SSD Advisory – Infiniband Linux Driver UAF

Vulnerability Summary
A bug in the thread synchronization of the Infiniband driver can cause a use-after-free. A struct that is allocated and freed by one thread is also reachable from a second thread. If the second thread calls the function “idr_find” before the struct is freed by the first thread, it can still use the struct after it has been freed.

Vendor Response
“Infiniband: fix a possible use-after-free bug has been added to the 4.17-stable tree. Patches currently in stable-queue are queue-4.17/infiniband-fix-a-possible-use-after-free-bug.patch”

CVE
CVE-2018-14737

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
Linux systems that contain the Infiniband driver and run a kernel version older than 4.17 (the version the patch was issued into).

Vulnerability Details
The function ucma_process_join() frees the newly allocated “mc” struct if any error occurs after the allocation.

However, at the same time, the ucma_leave_multicast() function, called by a second thread, can find this “mc” through idr_find() before ucma_process_join() frees it, since it has already been allocated and is reachable through the IDR.

So “mc” is used in ucma_leave_multicast() after it has been allocated and then freed in ucma_process_join().
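The ordering problem described above, as an added user-space model written for this page; it is not the kernel driver code and not the vendor's patch. A small fixed-size array stands in for the kernel IDR (idr_alloc/idr_find/idr_remove), `struct mc` for the multicast struct, and a callback models the second thread running inside the race window. It contrasts the vulnerable ordering (publish the struct in the table, then perform a step that can fail and free it) with one general hardening for this bug class, publishing the object only after every fallible step has succeeded, and checks whether the lookup thread is left holding a pointer to freed memory. The function and type names are constructed for the example:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Constructed model: "table" stands in for the kernel IDR, "mc" for the
 * driver's multicast struct. No kernel code is used. */
#define TABLE_SIZE 8

struct mc {
    int id;
    int initialized;   /* set only after every fallible step succeeded */
};

static struct mc *table[TABLE_SIZE];

/* idr_alloc() stand-in: publish mc under the lowest free id, or -1 */
static int table_alloc(struct mc *mc)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!table[i]) {
            table[i] = mc;
            return i;
        }
    }
    return -1;
}

/* idr_remove() / idr_find() stand-ins */
static void table_remove(int id) { if (id >= 0 && id < TABLE_SIZE) table[id] = NULL; }
static struct mc *table_find(int id) { return (id >= 0 && id < TABLE_SIZE) ? table[id] : NULL; }

/* Hook that runs "the other thread" while the race window is open. */
typedef void (*interleave_fn)(void *ctx);

/* Vulnerable ordering: publish first, then run the step that can fail. */
static int join_publish_first(int step_fails, interleave_fn other, void *ctx)
{
    struct mc *mc = calloc(1, sizeof *mc);
    if (!mc)
        return -ENOMEM;
    mc->id = table_alloc(mc);            /* reachable by lookup from here on */
    if (mc->id < 0) { free(mc); return -ENOSPC; }
    other(ctx);                          /* second thread runs inside the window */
    if (step_fails) {                    /* error path: unpublish and free */
        table_remove(mc->id);
        free(mc);                        /* the other thread may still hold mc */
        return -EINVAL;
    }
    mc->initialized = 1;
    return mc->id;
}

/* Hardened ordering: every fallible step first, publish last. */
static int join_publish_last(int step_fails, interleave_fn other, void *ctx)
{
    struct mc *mc = calloc(1, sizeof *mc);
    if (!mc)
        return -ENOMEM;
    other(ctx);                          /* same window, but mc is not visible yet */
    if (step_fails) {
        free(mc);                        /* nothing else can have found it */
        return -EINVAL;
    }
    mc->initialized = 1;
    mc->id = table_alloc(mc);
    if (mc->id < 0) { free(mc); return -ENOSPC; }
    return mc->id;
}

/* The second thread, modelled on a leave path that does a plain lookup and
 * keeps the raw pointer without taking any reference. */
struct leaver { int probe_id; int saw_entry; };

static void leave_lookup(void *ctx)
{
    struct leaver *l = ctx;
    l->saw_entry = table_find(l->probe_id) != NULL;
}

/* Run the interleaving with the join's fallible step failing. Returns 1 if the
 * second thread obtained a pointer to memory that join then freed (the UAF
 * condition), 0 otherwise. */
int race_leaves_dangling_pointer(int hardened)
{
    struct leaver l = { .probe_id = 0, .saw_entry = 0 }; /* id 0: first free slot */
    int rc;

    memset(table, 0, sizeof table);
    rc = hardened ? join_publish_last(1, leave_lookup, &l)
                  : join_publish_first(1, leave_lookup, &l);
    return rc < 0 && l.saw_entry;
}

/* Success path of the hardened ordering: the entry is published and usable. */
int hardened_success_path_publishes(void)
{
    struct leaver l = { .probe_id = 0, .saw_entry = 0 };
    int id;

    memset(table, 0, sizeof table);
    id = join_publish_last(0, leave_lookup, &l);
    return id == 0 && !l.saw_entry && table_find(0) && table_find(0)->initialized;
}

int main(void)
{
    printf("publish-first, failing join: dangling = %d\n", race_leaves_dangling_pointer(0));
    printf("publish-last,  failing join: dangling = %d\n", race_leaves_dangling_pointer(1));
    printf("publish-last,  success path ok = %d\n", hardened_success_path_publishes());
    return 0;
}
```

The model makes the race deterministic by invoking the second thread at the single point that matters, so the difference between the two orderings is purely where the table insertion sits relative to the error path. Removing the entry from the table before freeing is not enough on its own: a lookup that already returned the raw pointer keeps it, which is why the object must either stay unpublished until it cannot fail or be protected by a reference count taken under the lookup.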

Exploit

Crash info

Patch

*** This is a Security Bloggers Network syndicated blog from SecuriTeam Blogs authored by SSD / Ori Nimron. Read the original post at: https://blogs.securiteam.com/index.php/archives/3727