Oracle Linux: (CVE-2021-47118) ELSA-2024-3618: kernel update

Description

In the Linux kernel, the following vulnerability has been resolved:

pid: take a reference when initializing `cad_pid`

During boot, kernel_init_freeable() initializes `cad_pid` to the init

task's struct pid. Later on, we may change `cad_pid` via a sysctl, and

when this happens proc_do_cad_pid() will increment the refcount on the

new pid via get_pid(), and will decrement the refcount on the old pid

via put_pid(). As we never called get_pid() when we initialized

`cad_pid`, we decrement a reference we never incremented, can therefore

free the init task's struct pid early. As there can be dangling

references to the struct pid, we can later encounter a use-after-free

(e.g. when delivering signals).

This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to

have been around since the conversion of `cad_pid` to struct pid in

commit 9ec52099e4b8 ("[PATCH] replace cad_pid by a struct pid") from the

pre-KASAN stone age of v2.6.19.

Fix this by getting a reference to the init task's struct pid when we

assign it to `cad_pid`.

Full KASAN splat below.

==================================================================

BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline]

BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509

Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273

CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1

Hardware name: linux,dummy-virt (DT)

Call trace:

ns_of_pid include/linux/pid.h:153 [inline]

task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509

do_notify_parent+0x308/0xe60 kernel/signal.c:1950

exit_notify kernel/exit.c:682 [inline]

do_exit+0x2334/0x2bd0 kernel/exit.c:845

do_group_exit+0x108/0x2c8 kernel/exit.c:922

get_signal+0x4e4/0x2a88 kernel/signal.c:2781

do_signal arch/arm64/kernel/signal.c:882 [inline]

do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936

work_pending+0xc/0x2dc

Allocated by task 0:

slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516

slab_alloc_node mm/slub.c:2907 [inline]

slab_alloc mm/slub.c:2915 [inline]

kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920

alloc_pid+0xdc/0xc00 kernel/pid.c:180

copy_process+0x2794/0x5e18 kernel/fork.c:2129

kernel_clone+0x194/0x13c8 kernel/fork.c:2500

kernel_thread+0xd4/0x110 kernel/fork.c:2552

rest_init+0x44/0x4a0 init/main.c:687

arch_call_rest_init+0x1c/0x28

start_kernel+0x520/0x554 init/main.c:1064

0x0

Freed by task 270:

slab_free_hook mm/slub.c:1562 [inline]

slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600

slab_free mm/slub.c:3161 [inline]

kmem_cache_free+0x224/0x8e0 mm/slub.c:3177

put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114

put_pid+0x30/0x48 kernel/pid.c:109

proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401

proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591

proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617

call_write_iter include/linux/fs.h:1977 [inline]

new_sync_write+0x3ac/0x510 fs/read_write.c:518

vfs_write fs/read_write.c:605 [inline]

vfs_write+0x9c4/0x1018 fs/read_write.c:585

ksys_write+0x124/0x240 fs/read_write.c:658

__do_sys_write fs/read_write.c:670 [inline]

__se_sys_write fs/read_write.c:667 [inline]

__arm64_sys_write+0x78/0xb0 fs/read_write.c:667

__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]

invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]

el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129

do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168

el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416

el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432

el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701

The buggy address belongs to the object at ffff23794dda0000

which belongs to the cache pid of size 224

The buggy address is located 4 bytes inside of

224-byte region [ff

---truncated---