A recently resolved vulnerability in the Linux kernel, found and reported by syzkaller against a 6.6 kernel, is a use-after-free (UAF) in the block layer's Budget Fair Queueing (BFQ) I/O scheduler. More specifically, it involves the waker_bfqq pointer of a bfq_queue being used after bfq_split_bfqq() has been called, at which point the queue it refers to may already have been freed.
The vulnerability details and the relevant stack traces can be found in the syzkaller report below:
BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726
CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39
Call Trace:
<TASK>
...
Allocated by task 232719:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:768 [inline]
slab_alloc_node mm/slub.c:3492 [inline]
kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537
bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869
bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776
bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938
...
---truncated---
To better understand this issue, let's analyze what the report tells us about the code in question:
1. waker_bfqq is a pointer field of struct bfq_queue that records which other queue acts as this queue's "waker". The KASAN report shows an 8-byte read of that pointer in bfq_init_rq() (block/bfq-iosched.c:6958) hitting a bfq_queue object that had already been freed; the read happens after bfq_split_bfqq() has torn down the queue that the pointer was taken from.
2. The allocation stack shows where the freed object came from: bfq_init_rq() (block/bfq-iosched.c:6938) calls bfq_get_bfqq_handle_split() (block/bfq-iosched.c:6776), which handles splitting a shared bfqq and allocates a new queue through bfq_get_queue() (block/bfq-iosched.c:5869). The waker_bfqq pointer carried across that split is what dangles: by the time the new queue is set up, the waker it refers to may have been released along with the old queue, and the subsequent use of the stale pointer is the UAF.
For more information on the affected code, the original references for the issue can be found here:
- Syzkaller report
- Linux kernel source code
The vulnerability was fixed by adding proper handling around bfq_get_bfqq_handle_split() so that the waker_bfqq pointer is not left dangling across the bfq_split_bfqq() call: the new queue is no longer handed a pointer to a waker that the split may already have freed. With the fix applied, the freed-object read reported by KASAN no longer occurs, closing the use-after-free.
Keep your systems up to date, and check that your distribution kernel carries the backport of this fix, to protect against newly discovered vulnerabilities like this one.
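To make the failure mode concrete, here is an added user-space model of the pattern described above: a borrowed pointer (the waker) is cached before a call that may drop the last reference to its target, then consumed after that call. This is illustration code written for this page, not the kernel's BFQ code and not the upstream fix; every name (queue_t, split_queue, init_rq_vulnerable, init_rq_hardened) is hypothetical, the reference-counting rules are simplified, and the "pin a reference across the call" fix is one standard remedy for this class of bug rather than a claim about what the kernel patch does. A freed-state flag stands in for KASAN so the UAF is detectable deterministically.

```c
#include <string.h>

/* Added illustration, not kernel code: a user-space model of a
 * waker_bfqq-style UAF. All names here are hypothetical. */

enum { Q_LIVE = 1, Q_FREED = 2 };

typedef struct queue {
    int refcnt;
    int state;            /* Q_LIVE or Q_FREED, so a UAF is detectable without KASAN */
    struct queue *waker;  /* analogue of bfq_queue->waker_bfqq; owns one reference here */
    int id;
} queue_t;

#define NQ 8
static queue_t pool[NQ];  /* freed slots are never reused, mimicking a KASAN quarantine */
static int next_q;

static queue_t *q_alloc(int id)
{
    queue_t *q = &pool[next_q++];   /* stands in for kmem_cache_alloc_node() */
    q->refcnt = 1;
    q->state = Q_LIVE;
    q->waker = NULL;
    q->id = id;
    return q;
}

static void q_get(queue_t *q) { q->refcnt++; }

static void q_put(queue_t *q)
{
    if (--q->refcnt == 0)
        q->state = Q_FREED;          /* stands in for kmem_cache_free() */
}

/* Model of a split: tear down the old queue and drop the reference it held
 * on its waker. If that was the waker's last reference, the waker is freed
 * here while the caller may still hold a raw pointer to it. */
static void split_queue(queue_t *old)
{
    if (old->waker) {
        q_put(old->waker);
        old->waker = NULL;
    }
    q_put(old);
}

/* Read a field through the waker pointer: -1 on use-after-free, else its id. */
static int waker_id(const queue_t *waker)
{
    if (!waker)
        return 0;
    return waker->state == Q_FREED ? -1 : waker->id;
}

/* Vulnerable flow: the waker pointer is cached before the split and used
 * after it, with nothing pinning the object in between. */
static int init_rq_vulnerable(queue_t *old)
{
    queue_t *waker = old->waker;     /* cached borrowed pointer */
    split_queue(old);                /* may free *waker */
    queue_t *newq = q_alloc(3);
    int id = waker_id(waker);        /* this is where KASAN would report the read */
    newq->waker = (id < 0) ? NULL : waker;
    return id;
}

/* Hardened flow: take a reference before the call that can free the object
 * and hand that reference to the new owner afterwards. */
static int init_rq_hardened(queue_t *old)
{
    queue_t *waker = old->waker;
    if (waker)
        q_get(waker);                /* pin across split_queue() */
    split_queue(old);
    queue_t *newq = q_alloc(3);
    newq->waker = waker;             /* the pinned reference now belongs to newq */
    return waker_id(waker);
}

/* Constructed triggering layout: the old queue holds the only reference to
 * its waker, so splitting the old queue frees the waker. */
static queue_t *setup(void)
{
    memset(pool, 0, sizeof pool);
    next_q = 0;
    queue_t *waker = q_alloc(1);
    queue_t *old = q_alloc(2);
    old->waker = waker;              /* old queue takes over the creator's reference */
    return old;
}

int scenario_vulnerable(void) { return init_rq_vulnerable(setup()); }
int scenario_hardened(void)   { return init_rq_hardened(setup()); }
```

Running scenario_vulnerable() returns -1: the cached pointer is dereferenced after split_queue() dropped the waker's last reference, which is exactly the slab-use-after-free the report shows at bfq-iosched.c:6958. scenario_hardened() returns the waker's id (1) because the extra reference keeps the object alive until the new queue owns it. The same reasoning applies to any pointer copied out of an object before a call that can release that object: either pin it, or re-derive it from an authoritative source after the call.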
Timeline
Published on: 01/19/2025 11:15:07 UTC
Last modified on: 02/10/2025 18:15:34 UTC