ASA-2018-00091 – Linux kernel: Use-after-free in svc_process_common()


Allele Security Alert

ASA-2018-00091

Identifier(s)

ASA-2018-00091, CVE-2018-16884

Title

Use-after-free in svc_process_common()

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 4.20.3
Linux kernel versions before 4.14.94
Linux kernel versions before 4.9.151
Linux kernel versions before 4.4.171
Linux kernel versions before 3.18.133
Linux kernel versions before 3.16.64

Fixed version(s)

Linux kernel version 4.20.3
Linux kernel version 4.14.94
Linux kernel version 4.9.151
Linux kernel version 4.4.171
Linux kernel version 3.18.133
Linux kernel version 3.16.64

Proof of concept

Unknown

Description

A flaw was found in the Linux kernel in the NFS4 subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use the wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.

Technical details

If a node has NFSv41+ mounts inside several network namespaces, this can lead to a use-after-free in svc_process_common().

svc_process_common():
    /* Setup reply header */
    rqstp->rq_xprt->xpt_ops->xpo_prep_reply_hdr(rqstp);    <<< HERE

svc_process_common() can use an already freed rqstp->rq_xprt; it was assigned in bc_svc_process(), which took it from serv->sv_bc_xprt.

serv is a global structure, but sv_bc_xprt is assigned per network namespace, so if NFSv41+ shares are mounted in several containers at the same time, bc_svc_process() can use the wrong backchannel or even access freed memory.
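The following is an added userspace model of the cause described above, not kernel code and not the upstream patch: a single global serv slot that every namespace's mount overwrites, beside a variant in which each callback request uses the backchannel owned by its own client transport. The struct and function names echo the kernel's, but their bodies, the net_id field and the freed flag are constructed for illustration.

```c
#include <stdlib.h>

/* Outcomes of the modelled callback-request handling (constructed values). */
enum { BC_OK = 0, BC_WRONG_NS = -1, BC_USE_AFTER_FREE = -2 };

/* Backchannel transport; in the kernel a svc_xprt created per network namespace. */
struct bc_xprt { int net_id; int freed; };
/* Client transport; carries a reference to the backchannel it owns. */
struct rpc_xprt { int net_id; struct bc_xprt *bc_xprt; };
/* Global serv with one shared slot, the pre-fix layout the advisory describes. */
static struct { struct bc_xprt *sv_bc_xprt; } serv;

/* Mounting an NFSv4.1+ share creates the namespace's backchannel transport and
 * publishes it in the one global slot: the last mount wins. */
static struct rpc_xprt *mount_nfs41(int net_id) {
    struct bc_xprt *bc = calloc(1, sizeof *bc);
    struct rpc_xprt *xprt = calloc(1, sizeof *xprt);
    if (!bc || !xprt) abort();
    bc->net_id = xprt->net_id = net_id;
    xprt->bc_xprt = bc;
    serv.sv_bc_xprt = bc;            /* per-namespace value written into global state */
    return xprt;
}

/* Unmounting tears the backchannel down. The object is only flagged here so the
 * model can report a dangling use instead of crashing on real freed memory. */
static void umount_nfs41(struct rpc_xprt *xprt) { xprt->bc_xprt->freed = 1; }

/* Pre-fix pattern: the request takes whatever the global slot currently holds. */
static int bc_svc_process_vuln(const struct rpc_xprt *req_xprt) {
    const struct bc_xprt *rq_xprt = serv.sv_bc_xprt;
    if (rq_xprt->freed) return BC_USE_AFTER_FREE;   /* what svc_process_common() would hit */
    return rq_xprt->net_id == req_xprt->net_id ? BC_OK : BC_WRONG_NS;
}

/* Per-client pattern: use the backchannel owned by the requesting transport. */
static int bc_svc_process_fixed(const struct rpc_xprt *req_xprt) {
    const struct bc_xprt *rq_xprt = req_xprt->bc_xprt;
    if (rq_xprt->freed) return BC_USE_AFTER_FREE;
    return rq_xprt->net_id == req_xprt->net_id ? BC_OK : BC_WRONG_NS;
}

/* Namespace 1 mounts, namespace 2 mounts, a callback arrives for namespace 1,
 * namespace 2 unmounts, another callback arrives for namespace 1. */
static void run_scenario(int (*process)(const struct rpc_xprt *), int *first, int *second) {
    struct rpc_xprt *a = mount_nfs41(1), *b = mount_nfs41(2);
    *first = process(a);             /* wrong backchannel while both are mounted */
    umount_nfs41(b);
    *second = process(a);            /* dangling slot after the other namespace unmounts */
    free(a->bc_xprt); free(a); free(b->bc_xprt); free(b);
}
```

With the global slot, the first callback for namespace 1 already runs on namespace 2's transport, and once namespace 2 unmounts the slot dangles; the per-client variant returns BC_OK both times.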

Credits

Vasily Averin (Virtuozzo) and Evgenii Shatokhin (Virtuozzo)

Reference(s)

CVE-2018-16884: Linux kernel: nfs: use-after-free in svc_process_common()
https://seclists.org/oss-sec/2018/q4/267

sunrpc: use-after-free in svc_process_common()
https://github.com/torvalds/linux/commit/d4b09acf924b84bae77cad090a9d108e70b43643

NFS: callback up – users counting cleanup
https://github.com/torvalds/linux/commit/23c20ecd44750dd42e5fd53285a17ca8d8a9b0a3

Linux kernel 4.20.3
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.3

Linux kernel 4.14.94
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.94

Linux kernel 4.9.151
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.151

Linux kernel 4.4.171
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.171

Linux kernel 3.18.133
https://cdn.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.18.133

Linux kernel 3.16.64
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.64

CVE-2018-16884 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-16884

CVE-2018-16884 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16884.html

CVE-2018-16884
https://security-tracker.debian.org/tracker/CVE-2018-16884

CVE-2018-16884 | SUSE
https://www.suse.com/security/cve/CVE-2018-16884

CVE-2018-16884
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16884

CVE-2018-16884
https://nvd.nist.gov/vuln/detail/CVE-2018-16884

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.