The Linux kernel before 6.5.4 has an es1 use-after-free in fs/ext4/extents_status.c, related to ext4_es_insert_extent.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

ext4: fix slab-use-after-free in ext4\_es\_insert\_extent()

Yikebaer reported an issue:
==================================================================
BUG: KASAN: slab-use-after-free in ext4\_es\_insert\_extent+0xc68/0xcb0
fs/ext4/extents\_status.c:894
Read of size 4 at addr ffff888112ecc1a4 by task syz-executor/8438

CPU: 1 PID: 8438 Comm: syz-executor Not tainted 6.5.0-rc5 #1
Call Trace:
 \[...\]
 kasan\_report+0xba/0xf0 mm/kasan/report.c:588
 ext4\_es\_insert\_extent+0xc68/0xcb0 fs/ext4/extents\_status.c:894
 ext4\_map\_blocks+0x92a/0x16f0 fs/ext4/inode.c:680
 ext4\_alloc\_file\_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462
 ext4\_zero\_range fs/ext4/extents.c:4622 \[inline\]
 ext4\_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721
 \[...\]

Allocated by task 8438:
 \[...\]
 kmem\_cache\_zalloc include/linux/slab.h:693 \[inline\]
 \_\_es\_alloc\_extent fs/ext4/extents\_status.c:469 \[inline\]
 ext4\_es\_insert\_extent+0x672/0xcb0 fs/ext4/extents\_status.c:873
 ext4\_map\_blocks+0x92a/0x16f0 fs/ext4/inode.c:680
 ext4\_alloc\_file\_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462
 ext4\_zero\_range fs/ext4/extents.c:4622 \[inline\]
 ext4\_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721
 \[...\]

Freed by task 8438:
 \[...\]
 kmem\_cache\_free+0xec/0x490 mm/slub.c:3823
 ext4\_es\_try\_to\_merge\_right fs/ext4/extents\_status.c:593 \[inline\]
 \_\_es\_insert\_extent+0x9f4/0x1440 fs/ext4/extents\_status.c:802
 ext4\_es\_insert\_extent+0x2ca/0xcb0 fs/ext4/extents\_status.c:882
 ext4\_map\_blocks+0x92a/0x16f0 fs/ext4/inode.c:680
 ext4\_alloc\_file\_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462
 ext4\_zero\_range fs/ext4/extents.c:4622 \[inline\]
 ext4\_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721
 \[...\]
==================================================================

The flow of issue triggering is as follows:
1. remove es
      raw es               es  removed  es1
|-------------------| -> |----|.......|------|

2. insert es
  es   insert   es1      merge with es  es1     merge with es and free es1
|----|.......|------| -> |------------|------| -> |-------------------|

es merges with newes, then merges with es1, frees es1, then determines
if es1->es\_len is 0 and triggers a UAF.

The code flow is as follows:
ext4\_es\_insert\_extent
  es1 = \_\_es\_alloc\_extent(true);
  es2 = \_\_es\_alloc\_extent(true);
  \_\_es\_remove\_extent(inode, lblk, end, NULL, es1)
    \_\_es\_insert\_extent(inode, &newes, es1) ---> insert es1 to es tree
  \_\_es\_insert\_extent(inode, &newes, es2)
    ext4\_es\_try\_to\_merge\_right
      ext4\_es\_free\_extent(inode, es1) --->  es1 is freed
  if (es1 && !es1->es\_len)
    // Trigger UAF by determining if es1 is used.

We determine whether es1 or es2 is used immediately after calling
\_\_es\_remove\_extent() or \_\_es\_insert\_extent() to avoid triggering a
UAF if es1 or es2 is freed.

Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>
Closes: https://lore.kernel.org/lkml/CALcu4raD4h9coiyEBL4Bm0zjDwxC2CyPiTwsP3zFuhot6y9Beg@mail.gmail.com
Fixes: 2a69c45 ("ext4: using nofail preallocation in ext4\_es\_insert\_extent()")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20230815070808.3377171-1-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

*   Loading branch information

CVE-2023-45898: ext4: fix slab-use-after-free in ext4_es_insert_extent() · torvalds/linux@768d612

extract_user_to_sg in lib/scatterlist.c in the Linux kernel before 6.4.2 fails to unpin pages in a certain situation, as demonstrated by a WARNING for try_grab_page.

Hello,

When using Healer to fuzz the Linux kernel, the following crash  
was triggered on:

HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)

git tree: upstream

I tried to reproduce this bug on v6.5-rc3(HEAD commit:  
6eaae198076080886b9e7d57f4ae06fa782f90ef), it still exists.

console output:  
https://drive.google.com/file/d/1Lq71bFwtEDix82PEf\_193CLG6uh1Pjj9/view?usp=drive\_link  
kernel config: https://drive.google.com/file/d/1dApy7OR4KDYdhF96ZUowZQ1r-uLYTd-0/view?usp=drive\_link  
C reproducer: https://drive.google.com/file/d/1Dkj31wwYP7p-AEJeemD3yrIUr7-VdBqF/view?usp=drive\_link  
Syzlang reproducer:  
https://drive.google.com/file/d/1ib6zTs4srKI1RnUcHG3mSZ5HeW7rZhnd/view?usp=drive\_link

If you fix this issue, please add the following tag to the commit:  
Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>

WARNING: CPU: 0 PID: 10232 at mm/gup.c:229 try\_grab\_page+0x2dd/0x3a0  
mm/gup.c:229  
Modules linked in:  
CPU: 0 PID: 10232 Comm: syz-executor Tainted: G B 6.5.0-rc2 #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
RIP: 0010:try\_grab\_page+0x2dd/0x3a0 mm/gup.c:229  
Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65  
96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b  
e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d  
RSP: 0018:ffffc9000e99f268 EFLAGS: 00010202  
RAX: 0000000000002f80 RBX: ffffea00003ae340 RCX: ffffc90002d79000  
RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374  
RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e  
R10: ffffea00003ae377 R11: 0000000000000000 R12: ffffea00003ae374  
R13: 0000000000210052 R14: ffffea00003ae340 R15: 000000000eb8d225  
FS: 00007fc6339a4640(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000  
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 0000000000000000 CR3: 000000002c3ea000 CR4: 0000000000752ef0  
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  
PKRU: 55555554  
Call Trace:  
<TASK>  
follow\_page\_pte+0x18c/0x1610 mm/gup.c:651  
follow\_pmd\_mask mm/gup.c:727 \[inline\]  
follow\_pud\_mask mm/gup.c:765 \[inline\]  
follow\_p4d\_mask mm/gup.c:782 \[inline\]  
follow\_page\_mask+0x2e4/0xbd0 mm/gup.c:839  
\_\_get\_user\_pages+0x3fa/0xcf0 mm/gup.c:1256  
\_\_get\_user\_pages\_locked mm/gup.c:1487 \[inline\]  
get\_user\_pages\_unlocked+0x183/0x580 mm/gup.c:2387  
hva\_to\_pfn\_slow arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2536 \[inline\]  
hva\_to\_pfn+0x198/0xbc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2674  
\_\_gfn\_to\_pfn\_memslot+0x202/0x3e0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2736  
\_\_kvm\_faultin\_pfn arch/x86/kvm/mmu/mmu.c:4329 \[inline\]  
kvm\_faultin\_pfn+0x21b/0x12d0 arch/x86/kvm/mmu/mmu.c:4365  
kvm\_tdp\_mmu\_page\_fault arch/x86/kvm/mmu/mmu.c:4503 \[inline\]  
kvm\_tdp\_page\_fault+0x167/0x4d0 arch/x86/kvm/mmu/mmu.c:4549  
kvm\_mmu\_do\_page\_fault arch/x86/kvm/mmu/mmu\_internal.h:320 \[inline\]  
kvm\_mmu\_page\_fault+0x2f4/0x1a40 arch/x86/kvm/mmu/mmu.c:5756  
handle\_ept\_violation+0x20a/0x620 arch/x86/kvm/vmx/vmx.c:5760  
\_\_vmx\_handle\_exit arch/x86/kvm/vmx/vmx.c:6539 \[inline\]  
vmx\_handle\_exit+0x4a1/0x18d0 arch/x86/kvm/vmx/vmx.c:6556  
vcpu\_enter\_guest arch/x86/kvm/x86.c:10848 \[inline\]  
vcpu\_run+0x24b6/0x44b0 arch/x86/kvm/x86.c:10951  
kvm\_arch\_vcpu\_ioctl\_run+0x416/0x1830 arch/x86/kvm/x86.c:11172  
kvm\_vcpu\_ioctl+0x4de/0xcc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:4112  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x173/0x1e0 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x47959d  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fc6339a4068 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d  
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006  
RBP: 000000000059c0a0 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0ac  
R13: 000000000000000b R14: 0000000000437250 R15: 00007fc633984000  
</TASK>

Modules linked in:  
CPU: 0 PID: 10232 Comm: syz-executor Tainted: G B 6.5.0-rc2 #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
RIP: 0010:try\_grab\_page+0x2dd/0x3a0 mm/gup.c:229  
Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65  
96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b  
e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d  
RSP: 0018:ffffc9000e99f268 EFLAGS: 00010202  
RAX: 0000000000002f80 RBX: ffffea00003ae340 RCX: ffffc90002d79000  
RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374  
RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e  
R10: ffffea00003ae377 R11: 0000000000000000 R12: ffffea00003ae374  
R13: 0000000000210052 R14: ffffea00003ae340 R15: 000000000eb8d225  
FS: 00007fc6339a4640(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000  
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 0000000000000000 CR3: 000000002c3ea000 CR4: 0000000000752ef0  
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  
PKRU: 55555554  
Call Trace:  
<TASK>  
follow\_page\_pte+0x18c/0x1610 mm/gup.c:651  
follow\_pmd\_mask mm/gup.c:727 \[inline\]  
follow\_pud\_mask mm/gup.c:765 \[inline\]  
follow\_p4d\_mask mm/gup.c:782 \[inline\]  
follow\_page\_mask+0x2e4/0xbd0 mm/gup.c:839  
\_\_get\_user\_pages+0x3fa/0xcf0 mm/gup.c:1256  
\_\_get\_user\_pages\_locked mm/gup.c:1487 \[inline\]  
get\_user\_pages\_unlocked+0x183/0x580 mm/gup.c:2387  
hva\_to\_pfn\_slow arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2536 \[inline\]  
hva\_to\_pfn+0x198/0xbc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2674  
\_\_gfn\_to\_pfn\_memslot+0x202/0x3e0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2736  
\_\_kvm\_faultin\_pfn arch/x86/kvm/mmu/mmu.c:4329 \[inline\]  
kvm\_faultin\_pfn+0x21b/0x12d0 arch/x86/kvm/mmu/mmu.c:4365  
kvm\_tdp\_mmu\_page\_fault arch/x86/kvm/mmu/mmu.c:4503 \[inline\]  
kvm\_tdp\_page\_fault+0x167/0x4d0 arch/x86/kvm/mmu/mmu.c:4549  
kvm\_mmu\_do\_page\_fault arch/x86/kvm/mmu/mmu\_internal.h:320 \[inline\]  
kvm\_mmu\_page\_fault+0x2f4/0x1a40 arch/x86/kvm/mmu/mmu.c:5756  
handle\_ept\_violation+0x20a/0x620 arch/x86/kvm/vmx/vmx.c:5760  
\_\_vmx\_handle\_exit arch/x86/kvm/vmx/vmx.c:6539 \[inline\]  
vmx\_handle\_exit+0x4a1/0x18d0 arch/x86/kvm/vmx/vmx.c:6556  
vcpu\_enter\_guest arch/x86/kvm/x86.c:10848 \[inline\]  
vcpu\_run+0x24b6/0x44b0 arch/x86/kvm/x86.c:10951  
kvm\_arch\_vcpu\_ioctl\_run+0x416/0x1830 arch/x86/kvm/x86.c:11172  
kvm\_vcpu\_ioctl+0x4de/0xcc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:4112  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x173/0x1e0 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x47959d  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fc6339a4068 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d  
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006  
RBP: 000000000059c0a0 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0ac  
R13: 000000000000000b R14: 0000000000437250 R15: 00007fc633984000  
</TASK>  
Kernel panic - not syncing: kernel: panic\_on\_warn set ...  
CPU: 0 PID: 10232 Comm: syz-executor Tainted: G B 6.5.0-rc2 #1  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
Call Trace:  
<TASK>  
\_\_dump\_stack lib/dump\_stack.c:88 \[inline\]  
dump\_stack\_lvl+0x92/0xf0 lib/dump\_stack.c:106  
panic+0x570/0x620 kernel/panic.c:340  
check\_panic\_on\_warn+0x8e/0x90 kernel/panic.c:236  
\_\_warn+0xee/0x340 kernel/panic.c:673  
\_\_report\_bug lib/bug.c:199 \[inline\]  
report\_bug+0x25d/0x460 lib/bug.c:219  
handle\_bug+0x3c/0x70 arch/x86/kernel/traps.c:324  
exc\_invalid\_op+0x14/0x40 arch/x86/kernel/traps.c:345  
asm\_exc\_invalid\_op+0x16/0x20 arch/x86/include/asm/idtentry.h:568  
RIP: 0010:try\_grab\_page+0x2dd/0x3a0 mm/gup.c:229  
Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65  
96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b  
e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d  
RSP: 0018:ffffc9000e99f268 EFLAGS: 00010202  
RAX: 0000000000002f80 RBX: ffffea00003ae340 RCX: ffffc90002d79000  
RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374  
RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e  
R10: ffffea00003ae377 R11: 0000000000000000 R12: ffffea00003ae374  
R13: 0000000000210052 R14: ffffea00003ae340 R15: 000000000eb8d225  
follow\_page\_pte+0x18c/0x1610 mm/gup.c:651  
follow\_pmd\_mask mm/gup.c:727 \[inline\]  
follow\_pud\_mask mm/gup.c:765 \[inline\]  
follow\_p4d\_mask mm/gup.c:782 \[inline\]  
follow\_page\_mask+0x2e4/0xbd0 mm/gup.c:839  
\_\_get\_user\_pages+0x3fa/0xcf0 mm/gup.c:1256  
\_\_get\_user\_pages\_locked mm/gup.c:1487 \[inline\]  
get\_user\_pages\_unlocked+0x183/0x580 mm/gup.c:2387  
hva\_to\_pfn\_slow arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2536 \[inline\]  
hva\_to\_pfn+0x198/0xbc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2674  
\_\_gfn\_to\_pfn\_memslot+0x202/0x3e0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:2736  
\_\_kvm\_faultin\_pfn arch/x86/kvm/mmu/mmu.c:4329 \[inline\]  
kvm\_faultin\_pfn+0x21b/0x12d0 arch/x86/kvm/mmu/mmu.c:4365  
kvm\_tdp\_mmu\_page\_fault arch/x86/kvm/mmu/mmu.c:4503 \[inline\]  
kvm\_tdp\_page\_fault+0x167/0x4d0 arch/x86/kvm/mmu/mmu.c:4549  
kvm\_mmu\_do\_page\_fault arch/x86/kvm/mmu/mmu\_internal.h:320 \[inline\]  
kvm\_mmu\_page\_fault+0x2f4/0x1a40 arch/x86/kvm/mmu/mmu.c:5756  
handle\_ept\_violation+0x20a/0x620 arch/x86/kvm/vmx/vmx.c:5760  
\_\_vmx\_handle\_exit arch/x86/kvm/vmx/vmx.c:6539 \[inline\]  
vmx\_handle\_exit+0x4a1/0x18d0 arch/x86/kvm/vmx/vmx.c:6556  
vcpu\_enter\_guest arch/x86/kvm/x86.c:10848 \[inline\]  
vcpu\_run+0x24b6/0x44b0 arch/x86/kvm/x86.c:10951  
kvm\_arch\_vcpu\_ioctl\_run+0x416/0x1830 arch/x86/kvm/x86.c:11172  
kvm\_vcpu\_ioctl+0x4de/0xcc0 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:4112  
vfs\_ioctl fs/ioctl.c:51 \[inline\]  
\_\_do\_sys\_ioctl fs/ioctl.c:870 \[inline\]  
\_\_se\_sys\_ioctl fs/ioctl.c:856 \[inline\]  
\_\_x64\_sys\_ioctl+0x173/0x1e0 fs/ioctl.c:856  
do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
do\_syscall\_64+0x35/0xb0 arch/x86/entry/common.c:80  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x47959d  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fc6339a4068 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d  
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006  
RBP: 000000000059c0a0 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0ac  
R13: 000000000000000b R14: 0000000000437250 R15: 00007fc633984000  
</TASK>  
Dumping ftrace buffer:  
(ftrace buffer empty)  
Kernel Offset: disabled  
Rebooting in 1 seconds..

CVE-2023-40791: LKML: Yikebaer Aizezi: WARNING in try_grab_page

** DISPUTED ** An issue was discovered in the Linux kernel through 6.5.7. kvm_arch_vcpu_ioctl_run in arch/x86/kvm/x86.c allows a WARN_ON_ONCE if userspace stuffs a nonsensical vCPU state.

Messages in this thread

*   First message in thread
*   Yikebaer Aizezi
    *   Sean Christopherson
        *   Yikebaer Aizezi

Patch in this message

*   Get diff 1

Date

Thu, 3 Aug 2023 20:46:35 +0000

Subject

Re: WARNING in kvm\_arch\_vcpu\_ioctl\_run

From

On Thu, Jul 27, 2023, Yikebaer Aizezi wrote:  
\> Hello, I'm sorry for the mistake in my previous email. I forgot to add  
\> a subject. This is my second attempt to send the message.  
\>   
\> When using Healer to fuzz the latest Linux kernel, the following crash  
\> was triggered.  
\>   
\> HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)  
\>   
\> git tree: upstream  
\>   
\> console output:  
\> https://drive.google.com/file/d/1FiemC\_AWRT-6EGscpQJZNzYhXZty6BVr/view?usp=drive\_link  
\> kernel config: https://drive.google.com/file/d/1fgPLKOw7QbKzhK6ya5KUyKyFhumQgunw/view?usp=drive\_link  
\> C reproducer: https://drive.google.com/file/d/1SiLpYTZ7Du39ubgf1k1BIPlu9ZvMjiWZ/view?usp=drive\_link  
\> Syzlang reproducer:  
\> https://drive.google.com/file/d/1eWSmwvNGOlZNU-0-xsKhUgZ4WG2VLZL5/view?usp=drive\_link  
\> Similar report:  
\> https://groups.google.com/g/syzkaller-bugs/c/C2ud-S1Thh0/m/z4iI7l\_dAgAJ  
\>   
\> If you fix this issue, please add the following tag to the commit:  
\> Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>  
\>   
\> kvm: vcpu 129: requested lapic timer restore with starting count  
\> register 0x390=4241646265 (4241646265 ns) > initial count (296265111  
\> ns). Using initial count to start timer.  
\> ------------\[ cut here \]------------  
\> WARNING: CPU: 0 PID: 1977 at arch/x86/kvm/x86.c:11098  
\> kvm\_arch\_vcpu\_ioctl\_run+0x152f/0x1830 arch/x86/kvm/x86.c:11098

Well that's annoying.  The WARN is a sanity check that KVM doesn't somehow put  
the guest into an uninitialized state while emulating the guest's APIC timer, but  
I completely overlooked the fact that userspace can simply stuff the should-be-  
impossible guest state. \*sigh\*

Sadly, I think the most reasonable thing to do is to simply drop the sanity check :-(

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c  
index 0145d844283b..e9e262b244b8 100644  
\--- a/arch/x86/kvm/x86.c  
+++ b/arch/x86/kvm/x86.c  
@@ -11091,12 +11091,17 @@ int kvm\_arch\_vcpu\_ioctl\_run(struct kvm\_vcpu \*vcpu)  
                        r = -EINTR;  
                        goto out;  
                }  
+  
                /\*  
\-                \* It should be impossible for the hypervisor timer to be in  
\-                \* use before KVM has ever run the vCPU.  
\+                \* Don't bother switching APIC timer emulation from the  
\+                \* hypervisor timer to the software timer, the only way for the  
\+                \* APIC timer to be active is if userspace stuffed vCPU state,  
\+                \* i.e. put the vCPU and into a nonsensical state.  The only  
\+                \* transition out of UNINITIALIZED (without more state stuffing  
\+                \* from userspace) is an INIT, which will reset the local APIC  
\+                \* and thus smother the timer anyways, i.e. APIC timer IRQs  
\+                \* will be dropped no matter what.  
                 \*/  
\-               WARN\_ON\_ONCE(kvm\_lapic\_hv\_timer\_in\_use(vcpu));  
\-  
                kvm\_vcpu\_srcu\_read\_unlock(vcpu);  
                kvm\_vcpu\_block(vcpu);  
                kvm\_vcpu\_srcu\_read\_lock(vcpu);

CVE-2023-40790: LKML: Sean Christopherson: Re: WARNING in kvm_arch_vcpu_ioctl_run

IBM HMC (Hardware Management Console) 10.1.1010.0 and 10.2.1030.0 could allow a local user to escalate their privileges to root access on a restricted shell.  IBM X-Force ID:  260740.

CVE-2023-38280: IBM Power HMC privilege escalation CVE-2023-38280 Vulnerability Report

 SQL Injection in GitHub repository librenms/librenms prior to 23.10.0.

Expand Up @@ -37,7 +37,8 @@ } } elseif ($vars\['search\_type'\] == 'mac') { $sql = ' FROM \`ports\` AS I, \`devices\` AS D'; $sql .= " WHERE I.device\_id = D.device\_id AND \`ifPhysAddress\` LIKE '%" . trim(str\_replace(\[':', ' ', '-', '.', '0x'\], '', $vars\['address'\])) . "%' $where "; $sql .= " WHERE I.device\_id = D.device\_id AND \`ifPhysAddress\` LIKE ? $where "; $param\[\] = '%' . trim(str\_replace(\[':', ' ', '-', '.', '0x'\], '', $vars\['address'\])) . '%'; }//end if if (is\_numeric($vars\['device\_id'\])) { $sql .= ' AND I.device\_id = ?'; Expand Down

CVE-2023-5591: Fix MAC search sql injection (#15402) · librenms/librenms@908aef6

Backup, Recovery, and Media Services (BRMS) for IBM i 7.2, 7.3, and 7.4 contains a local privilege escalation vulnerability.  A malicious actor with command line access to the host operating system can elevate privileges to gain component access to the host operating system.  IBM X-Force ID:  263583.

CVE-2023-40377: IBM i privilege escalation CVE-2023-40377 Vulnerability Report

IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.  IBM X-Force ID:  256016.

CVE-2023-33836

IBM Security Verify Governance 10.0 could allow a privileged use to upload arbitrary files due to improper file validation.  IBM X-Force ID:  259382.

  

**Summary**

IBM Security Verify Governance - Identity Manager (Virtual Appliance) is vulnerable to arbitrary file upload, escalation of privileges, and sensitive information leak. These issues have been addressed in this update.

**Vulnerability Details**

**CVEID:**   CVE-2023-35903  
**DESCRIPTION:**   IBM Security Verify Governance could allow a privileged use to upload arbitrary files due to improper file validation.  
CVSS Base score: 3.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259382 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L)

**CVEID:**   CVE-2023-35018  
**DESCRIPTION:**   IBM Security Verify Governance, Identity Manager could allow a local user to escalate their privileges due to improper access controls.  
CVSS Base score: 7.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257779 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-35013  
**DESCRIPTION:**   IBM Security Verify Governance, Identity Manager could allow a local privileged user to obtain sensitive information from source code.  
CVSS Base score: 2.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257769 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

**IBM X-Force ID:**   220945  
**DESCRIPTION:**   Node.js utile module could allow a remote attacker to obtain sensitive information, caused by an uninitialized buffer allocation issue. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information from uninitialized memory or to cause a denial of service condition.  
CVSS Base score: 9.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220945 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Security Verify Governance  -  
Identity Manager virtual appliance component

All prior to 10.0.2 Fixpack 0

**Remediation/Fixes**

**IBM recommends customers update their systems promptly by downloading the following release:**

**Affected Product(s)**

**Version(s)**

**Fix Availability**

IBM Security Verify Governance -  
Identity Manager virtual appliance component

10.0.2

10.0.2.0-ISS-ISVG-IMVA-FP0000

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

John Zuccato, Rodney Ryan, Chris Shepherd, Vince Dragnea, Troy Fisher, Gabor Minyo, Geoffrey Owden, Ben Goodspeed, Dawid Bak, and Marcin Bortkiewicz from the IBM Security Ethical Hacking Team.

**Change History**

11 Oct 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBM27","label":"IBM Security Verify Governance"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"10.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2023-35018: Security Bulletin: IBM Security Verify Governance

A Universal Cross Site Scripting (UXSS) vulnerability in ClassLink OneClick Extension through 10.7 allows remote attackers to inject JavaScript into any webpage, because a regular expression (validating whether a URL is controlled by ClassLink) is not present in all applicable places.

This is the story of how I found a universal cross-site scripting vector in a browser extension used by over 10 million users.

**Introduction**

I could immediately tell I would find something as soon as my school rolled out the extension, and once I saw the permissions it requested, I knew I would find something _extra_ spicy.

the inability to disable the extension and high privileges were motivating factors in this research

**What Is This Extension?**

This extension is designed to work in tandem with ClassLink LaunchPad which enables a student to select and automatically sign into educational websites. School IT staff load their students' credentials into LaunchPad's admin console; later, when a student clicks a website on LaunchPad, it sends their credentials to the extension which signs them in.

**Suspicious Function**

While Scrolling through a pretty-printed version of injected.js, part of the code immediately attracted my attention.

**Confusion**

Why would this extension need to inject scripts into the DOM? It turns out that this is actually the primary pattern behind the whole extension. There is a bit of JavaScript for each website they integrate with that is responsible for logging a user in. ClassLink LaunchPad connects to over 6,000 websites, so I can understand why the flexibility of running unique JavaScript for each site becomes appealing.

**How Can We Exploit This?**

It would be possible to exploit the e function if we can control appResponse.pre_auth_script and the window location. This would enable an attacker to inject any script into any page, in other words, universal cross-site scripting.

**Backtracking**

Following the code backwards, I found that the e function is called from an event listener.

At first this looks trivially exploitable by sending a handle-sso message from a webpage. Unfortunately for an attacker, chrome.runtime.onMessage has protections against this. Here is a section from Message Passing (Chrome Developers).

In order to send a message to this listener, the extension would need to have an attacker-controlled domain in their manifest.json, which effectively closes off this route of exploitation.

**Sending "handle-sso"**

Because externally_connectable is not in manifest.json, we know that handle-sso messages can be only be sent from background.js. Searching for handle-sso in background.js yields this event listener:

A handle-sso message is sent when a new tab is opened, but the listener is created only after background.js receives an initiate-sso message. This message is sent by the following function in injected.js:

This s function takes in a parameter that's passed into the initiate-sso message, so calling s with user-controlled data is equivalent to universal cross-site scripting.

s is called here, but it's behind a regex that validates if the URL is controlled by ClassLink. However, this is not the only place that calls s…

**The Fundamental Flaw**

The s function is also called here:

For whatever reason, there existed a mostly copied and pasted version of the previous code snippet which omits the regex check. This code registers click handler, but only for elements with two magic classes: bg-info and js-uc.

The failure to run the regex in this case is the root cause of this vulnerability. Putting carefully crafted data into the head of the document will allow us to control the parameters of s and, by proxy, get universal cross-site scripting.

**Creating a Proof of Concept**

Here is the code for a proof of concept:

    <html>
    	<head>
    		<title>ClassLink OneClick UXSS</title>
    		<script>
    			//appResponse: JSON.parse('{"userauth": [""], "pre_auth_script": "alert(window.location)"}'),
    			//gwstokenMd5:{}
    
    			setTimeout(function() {
    				const button = document.getElementById("button");
    
    				button.click();
    				window.location.href = "https://example.com";
    			}, 200);
    		</script>
    	</head>
    	<body>
    		<button id="button" class="bg-info js-uc" data-index="0">button of doom</button>
    	</body>
    </html>
    

In the body, there's a button with the two magic classes the click handler checks. The button also has data-index="0" and appResponse has userauth set as [""] to prevent an out of bounds array index. The pre_auth_script property of appResponse functions as the payload.

**Reporting**

I was initially frustrated by the lack of official avenue to report vulnerabilities. I reported this vulnerability through the help desk, which made me a bit anxious me due to the possibility that details of my report could be intercepted by a third party. I advise that ClassLink adopts RFC 9116 (security.txt) to make it more clear to researchers where and how they should report vulnerabilities in the future.

**Timeline**

*   September 15th, 2022: vulnerability reported to ClassLink.
*   September 19th, 2022: I received an acknowledgement from ClassLink.
*   October 25th, 2022: I inquired about the status of a fix.
*   November 8th, 2022: I received notice that a patch would roll out on December 1st.
*   December 1st, 2022: The vulnerability was patched.

**Acknowledging Previous Research**

I stumbled upon research done in 2018 that was published on the Full Disclosure mailing list. They made eerily similar findings to me. The research from 2018 exploits the same function which injects scripts into the DOM, but with a different way of triggering it. I assume this research is responsible for the implementation of the URL regex check mentioned earlier in the article.

**Analysis of The Patch**

The patch adds the regex guard to the s function. I tested my proof of concept code against the latest version and confirmed that it is sufficient to prevent exploitation.

CVE-2022-48612: James Connolly's Blog

IBM Security Verify Governance 10.0, Identity Manager could allow a local privileged user to obtain sensitive information from source code.  IBM X-Force ID:  257769.

Source

CVE