ASA-2020-00050 – Linux kernel: Use-after-free vulnerability in cgroup BPF component


Allele Security Alert

ASA-2020-00050

Identifier(s)

ASA-2020-00050, CVE-2020-25220

Title

Use-after-free vulnerability in cgroup BPF component

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions 4.19.x before 4.19.140
Linux kernel versions 4.14.x before 4.14.194
Linux kernel versions 4.9.x before 4.9.233

Fixed version(s)

Linux kernel version 4.19.140
Linux kernel version 4.14.194
Linux kernel version 4.9.233

Linux kernel versions since the following commit:

cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f3b1d647251a94a6968a35e3d685dc8b1b24c3ff

Proof of concept

Unknown

Description

The Linux kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194, and 4.19.x before 4.19.140 has a use-after-free because skcd->no_refcnt was not considered during a backport of a CVE-2020-14356 patch.

Technical details

Part of the original fix is the following code:

+void cgroup_sk_clone(struct sock_cgroup_data *skcd)
+{
+   if (skcd->val) {
+       if (skcd->no_refcnt)
+           return;
+       /*
+        * We might be cloning a socket which is left in an empty
+        * cgroup and the cgroup might have already been rmdir'd.
+        * Don't use cgroup_get_live().
+        */
+       cgroup_get(sock_cgroup_ptr(skcd));
+       cgroup_bpf_get(sock_cgroup_ptr(skcd));
+   }
+}

However, the backported patch has the following logic:

+void cgroup_sk_clone(struct sock_cgroup_data *skcd)
+{
+   /* Socket clone path */
+   if (skcd->val) {
+       /*
+        * We might be cloning a socket which is left in an empty
+        * cgroup and the cgroup might have already been rmdir'd.
+        * Don't use cgroup_get_live().
+        */
+       cgroup_get(sock_cgroup_ptr(skcd));
+   }
+}
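Review bot: the guard `if (skcd->no_refcnt) return;` that the upstream version places before cgroup_get() is absent here, so cgroup_get(sock_cgroup_ptr(skcd)) also runs for a socket marked no_refcnt; add the early return as commit f3b1d647251a ("cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()") does. The missing cgroup_bpf_get() call is a separate difference between the two versions that this advisory does not attribute to the bug.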

The check missing from the backport is:

+       if (skcd->no_refcnt)
+           return;

Credits

Adam Zabrocki and Brad Spengler

Reference(s)

The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs (CVE-2020-14356 and CVE-2020-25220)
http://blog.pi3.com.pl/?p=720

cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f3b1d647251a94a6968a35e3d685dc8b1b24c3ff

cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
https://github.com/torvalds/linux/commit/f3b1d647251a94a6968a35e3d685dc8b1b24c3ff

cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ad0f75e5f57ccbceec13274e1e242f2b5a6397ed

cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
https://github.com/torvalds/linux/commit/ad0f75e5f57ccbceec13274e1e242f2b5a6397ed

netprio_cgroup: Fix unlimited memory leak of v2 cgroups
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=090e28b229af92dc5b40786ca673999d59e73056

netprio_cgroup: Fix unlimited memory leak of v2 cgroups
https://github.com/torvalds/linux/commit/090e28b229af92dc5b40786ca673999d59e73056

cgroup: duplicate cgroup reference when cloning sockets
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d979a39d7242e0601bf9b60e89628fb8ac577179

cgroup: duplicate cgroup reference when cloning sockets
https://github.com/torvalds/linux/commit/d979a39d7242e0601bf9b60e89628fb8ac577179

sock, cgroup: add sock->sk_cgroup
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd1060a1d67128bb8fbe2e1384c518912cbe54e7

sock, cgroup: add sock->sk_cgroup
https://github.com/torvalds/linux/commit/bd1060a1d67128bb8fbe2e1384c518912cbe54e7

Linux 4.19.140
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.140

Linux 4.9.233
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.233

Linux 4.14.194
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.194

CVE-2020-25220 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2020-25220

CVE-2020-25220
https://security-tracker.debian.org/tracker/CVE-2020-25220

CVE-2020-25220 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25220.html

CVE-2020-25220 | SUSE
https://www.suse.com/security/cve/CVE-2020-25220

CVE-2020-25220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25220

CVE-2020-25220
https://nvd.nist.gov/vuln/detail/CVE-2020-25220

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 16, 2020

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.