authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-02-16 16:24:45 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-02-16 16:24:45 +0100
commitdd5543ae4acd5b4bd411f501b19e97283df82c9a (patch)
tree152af39c96c5e0a479f4893d5955217589f2bad1
parente00759a4419872b1103d5450e63d9050fa88a5d8 (diff)
downloadvulns-dd5543ae4acd5b4bd411f501b19e97283df82c9a.tar.gz
cve: some more test cves
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--cve/published/2023/CVE-2023-21660 (renamed from cve/reserved/2023/CVE-2023-21660)0
-rw-r--r--cve/published/2023/CVE-2023-21660.json84
-rw-r--r--cve/published/2023/CVE-2023-21660.mbox60
-rw-r--r--cve/published/2023/CVE-2023-21660.sha11
-rw-r--r--cve/published/2023/CVE-2023-21661 (renamed from cve/reserved/2023/CVE-2023-21661)0
-rw-r--r--cve/published/2023/CVE-2023-21661.json129
-rw-r--r--cve/published/2023/CVE-2023-21661.mbox109
-rw-r--r--cve/published/2023/CVE-2023-21661.sha11
8 files changed, 384 insertions, 0 deletions
diff --git a/cve/reserved/2023/CVE-2023-21660 b/cve/published/2023/CVE-2023-21660
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-21660
+++ b/cve/published/2023/CVE-2023-21660
diff --git a/cve/published/2023/CVE-2023-21660.json b/cve/published/2023/CVE-2023-21660.json
new file mode 100644
index 00000000..019b5871
--- /dev/null
+++ b/cve/published/2023/CVE-2023-21660.json
@@ -0,0 +1,84 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "fbdev: flush deferred IO before closing\n\nWhen framebuffer gets closed, the queued deferred IO gets cancelled. This\ncan cause some last display data to vanish. This is problematic for users\nwho send a still image to the framebuffer, then close the file: the image\nmay never appear.\n\nTo ensure none of display data get lost, flush the queued deferred IO\nfirst before closing.\n\nAnother possible solution is to delete the cancel_delayed_work_sync()\ninstead. The difference is that the display may appear some time after\nclosing. However, the clearing of page mapping after this needs to be\nremoved too, because the page mapping is used by the deferred work. It is\nnot completely obvious whether it is okay to not clear the page mapping.\nFor a patch intended for stable trees, go with the simple and obvious\nsolution."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "versions": [
+ {
+ "version": "2.6.22",
+ "lessThan": "6.1.75",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "2.6.22",
+ "lessThan": "6.6.14",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "2.6.22",
+ "lessThan": "6.7.2",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "60b59beafba8",
+ "lessThan": "81f444f22816",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "60b59beafba8",
+ "lessThan": "2db6388d8a7f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "60b59beafba8",
+ "lessThan": "21ba4f2543bd",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/linux/c/81f444f22816"
+ },
+ {
+ "url": "https://git.kernel.org/stable/linux/c/2db6388d8a7f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/linux/c/21ba4f2543bd"
+ }
+ ],
+ "title": "fbdev: flush deferred IO before closing",
+ "x_generator": {
+ "engine": "bippy-a94c04b18a2f"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-21660",
+ "requesterUserId": "gregkh@linuxfoundation.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
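Review bot: `"serial": "1"` in cveMetadata is a string, but as far as I recall the CVE JSON 5.0 record schema declares `serial` as an integer (minimum 1), so a strict validator on the cve.org side may reject this record; `"serial": 1` would match the schema. The same applies to the CVE-2023-21661 record in this commit. `"requesterUserId": "gregkh@linuxfoundation.org"` is likewise worth checking against the schema, which I believe expects a UUID rather than an e-mail address; if either of these is a schema mismatch, the fix belongs in the bippy generator named in `x_generator` rather than in the checked-in record.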
diff --git a/cve/published/2023/CVE-2023-21660.mbox b/cve/published/2023/CVE-2023-21660.mbox
new file mode 100644
index 00000000..ddf7899c
--- /dev/null
+++ b/cve/published/2023/CVE-2023-21660.mbox
@@ -0,0 +1,60 @@
+From bippy-a94c04b18a2f Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>
+Subject: CVE-2023-21660: fbdev: flush deferred IO before closing
+
+Description
+===========
+
+fbdev: flush deferred IO before closing
+
+When framebuffer gets closed, the queued deferred IO gets cancelled. This
+can cause some last display data to vanish. This is problematic for users
+who send a still image to the framebuffer, then close the file: the image
+may never appear.
+
+To ensure none of display data get lost, flush the queued deferred IO
+first before closing.
+
+Another possible solution is to delete the cancel_delayed_work_sync()
+instead. The difference is that the display may appear some time after
+closing. However, the clearing of page mapping after this needs to be
+removed too, because the page mapping is used by the deferred work. It is
+not completely obvious whether it is okay to not clear the page mapping.
+For a patch intended for stable trees, go with the simple and obvious
+solution.
+
+The Linux kernel CVE team has assigned CVE-2023-21660 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.22 with commit 60b59beafba8 and fixed in 6.1.75 with commit 81f444f22816
+ Issue introduced in 2.6.22 with commit 60b59beafba8 and fixed in 6.6.14 with commit 2db6388d8a7f
+ Issue introduced in 2.6.22 with commit 60b59beafba8 and fixed in 6.7.2 with commit 21ba4f2543bd
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2023-21660
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/linux/c/81f444f22816
+ https://git.kernel.org/stable/linux/c/2db6388d8a7f
+ https://git.kernel.org/stable/linux/c/21ba4f2543bd
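Review bot: The template sentence "Please see https://www.kernel.org or a full list of currently supported kernel versions" is missing a word; it presumably should read `Please see https://www.kernel.org for a full list of currently supported`. The identical text appears in the CVE-2023-21661 mbox in this commit, so this looks like the announcement template in the generator rather than a one-off, and fixing it there will correct every future announcement.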
diff --git a/cve/published/2023/CVE-2023-21660.sha1 b/cve/published/2023/CVE-2023-21660.sha1
new file mode 100644
index 00000000..84fee75b
--- /dev/null
+++ b/cve/published/2023/CVE-2023-21660.sha1
@@ -0,0 +1 @@
+33cd6ea9c0673517cdb06ad5c915c6f22e9615fc
diff --git a/cve/reserved/2023/CVE-2023-21661 b/cve/published/2023/CVE-2023-21661
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-21661
+++ b/cve/published/2023/CVE-2023-21661
diff --git a/cve/published/2023/CVE-2023-21661.json b/cve/published/2023/CVE-2023-21661.json
new file mode 100644
index 00000000..179a17a1
--- /dev/null
+++ b/cve/published/2023/CVE-2023-21661.json
@@ -0,0 +1,129 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "binder: fix use-after-free in shinker's callback\n\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\n\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. The\nfollowing KASAN report confirms the UAF:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n Read of size 8 at addr ffff356ed50e50f0 by task bash/478\n\n CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n zap_page_range_single+0x470/0x4b8\n binder_alloc_free_page+0x608/0xadc\n __list_lru_walk_one+0x130/0x3b0\n list_lru_walk_node+0xc4/0x22c\n binder_shrink_scan+0x108/0x1dc\n shrinker_debugfs_scan_write+0x2b4/0x500\n full_proxy_write+0xd4/0x140\n vfs_write+0x1ac/0x758\n ksys_write+0xf0/0x1dc\n __arm64_sys_write+0x6c/0x9c\n\n Allocated by task 492:\n kmem_cache_alloc+0x130/0x368\n vm_area_alloc+0x2c/0x190\n mmap_region+0x258/0x18bc\n do_mmap+0x694/0xa60\n vm_mmap_pgoff+0x170/0x29c\n ksys_mmap_pgoff+0x290/0x3a0\n __arm64_sys_mmap+0xcc/0x144\n\n Freed by task 491:\n kmem_cache_free+0x17c/0x3c8\n vm_area_free_rcu_cb+0x74/0x98\n rcu_core+0xa38/0x26d4\n rcu_core_si+0x10/0x1c\n __do_softirq+0x2fc/0xd24\n\n Last potentially related work creation:\n __call_rcu_common.constprop.0+0x6c/0xba0\n call_rcu+0x10/0x1c\n vm_area_free+0x18/0x24\n remove_vma+0xe4/0x118\n do_vmi_align_munmap.isra.0+0x718/0xb5c\n do_vmi_munmap+0xdc/0x1fc\n __vm_munmap+0x10c/0x278\n __arm64_sys_munmap+0x58/0x7c\n\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. 
Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "versions": [
+ {
+ "version": "4.20",
+ "lessThan": "5.4.268",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.20",
+ "lessThan": "5.10.209",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.20",
+ "lessThan": "5.15.148",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.20",
+ "lessThan": "6.1.74",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.20",
+ "lessThan": "6.6.13",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.20",
+ "lessThan": "6.7.1",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "dd2283f2605e",
+ "lessThan": "a53e15e592b4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "dd2283f2605e",
+ "lessThan": "c8c1158ffb00",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "dd2283f2605e",
+ "lessThan": "8ad4d580e8af",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "dd2283f2605e",
+ "lessThan": "9fa04c93f241",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "dd2283f2605e",
+ "lessThan": "a49087ab9350",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "dd2283f2605e",
+ "lessThan": "e074686e993f",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/linux/c/a53e15e592b4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/linux/c/c8c1158ffb00"
+ },
+ {
+ "url": "https://git.kernel.org/stable/linux/c/8ad4d580e8af"
+ },
+ {
+ "url": "https://git.kernel.org/stable/linux/c/9fa04c93f241"
+ },
+ {
+ "url": "https://git.kernel.org/stable/linux/c/a49087ab9350"
+ },
+ {
+ "url": "https://git.kernel.org/stable/linux/c/e074686e993f"
+ }
+ ],
+ "title": "binder: fix use-after-free in shinker's callback",
+ "x_generator": {
+ "engine": "bippy-a94c04b18a2f"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-21661",
+ "requesterUserId": "gregkh@linuxfoundation.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
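Review bot: The description string of this record is shown here broken across two physical lines ("... mmap lock downgrade. " / "Note that\nthis option ..."), which would make the file invalid JSON since raw line breaks are not allowed inside a string. This is most likely a display artifact of the long line rather than the file content, since the mbox rendering of the same text is continuous; worth confirming with `jq . cve/published/2023/CVE-2023-21661.json` before publishing, as a malformed record would fail at the CVE services import.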
diff --git a/cve/published/2023/CVE-2023-21661.mbox b/cve/published/2023/CVE-2023-21661.mbox
new file mode 100644
index 00000000..a7e196a6
--- /dev/null
+++ b/cve/published/2023/CVE-2023-21661.mbox
@@ -0,0 +1,109 @@
+From bippy-a94c04b18a2f Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>
+Subject: CVE-2023-21661: binder: fix use-after-free in shinker's callback
+
+Description
+===========
+
+binder: fix use-after-free in shinker's callback
+
+The mmap read lock is used during the shrinker's callback, which means
+that using alloc->vma pointer isn't safe as it can race with munmap().
+As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in
+munmap") the mmap lock is downgraded after the vma has been isolated.
+
+I was able to reproduce this issue by manually adding some delays and
+triggering page reclaiming through the shrinker's debug sysfs. The
+following KASAN report confirms the UAF:
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8
+ Read of size 8 at addr ffff356ed50e50f0 by task bash/478
+
+ CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70
+ Hardware name: linux,dummy-virt (DT)
+ Call trace:
+ zap_page_range_single+0x470/0x4b8
+ binder_alloc_free_page+0x608/0xadc
+ __list_lru_walk_one+0x130/0x3b0
+ list_lru_walk_node+0xc4/0x22c
+ binder_shrink_scan+0x108/0x1dc
+ shrinker_debugfs_scan_write+0x2b4/0x500
+ full_proxy_write+0xd4/0x140
+ vfs_write+0x1ac/0x758
+ ksys_write+0xf0/0x1dc
+ __arm64_sys_write+0x6c/0x9c
+
+ Allocated by task 492:
+ kmem_cache_alloc+0x130/0x368
+ vm_area_alloc+0x2c/0x190
+ mmap_region+0x258/0x18bc
+ do_mmap+0x694/0xa60
+ vm_mmap_pgoff+0x170/0x29c
+ ksys_mmap_pgoff+0x290/0x3a0
+ __arm64_sys_mmap+0xcc/0x144
+
+ Freed by task 491:
+ kmem_cache_free+0x17c/0x3c8
+ vm_area_free_rcu_cb+0x74/0x98
+ rcu_core+0xa38/0x26d4
+ rcu_core_si+0x10/0x1c
+ __do_softirq+0x2fc/0xd24
+
+ Last potentially related work creation:
+ __call_rcu_common.constprop.0+0x6c/0xba0
+ call_rcu+0x10/0x1c
+ vm_area_free+0x18/0x24
+ remove_vma+0xe4/0x118
+ do_vmi_align_munmap.isra.0+0x718/0xb5c
+ do_vmi_munmap+0xdc/0x1fc
+ __vm_munmap+0x10c/0x278
+ __arm64_sys_munmap+0x58/0x7c
+
+Fix this issue by performing instead a vma_lookup() which will fail to
+find the vma that was isolated before the mmap lock downgrade. Note that
+this option has better performance than upgrading to a mmap write lock
+which would increase contention. Plus, mmap_write_trylock() has been
+recently removed anyway.
+
+The Linux kernel CVE team has assigned CVE-2023-21661 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.20 with commit dd2283f2605e and fixed in 5.4.268 with commit a53e15e592b4
+ Issue introduced in 4.20 with commit dd2283f2605e and fixed in 5.10.209 with commit c8c1158ffb00
+ Issue introduced in 4.20 with commit dd2283f2605e and fixed in 5.15.148 with commit 8ad4d580e8af
+ Issue introduced in 4.20 with commit dd2283f2605e and fixed in 6.1.74 with commit 9fa04c93f241
+ Issue introduced in 4.20 with commit dd2283f2605e and fixed in 6.6.13 with commit a49087ab9350
+ Issue introduced in 4.20 with commit dd2283f2605e and fixed in 6.7.1 with commit e074686e993f
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2023-21661
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/linux/c/a53e15e592b4
+ https://git.kernel.org/stable/linux/c/c8c1158ffb00
+ https://git.kernel.org/stable/linux/c/8ad4d580e8af
+ https://git.kernel.org/stable/linux/c/9fa04c93f241
+ https://git.kernel.org/stable/linux/c/a49087ab9350
+ https://git.kernel.org/stable/linux/c/e074686e993f
diff --git a/cve/published/2023/CVE-2023-21661.sha1 b/cve/published/2023/CVE-2023-21661.sha1
new file mode 100644
index 00000000..33d6b802
--- /dev/null
+++ b/cve/published/2023/CVE-2023-21661.sha1
@@ -0,0 +1 @@
+3f489c2067c5824528212b0fc18b28d51332d906