In the Linux kernel, the following vulnerability has been resolved: net: qrtr: Fix a refcount bug in qrtr_recvmsg() Syzbot reported a bug as following: refcount_t: addition on 0; use-after-free. ... RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25 ... Call Trace: <TASK> __refcount_add include/linux/refcount.h:199 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] kref_get include/linux/kref.h:45 [inline] qrtr_node_acquire net/qrtr/af_qrtr.c:202 [inline] qrtr_node_lookup net/qrtr/af_qrtr.c:398 [inline] qrtr_send_resume_tx net/qrtr/af_qrtr.c:1003 [inline] qrtr_recvmsg+0x85f/0x990 net/qrtr/af_qrtr.c:1070 sock_recvmsg_nosec net/socket.c:1017 [inline] sock_recvmsg+0xe2/0x160 net/socket.c:1038 qrtr_ns_worker+0x170/0x1700 net/qrtr/ns.c:688 process_one_work+0x991/0x15c0 kernel/workqueue.c:2390 worker_thread+0x669/0x1090 kernel/workqueue.c:2537 It occurs in the concurrent scenario of qrtr_recvmsg() and qrtr_endpoint_unregister() as following: cpu0 cpu1 qrtr_recvmsg qrtr_endpoint_unregister qrtr_send_resume_tx qrtr_node_release qrtr_node_lookup mutex_lock(&qrtr_node_lock) spin_lock_irqsave(&qrtr_nodes_lock, ) refcount_dec_and_test(&node->ref) [node->ref == 0] radix_tree_lookup [node != NULL] __qrtr_node_release qrtr_node_acquire spin_lock_irqsave(&qrtr_nodes_lock, ) kref_get(&node->ref) [WARNING] ... mutex_unlock(&qrtr_node_lock) Use qrtr_node_lock to protect qrtr_node_lookup() implementation, this is actually improving the protection of node reference.
A critical vulnerability exists in the Linux kernel's QRTR subsystem, allowing for a use-after-free condition. This flaw can lead to system instability, denial-of-service (DoS), or potentially arbitrary code execution due to improper reference counting in concurrent operations. Successful exploitation could compromise the confidentiality, integrity, and availability of affected systems.
Step 1: Concurrent Operations: The attack requires two threads/processes to run concurrently. One thread executes qrtr_recvmsg() and the other executes qrtr_endpoint_unregister().
Step 2: Node Lookup: qrtr_recvmsg() calls qrtr_node_lookup() to find a QRTR node.
Step 3: Unregistering the Node: qrtr_endpoint_unregister() is triggered, potentially freeing the node.
Step 4: Race Condition: The qrtr_node_lookup() function in qrtr_recvmsg() finds the node before it is freed, but the node is freed before qrtr_recvmsg() can acquire a reference to it.
Step 5: Reference Acquisition: qrtr_recvmsg() attempts to increment the reference count of the freed node using kref_get().
Step 6: Use-After-Free: The attempt to increment the reference count on the freed memory triggers the use-after-free vulnerability, leading to a crash or potential for exploitation.
The vulnerability stems from a race condition within the qrtr_recvmsg() and qrtr_endpoint_unregister() functions of the Linux kernel's QRTR (Qualcomm Remote Transport) subsystem. The core issue lies in the incorrect handling of reference counts for QRTR nodes. Specifically, when qrtr_recvmsg() attempts to acquire a reference to a node while qrtr_endpoint_unregister() is concurrently releasing the same node, a use-after-free condition can occur. The qrtr_node_lookup() function, called by qrtr_recvmsg(), can access a freed node if the node is unregistered between the lookup and the reference acquisition. The fix involves using qrtr_node_lock to protect the qrtr_node_lookup() implementation, which improves the protection of node references. The root cause is a lack of proper synchronization and atomic operations to manage the node's lifecycle, leading to a potential for accessing freed memory. The kref_get function is called on a freed object, leading to the crash.