CVE-2024-56693

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> brd: defer automatic disk creation until module initialization succeeds<br /> <br /> My colleague Wupeng found the following problems during fault injection:<br /> <br /> BUG: unable to handle page fault for address: fffffbfff809d073<br /> PGD 6e648067 P4D 123ec8067 PUD 123ec4067 PMD 100e38067 PTE 0<br /> Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> CPU: 5 UID: 0 PID: 755 Comm: modprobe Not tainted 6.12.0-rc3+ #17<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br /> 1.16.1-2.fc37 04/01/2014<br /> RIP: 0010:__asan_load8+0x4c/0xa0<br /> ...<br /> Call Trace:<br /> <br /> blkdev_put_whole+0x41/0x70<br /> bdev_release+0x1a3/0x250<br /> blkdev_release+0x11/0x20<br /> __fput+0x1d7/0x4a0<br /> task_work_run+0xfc/0x180<br /> syscall_exit_to_user_mode+0x1de/0x1f0<br /> do_syscall_64+0x6b/0x170<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> loop_init() is calling loop_add() after __register_blkdev() succeeds and<br /> is ignoring disk_add() failure from loop_add(), for loop_add() failure<br /> is not fatal and successfully created disks are already visible to<br /> bdev_open().<br /> <br /> brd_init() is currently calling brd_alloc() before __register_blkdev()<br /> succeeds and is releasing successfully created disks when brd_init()<br /> returns an error. This can cause UAF for the latter two case:<br /> <br /> case 1:<br /> T1:<br /> modprobe brd<br /> brd_init<br /> brd_alloc(0) // success<br /> add_disk<br /> disk_scan_partitions<br /> bdev_file_open_by_dev // alloc file<br /> fput // won&amp;#39;t free until back to userspace<br /> brd_alloc(1) // failed since mem alloc error inject<br /> // error path for modprobe will release code segment<br /> // back to userspace<br /> __fput<br /> blkdev_release<br /> bdev_release<br /> blkdev_put_whole<br /> bdev-&gt;bd_disk-&gt;fops-&gt;release // fops is freed now, UAF!<br /> <br /> case 2:<br /> T1: T2:<br /> modprobe brd<br /> brd_init<br /> brd_alloc(0) // success<br /> open(/dev/ram0)<br /> brd_alloc(1) // fail<br /> // error path for modprobe<br /> <br /> close(/dev/ram0)<br /> ...<br /> /* UAF! */<br /> bdev-&gt;bd_disk-&gt;fops-&gt;release<br /> <br /> Fix this problem by following what loop_init() does. Besides,<br /> reintroduce brd_devices_mutex to help serialize modifications to<br /> brd_list.