502.715903] #PF: error_code(0x0000) - not-present page
[  502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
[  502.717252] Oops: 0000 [#1] SMP
[  502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
[  502.732872] Call Trace:
[  502.733193]  __blk_add_trace.cold+0x137/0x1a3
[  502.733734]  blk_add_trace_rq+0x7b/0xd0
[  502.734207]  blk_add_trace_rq_issue+0x54/0xa0
[  502.734755]  blk_mq_start_request+0xde/0x1b0
[  502.735287]  scsi_queue_rq+0x528/0x1140
...
[  502.742704]  sg_new_write.isra.0+0x16e/0x3e0
[  502.747501]  sg_ioctl+0x466/0x1100
Reproduce method:
  ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sda, BLKTRACESTART)
  ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sdb, BLKTRACESTART)

  echo 0 > /sys/block/sdb/trace/enable &
  // Add delay(mdelay/msleep) before kernel enters blk_trace_free()

  ioctl$SG_IO(/dev/sda, SG_IO, ...)
  // Enters trace_note_tsk() after blk_trace_free() returned
  // Use mdelay in rcu region rather than msleep(which may schedule out)
Fix this by removing the blk_trace from running_list before blk_trace_free() is called via sysfs, whenever the blk_trace is in the Blktrace_running state.
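As an added illustration (not part of the advisory or of the kernel patch), the following userspace C model contrasts the two teardown orders: in the buggy order the tracer stays linked on running_list across the free, so a reader walking the list as trace_note_tsk() does still reaches it, while the fixed order unlinks it first. Every name here is a constructed stand-in for the kernel structures; buf_freed replaces the actual kfree(buf), and synchronize_rcu() appears only in comments.

```c
#include <stdbool.h>
/* Constructed userspace model of the blktrace teardown order, not kernel code:
 * a tracer is linked on running_list while Blktrace_running, and a reader
 * walking that list must never reach one whose relay buffer is already freed. */
enum state { Blktrace_setup, Blktrace_running, Blktrace_stopped };

struct tracer {
	enum state trace_state;
	struct tracer *next;  /* link in running_list */
	bool buf_freed;       /* stands in for kfree(buf); freed memory is UB to read */
};
static struct tracer *running_list;

/* Buggy order from the advisory: free while still linked. A synchronize_rcu()
 * beforehand cannot help, since nothing was unlinked before the grace period. */
static void remove_buggy(struct tracer *bt) { bt->buf_freed = true; }

/* Fixed order: unlink first if still running, let readers drain
 * (synchronize_rcu() in the kernel), and only then free. */
static void remove_fixed(struct tracer *bt)
{
	if (bt->trace_state == Blktrace_running) {
		bt->trace_state = Blktrace_stopped;
		for (struct tracer **pp = &running_list; *pp; pp = &(*pp)->next)
			if (*pp == bt) { *pp = bt->next; break; }
	}
	bt->buf_freed = true;
}

/* Model of trace_note_tsk(): count tracers reached after their buffer was
 * freed (each is a use-after-free in the kernel); 0 means the walk is safe. */
static int trace_note_tsk_model(void)
{
	int uaf = 0;
	for (struct tracer *bt = running_list; bt; bt = bt->next)
		uaf += bt->buf_freed;
	return uaf;
}

/* Trace sda and sdb, tear down sdb with one order, then walk the list as __blk_add_trace() would. */
static int run_scenario(bool fixed)
{
	struct tracer sda = {0}, sdb = {0};
	sda.trace_state = sdb.trace_state = Blktrace_running;
	sdb.next = &sda;      /* running_list: sdb -> sda */
	running_list = &sdb;
	if (fixed) remove_fixed(&sdb); else remove_buggy(&sdb);
	return trace_note_tsk_model();
}
```

run_scenario(false) reports one tracer reached after its free, run_scenario(true) reports none; the difference is only the unlink-before-free ordering the fix introduces.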