ACK: [SRU][CVE-2021-3348][G/B][PATCH 0/1] nbd: freeze the queue while we're adding connections

Tim Gardner tim.gardner at canonical.com
Fri Mar 5 12:42:05 UTC 2021


Acked-by: Tim Gardner <tim.gardner at canonical.com>

On 3/4/21 7:01 AM, William Breathitt Gray wrote:
> SRU Justification
> =================
> 
> [Impact]
> 
> nbd_add_socket in drivers/block/nbd.c in the Linux kernel through
> 5.10.12 has an nbd_queue_rq use-after-free that could be triggered by
> local attackers (with access to the nbd device) via an I/O request at a
> certain point during device setup, aka CID-b98e762e3d71.
> 
> [Fix]
> 
> When setting up a device, we can krealloc the config->socks array to add
> new sockets to the configuration.  However, if we happen to get an IO
> request in at this point, even though we aren't set up, we could hit a UAF,
> as we deref config->socks without any locking, assuming that the
> configuration was set up already and that ->socks is safe to access as
> we have a reference on the configuration.
> 
> But there's nothing really preventing IO from occurring at this point of
> the device setup, and we don't want to incur the overhead of a lock to
> access ->socks when it will never change while the device is running.
> To fix this UAF scenario, simply freeze the queue if we are adding
> sockets.  This will protect us from this particular case without adding
> any additional overhead for the normal running case.
> 
> [Testing]
> 
> A privileged user can trigger this race condition by attempting to
> change the block size while adding a new socket at the same time. This
> can be accomplished by executing the NBD_SET_SIZE_BLOCKS ioctl and the
> NBD_SET_SOCK ioctl together: the NBD_SET_SIZE_BLOCKS ioctl will call
> nbd_size_set(), which will change the block size; the NBD_SET_SOCK ioctl
> will call nbd_add_socket(), which will invoke krealloc() to update a
> block, freeing it and reallocating a new one, but nbd_queue_rq() is
> running and calls nbd_handle_cmd(), which will use config->sock and
> access config->socks without any locking.
> 
> [Where problems could occur]
> 
> This fix only touches the nbd_add_socket() function. It freezes the
> queue for the reallocation of the ->socks array. If a problem occurs, it
> will likely manifest as a frozen queue that persists after a
> reallocation of the socks array such as when adding new sockets to the
> configuration.
> 
> [Miscellaneous]
> 
> Focal already has the fix pending. The remaining main kernels are Groovy
> and Bionic, to which this patchset adds the fix as a cherry pick and a
> backport respectively.
> 
> Josef Bacik (1):
>    nbd: freeze the queue while we're adding connections
> 
>   drivers/block/nbd.c | 8 ++++++++
>   1 file changed, 8 insertions(+)
> 

-- 
-----------
Tim Gardner
Canonical, Inc
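The quoted justification describes the race in prose. The following user-space C model is an added illustration, not part of this message, of the Ubuntu SRU, or of the kernel patch itself: it plays the two sides of the race against each other with a deterministic round-robin scheduler so the bad interleaving is reproducible, and shows why freezing the queue around the krealloc closes the window. All names here (config_model, request_step, add_socket_step, run_device_setup) are hypothetical; the frozen flag and in_flight counter stand in for the block layer's blk_mq_freeze_queue()/blk_mq_unfreeze_queue() and blk_queue_enter()/blk_queue_exit(), and the krealloc of config->socks is modelled as malloc+copy+free so that the array always moves and a stale holder is always detectable.

```c
/* Added model of the nbd "freeze the queue while adding connections" fix.
 * Not kernel code: the block layer's freeze/enter/exit are a flag and a
 * counter, and requests are stepped by a deterministic scheduler. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sock_model { int fd; };

struct config_model {
	struct sock_model **socks;   /* config->socks: grown while adding connections */
	int num_connections;
	bool frozen;                 /* queue frozen: no new request may enter */
	int in_flight;               /* requests that entered and have not exited */
	int stale_uses;              /* requests that used an already-freed ->socks block */
};

/* One nbd_queue_rq()->nbd_handle_cmd() request, split into schedulable steps. */
enum req_state { REQ_IDLE, REQ_ENTERED, REQ_HOLDING, REQ_DONE };
struct request { enum req_state st; struct sock_model **seen; int left; };

static void request_step(struct config_model *cfg, struct request *r)
{
	switch (r->st) {
	case REQ_IDLE:
		if (r->left == 0 || cfg->frozen)  /* blk_queue_enter() blocks while frozen */
			return;
		cfg->in_flight++;
		r->st = REQ_ENTERED;
		return;
	case REQ_ENTERED:                     /* unlocked read of config->socks ... */
		r->seen = cfg->socks;
		r->st = REQ_HOLDING;
		return;
	case REQ_HOLDING:                     /* ... dereferenced some time later */
		if (r->seen != cfg->socks)        /* the block it holds was freed meanwhile */
			cfg->stale_uses++;
		cfg->in_flight--;                 /* blk_queue_exit() */
		r->left--;
		r->st = r->left ? REQ_IDLE : REQ_DONE;
		return;
	case REQ_DONE:
		return;
	}
}

/* nbd_add_socket() shape: grow ->socks by one. Returns true once the socket
 * is in; with use_freeze it returns false while in-flight requests drain. */
static bool add_socket_step(struct config_model *cfg, int fd, bool use_freeze)
{
	int n = cfg->num_connections;
	struct sock_model **grown;
	struct sock_model *s;

	if (use_freeze) {
		cfg->frozen = true;               /* blk_mq_freeze_queue(): stop new entries ... */
		if (cfg->in_flight > 0)
			return false;                 /* ... and wait until the queue is drained */
	}
	s = calloc(1, sizeof(*s));
	grown = malloc((n + 1) * sizeof(*grown));   /* krealloc: may move; here always does */
	if (!s || !grown)
		abort();                          /* model only: treat OOM as fatal */
	s->fd = fd;
	memcpy(grown, cfg->socks, n * sizeof(*grown));
	grown[n] = s;
	free(cfg->socks);                     /* old block gone: any holder is now stale */
	cfg->socks = grown;
	cfg->num_connections = n + 1;
	if (use_freeze)
		cfg->frozen = false;              /* blk_mq_unfreeze_queue() */
	return true;
}

/* Interleave n_req request streams (reqs_each requests each) with n_add socket
 * additions. Returns how many requests used a freed ->socks block. */
int run_device_setup(bool use_freeze, int n_req, int reqs_each, int n_add)
{
	struct config_model cfg = { 0 };
	struct request reqs[16];
	int added = 0, next_fd = 4;

	if (n_req > 16)
		n_req = 16;
	add_socket_step(&cfg, 3, false);      /* first connection, before any I/O exists */
	for (int i = 0; i < n_req; i++)
		reqs[i] = (struct request){ REQ_IDLE, NULL, reqs_each };
	for (int tick = 0; tick < 100000; tick++) {
		bool busy = false;
		for (int i = 0; i < n_req; i++) {
			request_step(&cfg, &reqs[i]);
			busy |= reqs[i].st != REQ_DONE;
		}
		if (added < n_add && add_socket_step(&cfg, next_fd, use_freeze)) {
			added++;
			next_fd++;
		}
		if (!busy && added == n_add)
			break;
	}
	for (int i = 0; i < cfg.num_connections; i++)
		free(cfg.socks[i]);
	free(cfg.socks);
	return cfg.stale_uses;
}

int main(void)
{
	printf("without freeze: %d stale uses\n", run_device_setup(false, 2, 3, 3));
	printf("with freeze:    %d stale uses\n", run_device_setup(true, 2, 3, 3));
	return 0;
}
```

Without the freeze, a request that has already read config->socks keeps stepping while add_socket_step() frees the block under it, which is the nbd_handle_cmd() dereference the CVE describes; with the freeze, add_socket_step() cannot reallocate until in_flight drops to zero and no new request can enter while it does, so the count of stale uses is zero on every schedule. The model never takes a lock on the normal I/O path, which is the property the patch preserves.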


