[SRU][CVE-2021-3348][G/B][PATCH 0/1] nbd: freeze the queue while we're adding connections

William Breathitt Gray william.gray at canonical.com
Thu Mar 4 14:01:38 UTC 2021


SRU Justification
=================

[Impact]

nbd_add_socket in drivers/block/nbd.c in the Linux kernel through
5.10.12 has an nbd_queue_rq use-after-free that could be triggered by
local attackers (with access to the nbd device) via an I/O request at a
certain point during device setup, aka CID-b98e762e3d71.

[Fix]

When setting up a device, we can krealloc the config->socks array to add
new sockets to the configuration.  However, if we happen to get an I/O
request in at this point, even though we aren't set up yet, we could hit
a UAF, as we deref config->socks without any locking, assuming that the
configuration was set up already and that ->socks is safe to access as
we have a reference on the configuration.

But there's nothing really preventing I/O from occurring at this point
of the device setup, and we don't want to incur the overhead of a lock to
access ->socks when it will never change while the device is running.
To fix this UAF scenario, simply freeze the queue while we are adding
sockets.  This will protect us from this particular case without adding
any additional overhead for the normal running case.
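
The following is an added illustration, not the page's patch and not code
from drivers/block/nbd.c: a user-space model of the ordering described
above. blk_mq_freeze_queue()/blk_mq_unfreeze_queue() are modelled with a
mutex and condition variable (new requests block while frozen, the freezer
waits for in-flight requests to drain), and krealloc() freeing the old
->socks array is modelled by poisoning the old array and keeping it
mapped, so a read of freed memory shows up as a counted "stale read"
instead of undefined behaviour. All names (nbd_config, add_socket,
queue_rq, run_scenario, ...) are hypothetical.

```c
/* Added example (not kernel code): user-space model of the nbd
 * "freeze the queue while adding connections" fix.  Hypothetical names. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON ((struct nbd_sock *)-1)  /* stands in for freed memory */
#define MAX_RETIRED 64

struct nbd_sock { int fd; };

struct nbd_config {
    struct nbd_sock **socks;      /* grown by add_socket(), read unlocked by I/O */
    int num_connections;
    pthread_mutex_t lock;         /* protects frozen/in_flight only, not ->socks */
    pthread_cond_t cv;
    int frozen;                   /* models q->mq_freeze_depth */
    int in_flight;                /* requests currently inside queue_rq() */
    struct nbd_sock **retired[MAX_RETIRED]; /* "freed" arrays, kept mapped */
    int num_retired;
    atomic_long completed, stale_reads;
};

struct scenario_result { long completed, stale; };

static void config_init(struct nbd_config *c) {
    memset(c, 0, sizeof(*c));
    pthread_mutex_init(&c->lock, NULL);
    pthread_cond_init(&c->cv, NULL);
    atomic_init(&c->completed, 0);
    atomic_init(&c->stale_reads, 0);
}

/* blk_mq_freeze_queue(): stop new requests entering, wait for in-flight ones */
static void freeze_queue(struct nbd_config *c) {
    pthread_mutex_lock(&c->lock);
    c->frozen++;
    while (c->in_flight > 0) pthread_cond_wait(&c->cv, &c->lock);
    pthread_mutex_unlock(&c->lock);
}

static void unfreeze_queue(struct nbd_config *c) {
    pthread_mutex_lock(&c->lock);
    c->frozen--;
    pthread_cond_broadcast(&c->cv);
    pthread_mutex_unlock(&c->lock);
}

/* models nbd_handle_cmd(): dereferences ->socks with no lock of its own */
static void handle_cmd(struct nbd_config *c, int index) {
    struct nbd_sock **socks = c->socks;
    sched_yield();                /* widen the window between the two reads */
    if (socks[index] == POISON) atomic_fetch_add(&c->stale_reads, 1);
    else atomic_fetch_add(&c->completed, 1);
}

/* models nbd_queue_rq() running under blk-mq's queue enter/exit accounting */
static void queue_rq(struct nbd_config *c, int index) {
    pthread_mutex_lock(&c->lock);
    while (c->frozen > 0) pthread_cond_wait(&c->cv, &c->lock);
    c->in_flight++;
    pthread_mutex_unlock(&c->lock);
    handle_cmd(c, index);
    pthread_mutex_lock(&c->lock);
    if (--c->in_flight == 0) pthread_cond_broadcast(&c->cv);
    pthread_mutex_unlock(&c->lock);
}

/* models nbd_add_socket(); freeze=1 is the fixed ordering, freeze=0 the old one */
static int add_socket(struct nbd_config *c, int fd, int freeze) {
    int n = c->num_connections;
    struct nbd_sock **old = c->socks, **socks = calloc(n + 1, sizeof(*socks));
    struct nbd_sock *ns = malloc(sizeof(*ns));
    if (!socks || !ns || c->num_retired == MAX_RETIRED) { free(socks); free(ns); return -1; }
    ns->fd = fd;
    if (freeze) freeze_queue(c);
    if (n) memcpy(socks, old, n * sizeof(*socks));
    socks[n] = ns;
    c->socks = socks;
    c->num_connections = n + 1;
    if (old) {                    /* krealloc() would free `old` here */
        for (int i = 0; i < n; i++) old[i] = POISON;
        c->retired[c->num_retired++] = old;
    }
    if (freeze) unfreeze_queue(c);
    return 0;
}

struct worker_arg { struct nbd_config *c; long iters; };

static void *io_worker(void *p) {
    struct worker_arg *a = p;
    for (long i = 0; i < a->iters; i++) queue_rq(a->c, 0);
    return NULL;
}

/* Runs `adds` connection additions against one concurrent I/O thread. */
static struct scenario_result run_scenario(int adds, long iters, int freeze) {
    struct nbd_config c;
    struct worker_arg a = { &c, iters };
    pthread_t t;
    config_init(&c);
    add_socket(&c, 3, freeze);    /* first connection exists before any I/O */
    pthread_create(&t, NULL, io_worker, &a);
    for (int i = 0; i < adds; i++) { add_socket(&c, 4 + i, freeze); sched_yield(); }
    pthread_join(&t, NULL);
    struct scenario_result r = { atomic_load(&c.completed), atomic_load(&c.stale_reads) };
    for (int i = 0; i < c.num_connections; i++) free(c.socks[i]);
    free(c.socks);
    for (int i = 0; i < c.num_retired; i++) free(c.retired[i]);
    pthread_mutex_destroy(&c.lock);
    pthread_cond_destroy(&c.cv);
    return r;
}

int main(void) {
    struct scenario_result old = run_scenario(16, 200000, 0);
    struct scenario_result fixed = run_scenario(16, 200000, 1);
    printf("without freeze: %ld completed, %ld stale reads of a freed ->socks\n",
           old.completed, old.stale);
    printf("with freeze:    %ld completed, %ld stale reads\n", fixed.completed, fixed.stale);
    return fixed.stale != 0;
}
```

With freeze=1 every request either finishes before the array is replaced
or only starts after the new array is published, so the stale count is
zero and the completed count equals the number of requests issued; the
freeze=0 run may or may not show stale reads, which is exactly why a
race of this shape is hard to catch by testing alone. Compile with
-pthread.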

[Testing]

A privileged user can trigger this race condition by attempting to
change the block size while adding a new socket at the same time. This
can be accomplished by issuing the NBD_SET_SIZE_BLOCKS ioctl and the
NBD_SET_SOCK ioctl together: the NBD_SET_SIZE_BLOCKS ioctl calls
nbd_size_set(), which changes the block size; the NBD_SET_SOCK ioctl
calls nbd_add_socket(), which invokes krealloc() to update the ->socks
block, freeing the old one and allocating a new one, while
nbd_queue_rq() is still running and calls nbd_handle_cmd(), which reads
config->socks without any locking.

[Where problems could occur]

This fix only touches the nbd_add_socket() function. It freezes the
queue for the reallocation of the ->socks array. If a problem occurs, it
will likely manifest as a frozen queue that persists after a
reallocation of the socks array such as when adding new sockets to the
configuration.

[Miscellaneous]

Focal already has the fix pending. The remaining main kernels are Groovy
and Bionic, for which this patchset adds the fix as a cherry-pick and a
backport, respectively.

Josef Bacik (1):
  nbd: freeze the queue while we're adding connections

 drivers/block/nbd.c | 8 ++++++++
 1 file changed, 8 insertions(+)

-- 
2.27.0
