In the Linux kernel, the following vulnerability has been resolved:
bootconfig: use memblock_free_late to free xbc memory to buddy
By the time xbc memory is freed in xbc_exit(), memblock may have already handed its memory over to the buddy allocator, so it doesn't make sense to free memory back to memblock. memblock_free() called by xbc_exit() even causes UAF bugs on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled, like x86. The following KASAN log shows this case.
This patch fixes the xbc memory free problem by calling memblock_free() in the early xbc init error rewind path and calling memblock_free_late() in the xbc exit path, so that the memory is freed to the buddy allocator.
[    9.410890] ==================================================================
[    9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260
[    9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1

[    9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G     U             6.9.0-rc3-00208-g586b5dfb51b9 #5
[    9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023
[    9.460789] Call Trace:
[    9.463518]  <TASK>
[    9.465859]  dump_stack_lvl+0x53/0x70
[    9.469949]  print_report+0xce/0x610
[    9.473944]  ? __virt_addr_valid+0xf5/0x1b0
[    9.478619]  ? memblock_isolate_range+0x12d/0x260
[    9.483877]  kasan_report+0xc6/0x100
[    9.487870]  ? memblock_isolate_range+0x12d/0x260
[    9.493125]  memblock_isolate_range+0x12d/0x260
[    9.498187]  memblock_phys_free+0xb4/0x160
[    9.502762]  ? __pfx_memblock_phys_free+0x10/0x10
[    9.508021]  ? mutex_unlock+0x7e/0xd0
[    9.512111]  ? __pfx_mutex_unlock+0x10/0x10
[    9.516786]  ? kernel_init_freeable+0x2d4/0x430
[    9.521850]  ? __pfx_kernel_init+0x10/0x10
[    9.526426]  xbc_exit+0x17/0x70
[    9.529935]  kernel_init+0x38/0x1e0
[    9.533829]  ? _raw_spin_unlock_irq+0xd/0x30
[    9.538601]  ret_from_fork+0x2c/0x50
[    9.542596]  ? __pfx_kernel_init+0x10/0x10
[    9.547170]  ret_from_fork_asm+0x1a/0x30
[    9.551552]  </TASK>

[    9.555649] The buggy address belongs to the physical page:
[    9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30
[    9.570821] flags: 0x200000000000000(node=0|zone=2)
[    9.576271] page_type: 0xffffffff()
[    9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000
[    9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[    9.597476] page dumped because: kasan: bad access detected

[    9.605362] Memory state around the buggy address:
[    9.610714]  ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    9.618786]  ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    9.634930]                    ^
[    9.638534]  ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    9.646605]  ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    9.654675] ==================================================================
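To make the allocator handoff concrete, here is an added userspace model of the two free paths; it is not the kernel's or the patch's code. The names reset, reserve_xbc, handoff_to_buddy, the model_* functions and the scenario_* functions are all assumed, and a page bitmap stands in for the real buddy allocator.

```c
#include <stdbool.h>
#include <stddef.h>
/* Userspace model of the two allocator phases: an illustration, not kernel code. */
enum { NPAGES = 16 };
struct region { size_t start, npages; };
static struct region reserved[4];   /* stands in for memblock.reserved */
static size_t nreserved;
static bool regions_discarded;      /* memblock tables freed at buddy handoff (!ARCH_KEEP_MEMBLOCK) */
static bool buddy_free[NPAGES];     /* pages owned by the buddy free lists */
static int stale_reads;             /* reads of the discarded region array: the use-after-free */
static void reset(void) {           /* fresh boot state for each scenario */
    nreserved = 0; regions_discarded = false; stale_reads = 0;
    for (size_t p = 0; p < NPAGES; p++) buddy_free[p] = false;
}
/* Early xbc_init(): the bootconfig data is reserved through memblock. */
static void reserve_xbc(size_t start, size_t n) { reserved[nreserved++] = (struct region){ start, n }; }
/* memblock_free_all(): buddy takes over and, without ARCH_KEEP_MEMBLOCK, memblock's tables are freed. */
static void handoff_to_buddy(void) { regions_discarded = true; }
/* memblock_free() model: walks memblock.reserved, as memblock_isolate_range() does in the log above. */
static bool model_memblock_free(size_t start, size_t npages) {
    if (regions_discarded) { stale_reads++; return false; }  /* the read KASAN reports */
    for (size_t i = 0; i < nreserved; i++)
        if (reserved[i].start == start && reserved[i].npages == npages) {
            reserved[i] = reserved[--nreserved];
            return true;
        }
    return false;
}
/* memblock_free_late() model: pages go straight to buddy; memblock's tables are never touched. */
static bool model_memblock_free_late(size_t start, size_t npages) {
    for (size_t p = start; p < start + npages && p < NPAGES; p++) buddy_free[p] = true;
    return true;
}
/* The fix: memblock_free() only on the early error-rewind path, memblock_free_late() at xbc_exit(). */
static bool xbc_free_mem(size_t start, size_t npages, bool early) {
    return early ? model_memblock_free(start, npages) : model_memblock_free_late(start, npages);
}

int scenario_old_exit(void) {       /* old xbc_exit(): memblock_free() after the handoff */
    reset(); reserve_xbc(4, 2); handoff_to_buddy(); model_memblock_free(4, 2);
    return stale_reads;             /* 1: the stale read behind the KASAN report */
}
bool scenario_fixed_exit(void) {    /* fixed xbc_exit(): pages reach buddy, no stale read */
    reset(); reserve_xbc(4, 2); handoff_to_buddy();
    return xbc_free_mem(4, 2, false) && stale_reads == 0 && buddy_free[4] && buddy_free[5];
}
bool scenario_early_rewind(void) {  /* init error rewind: memblock still owns the pages */
    reset(); reserve_xbc(4, 2);
    return xbc_free_mem(4, 2, true) && nreserved == 0 && stale_reads == 0;
}
```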