authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-04 10:23:56 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-04 10:23:56 +0200
commit89030c5fcd83eeb56af69059cf8615944b327dd0 (patch)
tree2664ecd10274161ae7a3e1a66a9113e2ebe11e85
parent073be213f4bd5a0634a9ce7279efd8be85219bc7 (diff)
downloadvulns-89030c5fcd83eeb56af69059cf8615944b327dd0.tar.gz
Assign CVEs to some 6.7.9 commits
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--cve/published/2024/CVE-2024-26745 (renamed from cve/reserved/2024/CVE-2024-26745)0
-rw-r--r--cve/published/2024/CVE-2024-26745.json118
-rw-r--r--cve/published/2024/CVE-2024-26745.mbox148
-rw-r--r--cve/published/2024/CVE-2024-26745.sha11
-rw-r--r--cve/published/2024/CVE-2024-26746 (renamed from cve/reserved/2024/CVE-2024-26746)0
-rw-r--r--cve/published/2024/CVE-2024-26746.json103
-rw-r--r--cve/published/2024/CVE-2024-26746.mbox121
-rw-r--r--cve/published/2024/CVE-2024-26746.sha11
-rw-r--r--cve/published/2024/CVE-2024-26750 (renamed from cve/reserved/2024/CVE-2024-26750)0
-rw-r--r--cve/published/2024/CVE-2024-26750.json63
-rw-r--r--cve/published/2024/CVE-2024-26750.mbox111
-rw-r--r--cve/published/2024/CVE-2024-26750.sha11
-rw-r--r--cve/published/2024/CVE-2024-26780 (renamed from cve/reserved/2024/CVE-2024-26780)0
-rw-r--r--cve/published/2024/CVE-2024-26780.json93
-rw-r--r--cve/published/2024/CVE-2024-26780.mbox132
-rw-r--r--cve/published/2024/CVE-2024-26780.sha11
-rw-r--r--cve/published/2024/CVE-2024-26781 (renamed from cve/reserved/2024/CVE-2024-26781)0
-rw-r--r--cve/published/2024/CVE-2024-26781.json123
-rw-r--r--cve/published/2024/CVE-2024-26781.mbox150
-rw-r--r--cve/published/2024/CVE-2024-26781.sha11
-rw-r--r--cve/published/2024/CVE-2024-26782 (renamed from cve/reserved/2024/CVE-2024-26782)0
-rw-r--r--cve/published/2024/CVE-2024-26782.json148
-rw-r--r--cve/published/2024/CVE-2024-26782.mbox181
-rw-r--r--cve/published/2024/CVE-2024-26782.sha11
-rw-r--r--cve/published/2024/CVE-2024-26783 (renamed from cve/reserved/2024/CVE-2024-26783)0
-rw-r--r--cve/published/2024/CVE-2024-26783.json103
-rw-r--r--cve/published/2024/CVE-2024-26783.mbox116
-rw-r--r--cve/published/2024/CVE-2024-26783.sha11
-rw-r--r--cve/published/2024/CVE-2024-26784 (renamed from cve/reserved/2024/CVE-2024-26784)0
-rw-r--r--cve/published/2024/CVE-2024-26784.json88
-rw-r--r--cve/published/2024/CVE-2024-26784.mbox90
-rw-r--r--cve/published/2024/CVE-2024-26784.sha11
-rw-r--r--cve/published/2024/CVE-2024-26785 (renamed from cve/reserved/2024/CVE-2024-26785)0
-rw-r--r--cve/published/2024/CVE-2024-26785.json88
-rw-r--r--cve/published/2024/CVE-2024-26785.mbox88
-rw-r--r--cve/published/2024/CVE-2024-26785.sha11
-rw-r--r--cve/published/2024/CVE-2024-26786 (renamed from cve/reserved/2024/CVE-2024-26786)0
-rw-r--r--cve/published/2024/CVE-2024-26786.json103
-rw-r--r--cve/published/2024/CVE-2024-26786.mbox89
-rw-r--r--cve/published/2024/CVE-2024-26786.sha11
-rw-r--r--cve/published/2024/CVE-2024-26787 (renamed from cve/reserved/2024/CVE-2024-26787)0
-rw-r--r--cve/published/2024/CVE-2024-26787.json148
-rw-r--r--cve/published/2024/CVE-2024-26787.mbox107
-rw-r--r--cve/published/2024/CVE-2024-26787.sha11
-rw-r--r--cve/published/2024/CVE-2024-26788 (renamed from cve/reserved/2024/CVE-2024-26788)0
-rw-r--r--cve/published/2024/CVE-2024-26788.json163
-rw-r--r--cve/published/2024/CVE-2024-26788.mbox108
-rw-r--r--cve/published/2024/CVE-2024-26788.sha11
-rw-r--r--cve/published/2024/CVE-2024-26789 (renamed from cve/reserved/2024/CVE-2024-26789)0
-rw-r--r--cve/published/2024/CVE-2024-26789.json118
-rw-r--r--cve/published/2024/CVE-2024-26789.mbox81
-rw-r--r--cve/published/2024/CVE-2024-26789.sha11
-rw-r--r--cve/published/2024/CVE-2024-26790 (renamed from cve/reserved/2024/CVE-2024-26790)0
-rw-r--r--cve/published/2024/CVE-2024-26790.json163
-rw-r--r--cve/published/2024/CVE-2024-26790.mbox86
-rw-r--r--cve/published/2024/CVE-2024-26790.sha11
-rw-r--r--cve/published/2024/CVE-2024-26791 (renamed from cve/reserved/2024/CVE-2024-26791)0
-rw-r--r--cve/published/2024/CVE-2024-26791.json168
-rw-r--r--cve/published/2024/CVE-2024-26791.mbox85
-rw-r--r--cve/published/2024/CVE-2024-26791.sha11
-rw-r--r--cve/published/2024/CVE-2024-26792 (renamed from cve/reserved/2024/CVE-2024-26792)0
-rw-r--r--cve/published/2024/CVE-2024-26792.json93
-rw-r--r--cve/published/2024/CVE-2024-26792.mbox153
-rw-r--r--cve/published/2024/CVE-2024-26792.sha11
-rw-r--r--cve/published/2024/CVE-2024-26793 (renamed from cve/reserved/2024/CVE-2024-26793)0
-rw-r--r--cve/published/2024/CVE-2024-26793.json178
-rw-r--r--cve/published/2024/CVE-2024-26793.mbox170
-rw-r--r--cve/published/2024/CVE-2024-26793.sha11
-rw-r--r--cve/published/2024/CVE-2024-26794 (renamed from cve/reserved/2024/CVE-2024-26794)0
-rw-r--r--cve/published/2024/CVE-2024-26794.json78
-rw-r--r--cve/published/2024/CVE-2024-26794.mbox178
-rw-r--r--cve/published/2024/CVE-2024-26794.sha11
-rw-r--r--cve/published/2024/CVE-2024-26795 (renamed from cve/reserved/2024/CVE-2024-26795)0
-rw-r--r--cve/published/2024/CVE-2024-26795.json148
-rw-r--r--cve/published/2024/CVE-2024-26795.mbox79
-rw-r--r--cve/published/2024/CVE-2024-26795.sha11
-rw-r--r--cve/published/2024/CVE-2024-26796 (renamed from cve/reserved/2024/CVE-2024-26796)0
-rw-r--r--cve/published/2024/CVE-2024-26796.json103
-rw-r--r--cve/published/2024/CVE-2024-26796.mbox98
-rw-r--r--cve/published/2024/CVE-2024-26796.sha11
-rw-r--r--cve/published/2024/CVE-2024-26797 (renamed from cve/reserved/2024/CVE-2024-26797)0
-rw-r--r--cve/published/2024/CVE-2024-26797.json88
-rw-r--r--cve/published/2024/CVE-2024-26797.mbox76
-rw-r--r--cve/published/2024/CVE-2024-26797.sha11
-rw-r--r--cve/published/2024/CVE-2024-26798 (renamed from cve/reserved/2024/CVE-2024-26798)0
-rw-r--r--cve/published/2024/CVE-2024-26798.json123
-rw-r--r--cve/published/2024/CVE-2024-26798.mbox104
-rw-r--r--cve/published/2024/CVE-2024-26798.sha11
-rw-r--r--cve/published/2024/CVE-2024-26799 (renamed from cve/reserved/2024/CVE-2024-26799)0
-rw-r--r--cve/published/2024/CVE-2024-26799.json103
-rw-r--r--cve/published/2024/CVE-2024-26799.mbox76
-rw-r--r--cve/published/2024/CVE-2024-26799.sha11
-rw-r--r--cve/published/2024/CVE-2024-26800 (renamed from cve/reserved/2024/CVE-2024-26800)0
-rw-r--r--cve/published/2024/CVE-2024-26800.json78
-rw-r--r--cve/published/2024/CVE-2024-26800.mbox77
-rw-r--r--cve/published/2024/CVE-2024-26800.sha11
-rw-r--r--cve/published/2024/CVE-2024-26801 (renamed from cve/reserved/2024/CVE-2024-26801)0
-rw-r--r--cve/published/2024/CVE-2024-26801.json178
-rw-r--r--cve/published/2024/CVE-2024-26801.mbox94
-rw-r--r--cve/published/2024/CVE-2024-26801.sha11
-rw-r--r--cve/published/2024/CVE-2024-26802 (renamed from cve/reserved/2024/CVE-2024-26802)0
-rw-r--r--cve/published/2024/CVE-2024-26802.json133
-rw-r--r--cve/published/2024/CVE-2024-26802.mbox114
-rw-r--r--cve/published/2024/CVE-2024-26802.sha11
-rw-r--r--cve/published/2024/CVE-2024-26803 (renamed from cve/reserved/2024/CVE-2024-26803)0
-rw-r--r--cve/published/2024/CVE-2024-26803.json133
-rw-r--r--cve/published/2024/CVE-2024-26803.mbox94
-rw-r--r--cve/published/2024/CVE-2024-26803.sha11
-rw-r--r--cve/published/2024/CVE-2024-26804 (renamed from cve/reserved/2024/CVE-2024-26804)0
-rw-r--r--cve/published/2024/CVE-2024-26804.json163
-rw-r--r--cve/published/2024/CVE-2024-26804.mbox166
-rw-r--r--cve/published/2024/CVE-2024-26804.sha11
-rw-r--r--cve/published/2024/CVE-2024-26805 (renamed from cve/reserved/2024/CVE-2024-26805)0
-rw-r--r--cve/published/2024/CVE-2024-26805.json178
-rw-r--r--cve/published/2024/CVE-2024-26805.mbox176
-rw-r--r--cve/published/2024/CVE-2024-26805.sha11
-rw-r--r--cve/published/2024/CVE-2024-26806 (renamed from cve/reserved/2024/CVE-2024-26806)0
-rw-r--r--cve/published/2024/CVE-2024-26806.json88
-rw-r--r--cve/published/2024/CVE-2024-26806.mbox96
-rw-r--r--cve/published/2024/CVE-2024-26806.sha11
-rw-r--r--cve/published/2024/CVE-2024-26807 (renamed from cve/reserved/2024/CVE-2024-26807)0
-rw-r--r--cve/published/2024/CVE-2024-26807.json103
-rw-r--r--cve/published/2024/CVE-2024-26807.mbox78
-rw-r--r--cve/published/2024/CVE-2024-26807.sha11
124 files changed, 7311 insertions, 0 deletions
diff --git a/cve/reserved/2024/CVE-2024-26745 b/cve/published/2024/CVE-2024-26745
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26745
+++ b/cve/published/2024/CVE-2024-26745
diff --git a/cve/published/2024/CVE-2024-26745.json b/cve/published/2024/CVE-2024-26745.json
new file mode 100644
index 00000000..c6378409
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26745.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV\n\nWhen kdump kernel tries to copy dump data over SR-IOV, LPAR panics due\nto NULL pointer exception:\n\n Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on read at 0x00000000\n Faulting instruction address: 0xc000000020847ad4\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: mlx5_core(+) vmx_crypto pseries_wdt papr_scm libnvdimm mlxfw tls psample sunrpc fuse overlay squashfs loop\n CPU: 12 PID: 315 Comm: systemd-udevd Not tainted 6.4.0-Test102+ #12\n Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries\n NIP: c000000020847ad4 LR: c00000002083b2dc CTR: 00000000006cd18c\n REGS: c000000029162ca0 TRAP: 0300 Not tainted (6.4.0-Test102+)\n MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 48288244 XER: 00000008\n CFAR: c00000002083b2d8 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1\n ...\n NIP _find_next_zero_bit+0x24/0x110\n LR bitmap_find_next_zero_area_off+0x5c/0xe0\n Call Trace:\n dev_printk_emit+0x38/0x48 (unreliable)\n iommu_area_alloc+0xc4/0x180\n iommu_range_alloc+0x1e8/0x580\n iommu_alloc+0x60/0x130\n iommu_alloc_coherent+0x158/0x2b0\n dma_iommu_alloc_coherent+0x3c/0x50\n dma_alloc_attrs+0x170/0x1f0\n mlx5_cmd_init+0xc0/0x760 [mlx5_core]\n mlx5_function_setup+0xf0/0x510 [mlx5_core]\n mlx5_init_one+0x84/0x210 [mlx5_core]\n probe_one+0x118/0x2c0 [mlx5_core]\n local_pci_probe+0x68/0x110\n pci_call_probe+0x68/0x200\n pci_device_probe+0xbc/0x1a0\n really_probe+0x104/0x540\n __driver_probe_device+0xb4/0x230\n driver_probe_device+0x54/0x130\n __driver_attach+0x158/0x2b0\n bus_for_each_dev+0xa8/0x130\n driver_attach+0x34/0x50\n bus_add_driver+0x16c/0x300\n driver_register+0xa4/0x1b0\n 
__pci_register_driver+0x68/0x80\n mlx5_init+0xb8/0x100 [mlx5_core]\n do_one_initcall+0x60/0x300\n do_init_module+0x7c/0x2b0\n\nAt the time of LPAR dump, before kexec hands over control to kdump\nkernel, DDWs (Dynamic DMA Windows) are scanned and added to the FDT.\nFor the SR-IOV case, default DMA window \"ibm,dma-window\" is removed from\nthe FDT and DDW added, for the device.\n\nNow, kexec hands over control to the kdump kernel.\n\nWhen the kdump kernel initializes, PCI busses are scanned and IOMMU\ngroup/tables created, in pci_dma_bus_setup_pSeriesLP(). For the SR-IOV\ncase, there is no \"ibm,dma-window\". The original commit: b1fc44eaa9ba,\nfixes the path where memory is pre-mapped (direct mapped) to the DDW.\nWhen TCEs are direct mapped, there is no need to initialize IOMMU\ntables.\n\niommu_table_setparms_lpar() only considers \"ibm,dma-window\" property\nwhen initiallizing IOMMU table. In the scenario where TCEs are\ndynamically allocated for SR-IOV, newly created IOMMU table is not\ninitialized. Later, when the device driver tries to enter TCEs for the\nSR-IOV device, NULL pointer execption is thrown from iommu_area_alloc().\n\nThe fix is to initialize the IOMMU table with DDW property stored in the\nFDT. There are 2 points to remember:\n\n\t1. For the dedicated adapter, kdump kernel would encounter both\n\t default and DDW in FDT. In this case, DDW property is used to\n\t initialize the IOMMU table.\n\n\t2. A DDW could be direct or dynamic mapped. kdump kernel would\n\t initialize IOMMU table and mark the existing DDW as\n\t \"dynamic\". This works fine since, at the time of table\n\t initialization, iommu_table_clear() makes some space in the\n\t DDW, for some predefined number of TCEs which are needed for\n\t kdump to succeed."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "b1fc44eaa9ba",
+ "lessThan": "7eb95e0af5c9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b1fc44eaa9ba",
+ "lessThan": "d4d1e4b1513d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b1fc44eaa9ba",
+ "lessThan": "5da6d306f315",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b1fc44eaa9ba",
+ "lessThan": "09a3c1e46142",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.0",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.0",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/7eb95e0af5c9c2e6fad50356eaf32d216d0e7bc3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d4d1e4b1513d975961de7bb4f75e450a92d65ebf"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5da6d306f315344af1ca2eff4bd9b10b130f0c28"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/09a3c1e46142199adcee372a420b024b4fc61051"
+ }
+ ],
+ "title": "powerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26745",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
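Review bot: The second "affected" block of this record marks every version below 6.0 as unaffected (`"version": "0", "lessThan": "6.0", "status": "unaffected"`), while the companion mbox for the same CVE states "Issue introduced in 5.18.18 with commit b9f08b2649dd" and "Issue introduced in 5.19.2 with commit 58942f672c6d", so the JSON understates the affected range that the announcement itself gives. A consumer reading only the published CVE record would wrongly conclude that 5.18.y and 5.19.y stable kernels carrying the backported b1fc44eaa9ba are clean. The two git-range entries for those backports and a custom-version entry per affected stable branch (constructed example: `{"version": "5.18.18", "lessThanOrEqual": "5.18.*", "status": "affected", "versionType": "custom"}`) would bring the record in line with the mbox. Since `x_generator` names bippy, the discrepancy presumably originates in the generator rather than in a hand edit, and the other records in this commit may have the same gap where their mbox lists extra "Issue introduced" lines.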
diff --git a/cve/published/2024/CVE-2024-26745.mbox b/cve/published/2024/CVE-2024-26745.mbox
new file mode 100644
index 00000000..88d27a5b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26745.mbox
@@ -0,0 +1,148 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26745: powerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV
+Message-Id: <2024040454-CVE-2024-26745-fa88@gregkh>
+Content-Length: 5672
+Lines: 131
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5804;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=FvoBHpT5EWQTomgcNeEmCt1WU7nsvS8EFsLCF1jHV8g=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yXHBAi/fnJeLWnZ3Q8yV1uqCffE3xXRt3sfGZdYfD
+ l+coH+rI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACZyfAPDgmOXtimsdXDIEjtn
+ 8Uxzrspx94lN7xgWHJ20YfcD/nusWVcP/V91Y6Xc6jdT/gAA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+powerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV
+
+When kdump kernel tries to copy dump data over SR-IOV, LPAR panics due
+to NULL pointer exception:
+
+ Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
+ BUG: Kernel NULL pointer dereference on read at 0x00000000
+ Faulting instruction address: 0xc000000020847ad4
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in: mlx5_core(+) vmx_crypto pseries_wdt papr_scm libnvdimm mlxfw tls psample sunrpc fuse overlay squashfs loop
+ CPU: 12 PID: 315 Comm: systemd-udevd Not tainted 6.4.0-Test102+ #12
+ Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries
+ NIP: c000000020847ad4 LR: c00000002083b2dc CTR: 00000000006cd18c
+ REGS: c000000029162ca0 TRAP: 0300 Not tainted (6.4.0-Test102+)
+ MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 48288244 XER: 00000008
+ CFAR: c00000002083b2d8 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1
+ ...
+ NIP _find_next_zero_bit+0x24/0x110
+ LR bitmap_find_next_zero_area_off+0x5c/0xe0
+ Call Trace:
+ dev_printk_emit+0x38/0x48 (unreliable)
+ iommu_area_alloc+0xc4/0x180
+ iommu_range_alloc+0x1e8/0x580
+ iommu_alloc+0x60/0x130
+ iommu_alloc_coherent+0x158/0x2b0
+ dma_iommu_alloc_coherent+0x3c/0x50
+ dma_alloc_attrs+0x170/0x1f0
+ mlx5_cmd_init+0xc0/0x760 [mlx5_core]
+ mlx5_function_setup+0xf0/0x510 [mlx5_core]
+ mlx5_init_one+0x84/0x210 [mlx5_core]
+ probe_one+0x118/0x2c0 [mlx5_core]
+ local_pci_probe+0x68/0x110
+ pci_call_probe+0x68/0x200
+ pci_device_probe+0xbc/0x1a0
+ really_probe+0x104/0x540
+ __driver_probe_device+0xb4/0x230
+ driver_probe_device+0x54/0x130
+ __driver_attach+0x158/0x2b0
+ bus_for_each_dev+0xa8/0x130
+ driver_attach+0x34/0x50
+ bus_add_driver+0x16c/0x300
+ driver_register+0xa4/0x1b0
+ __pci_register_driver+0x68/0x80
+ mlx5_init+0xb8/0x100 [mlx5_core]
+ do_one_initcall+0x60/0x300
+ do_init_module+0x7c/0x2b0
+
+At the time of LPAR dump, before kexec hands over control to kdump
+kernel, DDWs (Dynamic DMA Windows) are scanned and added to the FDT.
+For the SR-IOV case, default DMA window "ibm,dma-window" is removed from
+the FDT and DDW added, for the device.
+
+Now, kexec hands over control to the kdump kernel.
+
+When the kdump kernel initializes, PCI busses are scanned and IOMMU
+group/tables created, in pci_dma_bus_setup_pSeriesLP(). For the SR-IOV
+case, there is no "ibm,dma-window". The original commit: b1fc44eaa9ba,
+fixes the path where memory is pre-mapped (direct mapped) to the DDW.
+When TCEs are direct mapped, there is no need to initialize IOMMU
+tables.
+
+iommu_table_setparms_lpar() only considers "ibm,dma-window" property
+when initiallizing IOMMU table. In the scenario where TCEs are
+dynamically allocated for SR-IOV, newly created IOMMU table is not
+initialized. Later, when the device driver tries to enter TCEs for the
+SR-IOV device, NULL pointer execption is thrown from iommu_area_alloc().
+
+The fix is to initialize the IOMMU table with DDW property stored in the
+FDT. There are 2 points to remember:
+
+ 1. For the dedicated adapter, kdump kernel would encounter both
+ default and DDW in FDT. In this case, DDW property is used to
+ initialize the IOMMU table.
+
+ 2. A DDW could be direct or dynamic mapped. kdump kernel would
+ initialize IOMMU table and mark the existing DDW as
+ "dynamic". This works fine since, at the time of table
+ initialization, iommu_table_clear() makes some space in the
+ DDW, for some predefined number of TCEs which are needed for
+ kdump to succeed.
+
+The Linux kernel CVE team has assigned CVE-2024-26745 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.0 with commit b1fc44eaa9ba and fixed in 6.1.81 with commit 7eb95e0af5c9
+ Issue introduced in 6.0 with commit b1fc44eaa9ba and fixed in 6.6.21 with commit d4d1e4b1513d
+ Issue introduced in 6.0 with commit b1fc44eaa9ba and fixed in 6.7.9 with commit 5da6d306f315
+ Issue introduced in 6.0 with commit b1fc44eaa9ba and fixed in 6.8 with commit 09a3c1e46142
+ Issue introduced in 5.18.18 with commit b9f08b2649dd
+ Issue introduced in 5.19.2 with commit 58942f672c6d
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26745
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/powerpc/platforms/pseries/iommu.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/7eb95e0af5c9c2e6fad50356eaf32d216d0e7bc3
+ https://git.kernel.org/stable/c/d4d1e4b1513d975961de7bb4f75e450a92d65ebf
+ https://git.kernel.org/stable/c/5da6d306f315344af1ca2eff4bd9b10b130f0c28
+ https://git.kernel.org/stable/c/09a3c1e46142199adcee372a420b024b4fc61051
diff --git a/cve/published/2024/CVE-2024-26745.sha1 b/cve/published/2024/CVE-2024-26745.sha1
new file mode 100644
index 00000000..5ec0429b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26745.sha1
@@ -0,0 +1 @@
+09a3c1e46142199adcee372a420b024b4fc61051
diff --git a/cve/reserved/2024/CVE-2024-26746 b/cve/published/2024/CVE-2024-26746
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26746
+++ b/cve/published/2024/CVE-2024-26746
diff --git a/cve/published/2024/CVE-2024-26746.json b/cve/published/2024/CVE-2024-26746.json
new file mode 100644
index 00000000..904dace2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26746.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Ensure safe user copy of completion record\n\nIf CONFIG_HARDENED_USERCOPY is enabled, copying completion record from\nevent log cache to user triggers a kernel bug.\n\n[ 1987.159822] usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa0' (offset 74, size 31)!\n[ 1987.170845] ------------[ cut here ]------------\n[ 1987.176086] kernel BUG at mm/usercopy.c:102!\n[ 1987.180946] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 1987.186866] CPU: 17 PID: 528 Comm: kworker/17:1 Not tainted 6.8.0-rc2+ #5\n[ 1987.194537] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n[ 1987.206405] Workqueue: wq0.0 idxd_evl_fault_work [idxd]\n[ 1987.212338] RIP: 0010:usercopy_abort+0x72/0x90\n[ 1987.217381] Code: 58 65 9c 50 48 c7 c2 17 85 61 9c 57 48 c7 c7 98 fd 6b 9c 48 0f 44 d6 48 c7 c6 b3 08 62 9c 4c 89 d1 49 0f 44 f3 e8 1e 2e d5 ff <0f> 0b 49 c7 c1 9e 42 61 9c 4c 89 cf 4d 89 c8 eb a9 66 66 2e 0f 1f\n[ 1987.238505] RSP: 0018:ff62f5cf20607d60 EFLAGS: 00010246\n[ 1987.244423] RAX: 000000000000005f RBX: 000000000000001f RCX: 0000000000000000\n[ 1987.252480] RDX: 0000000000000000 RSI: ffffffff9c61429e RDI: 00000000ffffffff\n[ 1987.260538] RBP: ff62f5cf20607d78 R08: ff2a6a89ef3fffe8 R09: 00000000fffeffff\n[ 1987.268595] R10: ff2a6a89eed00000 R11: 0000000000000003 R12: ff2a66934849c89a\n[ 1987.276652] R13: 0000000000000001 R14: ff2a66934849c8b9 R15: ff2a66934849c899\n[ 1987.284710] FS: 0000000000000000(0000) GS:ff2a66b22fe40000(0000) knlGS:0000000000000000\n[ 1987.293850] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1987.300355] CR2: 00007fe291a37000 CR3: 000000010fbd4005 CR4: 0000000000f71ef0\n[ 1987.308413] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1987.316470] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 1987.324527] PKRU: 55555554\n[ 1987.327622] Call 
Trace:\n[ 1987.330424] <TASK>\n[ 1987.332826] ? show_regs+0x6e/0x80\n[ 1987.336703] ? die+0x3c/0xa0\n[ 1987.339988] ? do_trap+0xd4/0xf0\n[ 1987.343662] ? do_error_trap+0x75/0xa0\n[ 1987.347922] ? usercopy_abort+0x72/0x90\n[ 1987.352277] ? exc_invalid_op+0x57/0x80\n[ 1987.356634] ? usercopy_abort+0x72/0x90\n[ 1987.360988] ? asm_exc_invalid_op+0x1f/0x30\n[ 1987.365734] ? usercopy_abort+0x72/0x90\n[ 1987.370088] __check_heap_object+0xb7/0xd0\n[ 1987.374739] __check_object_size+0x175/0x2d0\n[ 1987.379588] idxd_copy_cr+0xa9/0x130 [idxd]\n[ 1987.384341] idxd_evl_fault_work+0x127/0x390 [idxd]\n[ 1987.389878] process_one_work+0x13e/0x300\n[ 1987.394435] ? __pfx_worker_thread+0x10/0x10\n[ 1987.399284] worker_thread+0x2f7/0x420\n[ 1987.403544] ? _raw_spin_unlock_irqrestore+0x2b/0x50\n[ 1987.409171] ? __pfx_worker_thread+0x10/0x10\n[ 1987.414019] kthread+0x107/0x140\n[ 1987.417693] ? __pfx_kthread+0x10/0x10\n[ 1987.421954] ret_from_fork+0x3d/0x60\n[ 1987.426019] ? __pfx_kthread+0x10/0x10\n[ 1987.430281] ret_from_fork_asm+0x1b/0x30\n[ 1987.434744] </TASK>\n\nThe issue arises because event log cache is created using\nkmem_cache_create() which is not suitable for user copy.\n\nFix the issue by creating event log cache with\nkmem_cache_create_usercopy(), ensuring safe user copy."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "c2f156bf168f",
+ "lessThan": "5e3022ea42e4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c2f156bf168f",
+ "lessThan": "bb71e0403231",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c2f156bf168f",
+ "lessThan": "d3ea125df37d",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.4",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.4",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/5e3022ea42e490a36ec6f2cfa6fc603deb0bace4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bb71e040323175e18c233a9afef32ba14fa64eb7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d3ea125df37dc37972d581b74a5d3785c3f283ab"
+ }
+ ],
+ "title": "dmaengine: idxd: Ensure safe user copy of completion record",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26746",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26746.mbox b/cve/published/2024/CVE-2024-26746.mbox
new file mode 100644
index 00000000..d3aef991
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26746.mbox
@@ -0,0 +1,121 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26746: dmaengine: idxd: Ensure safe user copy of completion record
+Message-Id: <2024040457-CVE-2024-26746-8aa9@gregkh>
+Content-Length: 4873
+Lines: 104
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4978;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=+eUp0xnXA327G7wqHWyRfnBsYIxgMyE619EysXInvoU=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yYkX13F6T1lSO+l+y4KUnd3/5i8vfHpKsPe2kOLE/
+ ab2UifiOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiiXsY5meKvJHu5ty900n4
+ S4vumhVPdpSar2aYp5rD/eGql9/Vk/OP2qmfvvGi6Jd7IwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+dmaengine: idxd: Ensure safe user copy of completion record
+
+If CONFIG_HARDENED_USERCOPY is enabled, copying completion record from
+event log cache to user triggers a kernel bug.
+
+[ 1987.159822] usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa0' (offset 74, size 31)!
+[ 1987.170845] ------------[ cut here ]------------
+[ 1987.176086] kernel BUG at mm/usercopy.c:102!
+[ 1987.180946] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+[ 1987.186866] CPU: 17 PID: 528 Comm: kworker/17:1 Not tainted 6.8.0-rc2+ #5
+[ 1987.194537] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023
+[ 1987.206405] Workqueue: wq0.0 idxd_evl_fault_work [idxd]
+[ 1987.212338] RIP: 0010:usercopy_abort+0x72/0x90
+[ 1987.217381] Code: 58 65 9c 50 48 c7 c2 17 85 61 9c 57 48 c7 c7 98 fd 6b 9c 48 0f 44 d6 48 c7 c6 b3 08 62 9c 4c 89 d1 49 0f 44 f3 e8 1e 2e d5 ff <0f> 0b 49 c7 c1 9e 42 61 9c 4c 89 cf 4d 89 c8 eb a9 66 66 2e 0f 1f
+[ 1987.238505] RSP: 0018:ff62f5cf20607d60 EFLAGS: 00010246
+[ 1987.244423] RAX: 000000000000005f RBX: 000000000000001f RCX: 0000000000000000
+[ 1987.252480] RDX: 0000000000000000 RSI: ffffffff9c61429e RDI: 00000000ffffffff
+[ 1987.260538] RBP: ff62f5cf20607d78 R08: ff2a6a89ef3fffe8 R09: 00000000fffeffff
+[ 1987.268595] R10: ff2a6a89eed00000 R11: 0000000000000003 R12: ff2a66934849c89a
+[ 1987.276652] R13: 0000000000000001 R14: ff2a66934849c8b9 R15: ff2a66934849c899
+[ 1987.284710] FS: 0000000000000000(0000) GS:ff2a66b22fe40000(0000) knlGS:0000000000000000
+[ 1987.293850] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1987.300355] CR2: 00007fe291a37000 CR3: 000000010fbd4005 CR4: 0000000000f71ef0
+[ 1987.308413] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1987.316470] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+[ 1987.324527] PKRU: 55555554
+[ 1987.327622] Call Trace:
+[ 1987.330424] <TASK>
+[ 1987.332826] ? show_regs+0x6e/0x80
+[ 1987.336703] ? die+0x3c/0xa0
+[ 1987.339988] ? do_trap+0xd4/0xf0
+[ 1987.343662] ? do_error_trap+0x75/0xa0
+[ 1987.347922] ? usercopy_abort+0x72/0x90
+[ 1987.352277] ? exc_invalid_op+0x57/0x80
+[ 1987.356634] ? usercopy_abort+0x72/0x90
+[ 1987.360988] ? asm_exc_invalid_op+0x1f/0x30
+[ 1987.365734] ? usercopy_abort+0x72/0x90
+[ 1987.370088] __check_heap_object+0xb7/0xd0
+[ 1987.374739] __check_object_size+0x175/0x2d0
+[ 1987.379588] idxd_copy_cr+0xa9/0x130 [idxd]
+[ 1987.384341] idxd_evl_fault_work+0x127/0x390 [idxd]
+[ 1987.389878] process_one_work+0x13e/0x300
+[ 1987.394435] ? __pfx_worker_thread+0x10/0x10
+[ 1987.399284] worker_thread+0x2f7/0x420
+[ 1987.403544] ? _raw_spin_unlock_irqrestore+0x2b/0x50
+[ 1987.409171] ? __pfx_worker_thread+0x10/0x10
+[ 1987.414019] kthread+0x107/0x140
+[ 1987.417693] ? __pfx_kthread+0x10/0x10
+[ 1987.421954] ret_from_fork+0x3d/0x60
+[ 1987.426019] ? __pfx_kthread+0x10/0x10
+[ 1987.430281] ret_from_fork_asm+0x1b/0x30
+[ 1987.434744] </TASK>
+
+The issue arises because event log cache is created using
+kmem_cache_create() which is not suitable for user copy.
+
+Fix the issue by creating event log cache with
+kmem_cache_create_usercopy(), ensuring safe user copy.
+
+The Linux kernel CVE team has assigned CVE-2024-26746 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.4 with commit c2f156bf168f and fixed in 6.6.21 with commit 5e3022ea42e4
+ Issue introduced in 6.4 with commit c2f156bf168f and fixed in 6.7.9 with commit bb71e0403231
+ Issue introduced in 6.4 with commit c2f156bf168f and fixed in 6.8 with commit d3ea125df37d
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26746
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/dma/idxd/init.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/5e3022ea42e490a36ec6f2cfa6fc603deb0bace4
+ https://git.kernel.org/stable/c/bb71e040323175e18c233a9afef32ba14fa64eb7
+ https://git.kernel.org/stable/c/d3ea125df37dc37972d581b74a5d3785c3f283ab
diff --git a/cve/published/2024/CVE-2024-26746.sha1 b/cve/published/2024/CVE-2024-26746.sha1
new file mode 100644
index 00000000..8fbf680d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26746.sha1
@@ -0,0 +1 @@
+d3ea125df37dc37972d581b74a5d3785c3f283ab
diff --git a/cve/reserved/2024/CVE-2024-26750 b/cve/published/2024/CVE-2024-26750
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26750
+++ b/cve/published/2024/CVE-2024-26750
diff --git a/cve/published/2024/CVE-2024-26750.json b/cve/published/2024/CVE-2024-26750.json
new file mode 100644
index 00000000..a9b4a19b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26750.json
@@ -0,0 +1,63 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Drop oob_skb ref before purging queue in GC.\n\nsyzbot reported another task hung in __unix_gc(). [0]\n\nThe current while loop assumes that all of the left candidates\nhave oob_skb and calling kfree_skb(oob_skb) releases the remaining\ncandidates.\n\nHowever, I missed a case that oob_skb has self-referencing fd and\nanother fd and the latter sk is placed before the former in the\ncandidate list. Then, the while loop never proceeds, resulting\nthe task hung.\n\n__unix_gc() has the same loop just before purging the collected skb,\nso we can call kfree_skb(oob_skb) there and let __skb_queue_purge()\nrelease all inflight sockets.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: events_unbound __unix_gc\nRIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200\nCode: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70\nRSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287\nRAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80\nRDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000\nRBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84\nR10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee\nR13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840\nFS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall 
Trace:\n <NMI>\n </NMI>\n <TASK>\n __unix_gc+0xe69/0xf40 net/unix/garbage.c:343\n process_one_work kernel/workqueue.c:2633 [inline]\n process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706\n worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787\n kthread+0x2ef/0x390 kernel/kthread.c:388\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n </TASK>"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "36f7371de977",
+ "lessThan": "6c480d0f1318",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.149",
+ "lessThan": "5.15.151",
+ "status": "affected",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6"
+ }
+ ],
+ "title": "af_unix: Drop oob_skb ref before purging queue in GC.",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26750",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
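Review bot: The `affected` array marks only the 5.15.149–5.15.151 range and `references` carries only 6c480d0f1318, while the companion CVE-2024-26750.mbox hunk lists five fix commits in its Mitigation section and the .sha1 file names aa82ac51d633 as the mainline fix, so with `"defaultStatus": "unaffected"` a consumer of this record would read 6.1, 6.6, 6.7 and mainline as never affected even though the commit title assigns this CVE for a 6.7.9 change. If the other four commits resolve the same bug on those branches they need matching `versions` entries and `references`; if the narrow range is intended because the introducing commit 36f7371de977 exists only in 5.15, the record is consistent but the mbox Mitigation list then over-reports, and one of the two should be corrected. The same pattern appears in CVE-2024-26780.json, whose `affected` omits the 5.15 and mainline commits its mbox lists.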
diff --git a/cve/published/2024/CVE-2024-26750.mbox b/cve/published/2024/CVE-2024-26750.mbox
new file mode 100644
index 00000000..4c4ece8c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26750.mbox
@@ -0,0 +1,111 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26750: af_unix: Drop oob_skb ref before purging queue in GC.
+Message-Id: <2024040457-CVE-2024-26750-4468@gregkh>
+Content-Length: 3957
+Lines: 94
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4052;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=9tkpe3fxoGaI4zYD9HiJ0EP0cg8NlQnW2eeHODT5dIo=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yYk/9Y9Ouy16YsKJg7OeJXTN+d7xS6n0W37u11+bN
+ z1Sq8r93xHLwiDIxCArpsjyZRvP0f0VhxS9DG1Pw8xhZQIZwsDFKQATmczJML90RkuYDS/LeoeM
+ 3dvUJU6JfFz2SJphwYIed1bLREXt/OSYhBbGtmlb7LacAAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+af_unix: Drop oob_skb ref before purging queue in GC.
+
+syzbot reported another task hung in __unix_gc(). [0]
+
+The current while loop assumes that all of the left candidates
+have oob_skb and calling kfree_skb(oob_skb) releases the remaining
+candidates.
+
+However, I missed a case that oob_skb has self-referencing fd and
+another fd and the latter sk is placed before the former in the
+candidate list. Then, the while loop never proceeds, resulting
+the task hung.
+
+__unix_gc() has the same loop just before purging the collected skb,
+so we can call kfree_skb(oob_skb) there and let __skb_queue_purge()
+release all inflight sockets.
+
+[0]:
+Sending NMI from CPU 0 to CPUs 1:
+NMI backtrace for cpu 1
+CPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+Workqueue: events_unbound __unix_gc
+RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200
+Code: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70
+RSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287
+RAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80
+RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
+RBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84
+R10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee
+R13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840
+FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <NMI>
+ </NMI>
+ <TASK>
+ __unix_gc+0xe69/0xf40 net/unix/garbage.c:343
+ process_one_work kernel/workqueue.c:2633 [inline]
+ process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
+ worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
+ kthread+0x2ef/0x390 kernel/kthread.c:388
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
+ </TASK>
+
+The Linux kernel CVE team has assigned CVE-2024-26750 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.15.149 with commit 36f7371de977 and fixed in 5.15.151 with commit 6c480d0f1318
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26750
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/unix/garbage.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6
+ https://git.kernel.org/stable/c/c4c795b21dd23d9514ae1c6646c3fb2c78b5be60
+ https://git.kernel.org/stable/c/e9eac260369d0cf57ea53df95427125725507a0d
+ https://git.kernel.org/stable/c/43ba9e331559a30000c862eea313248707afa787
+ https://git.kernel.org/stable/c/aa82ac51d63328714645c827775d64dbfd9941f3
diff --git a/cve/published/2024/CVE-2024-26750.sha1 b/cve/published/2024/CVE-2024-26750.sha1
new file mode 100644
index 00000000..4e69cc31
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26750.sha1
@@ -0,0 +1 @@
+aa82ac51d63328714645c827775d64dbfd9941f3
diff --git a/cve/reserved/2024/CVE-2024-26780 b/cve/published/2024/CVE-2024-26780
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26780
+++ b/cve/published/2024/CVE-2024-26780
diff --git a/cve/published/2024/CVE-2024-26780.json b/cve/published/2024/CVE-2024-26780.json
new file mode 100644
index 00000000..f8746f00
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26780.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix task hung while purging oob_skb in GC.\n\nsyzbot reported a task hung; at the same time, GC was looping infinitely\nin list_for_each_entry_safe() for OOB skb. [0]\n\nsyzbot demonstrated that the list_for_each_entry_safe() was not actually\nsafe in this case.\n\nA single skb could have references for multiple sockets. If we free such\na skb in the list_for_each_entry_safe(), the current and next sockets could\nbe unlinked in a single iteration.\n\nunix_notinflight() uses list_del_init() to unlink the socket, so the\nprefetched next socket forms a loop itself and list_for_each_entry_safe()\nnever stops.\n\nHere, we must use while() and make sure we always fetch the first socket.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nRIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]\nRIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]\nRIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207\nCode: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74\nRSP: 0018:ffffc900033efa58 EFLAGS: 00000283\nRAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189\nRDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70\nRBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c\nR10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800\nR13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 
00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <NMI>\n </NMI>\n <TASK>\n unix_gc+0x563/0x13b0 net/unix/garbage.c:319\n unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683\n unix_release+0x91/0xf0 net/unix/af_unix.c:1064\n __sock_release+0xb0/0x270 net/socket.c:659\n sock_close+0x1c/0x30 net/socket.c:1421\n __fput+0x270/0xb80 fs/file_table.c:376\n task_work_run+0x14f/0x250 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xa8a/0x2ad0 kernel/exit.c:871\n do_group_exit+0xd4/0x2a0 kernel/exit.c:1020\n __do_sys_exit_group kernel/exit.c:1031 [inline]\n __se_sys_exit_group kernel/exit.c:1029 [inline]\n __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f9d6cbdac09\nCode: Unable to access opcode bytes at 0x7f9d6cbdabdf.\nRSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0\nR13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70\n </TASK>"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "e0e09186d882",
+ "lessThan": "2a3d40b4025f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b74aa9ce13d0",
+ "lessThan": "69e0f04460f4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "82ae47c5c3a6",
+ "lessThan": "cb8890318dde",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.1.78",
+ "lessThan": "6.1.81",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.17",
+ "lessThan": "6.6.21",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.5",
+ "lessThan": "6.7.9",
+ "status": "affected",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2a3d40b4025fcfe51b04924979f1653993b17669"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/69e0f04460f4037e01e29f0d9675544f62aafca3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cb8890318dde26fc89c6ea67d6e9070ab50b6e91"
+ }
+ ],
+ "title": "af_unix: Fix task hung while purging oob_skb in GC.",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26780",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
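Review bot: `affected` covers only the 6.1, 6.6 and 6.7 stable ranges, yet the Mitigation section of the companion CVE-2024-26780.mbox also lists 36f7371de977 and 25236c91b5ab, neither of which appears in `references`, and the embedded syzbot report was taken on 6.8.0-rc3. Leaving out a mainline range may be deliberate if the bug was both introduced and fixed inside the 6.8 cycle, but that is an inference; the 5.15 omission looks inconsistent, since CVE-2024-26750.mbox records 36f7371de977 as landing in 5.15.149, which suggests 5.15 carried the affected code as well. The two records are also linked in a way worth stating in the description: per CVE-2024-26750, 36f7371de977 itself introduced a follow-on hang, so anyone applying this fix on 5.15 without 6c480d0f1318 trades one bug for another.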
diff --git a/cve/published/2024/CVE-2024-26780.mbox b/cve/published/2024/CVE-2024-26780.mbox
new file mode 100644
index 00000000..bb95db5b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26780.mbox
@@ -0,0 +1,132 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26780: af_unix: Fix task hung while purging oob_skb in GC.
+Message-Id: <2024040458-CVE-2024-26780-9951@gregkh>
+Content-Length: 5158
+Lines: 115
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5274;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=RBRKBoDPG9GtAqDAXgZvSUwH1NNsAVlC4gcxCuYW6Ys=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yUmlTlPfTJfukbvekv9j6+kjEzWUFsc9V5u/9Ftl0
+ Lljl3r+d8SyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEPnQwzC//laWjtzo42IhN
+ 6Ytyy8fw3aGL9RjmZxWo837mX9bbY/DXmMVW00HSyfYTAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+af_unix: Fix task hung while purging oob_skb in GC.
+
+syzbot reported a task hung; at the same time, GC was looping infinitely
+in list_for_each_entry_safe() for OOB skb. [0]
+
+syzbot demonstrated that the list_for_each_entry_safe() was not actually
+safe in this case.
+
+A single skb could have references for multiple sockets. If we free such
+a skb in the list_for_each_entry_safe(), the current and next sockets could
+be unlinked in a single iteration.
+
+unix_notinflight() uses list_del_init() to unlink the socket, so the
+prefetched next socket forms a loop itself and list_for_each_entry_safe()
+never stops.
+
+Here, we must use while() and make sure we always fetch the first socket.
+
+[0]:
+Sending NMI from CPU 0 to CPUs 1:
+NMI backtrace for cpu 1
+CPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
+RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
+RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207
+Code: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74
+RSP: 0018:ffffc900033efa58 EFLAGS: 00000283
+RAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189
+RDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70
+RBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c
+R10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800
+R13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001
+FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <NMI>
+ </NMI>
+ <TASK>
+ unix_gc+0x563/0x13b0 net/unix/garbage.c:319
+ unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683
+ unix_release+0x91/0xf0 net/unix/af_unix.c:1064
+ __sock_release+0xb0/0x270 net/socket.c:659
+ sock_close+0x1c/0x30 net/socket.c:1421
+ __fput+0x270/0xb80 fs/file_table.c:376
+ task_work_run+0x14f/0x250 kernel/task_work.c:180
+ exit_task_work include/linux/task_work.h:38 [inline]
+ do_exit+0xa8a/0x2ad0 kernel/exit.c:871
+ do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
+ __do_sys_exit_group kernel/exit.c:1031 [inline]
+ __se_sys_exit_group kernel/exit.c:1029 [inline]
+ __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+RIP: 0033:0x7f9d6cbdac09
+Code: Unable to access opcode bytes at 0x7f9d6cbdabdf.
+RSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09
+RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
+RBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006
+R10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0
+R13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70
+ </TASK>
+
+The Linux kernel CVE team has assigned CVE-2024-26780 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.1.78 with commit e0e09186d882 and fixed in 6.1.81 with commit 2a3d40b4025f
+ Issue introduced in 6.6.17 with commit b74aa9ce13d0 and fixed in 6.6.21 with commit 69e0f04460f4
+ Issue introduced in 6.7.5 with commit 82ae47c5c3a6 and fixed in 6.7.9 with commit cb8890318dde
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26780
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/unix/garbage.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/36f7371de977f805750748e80279be7e370df85c
+ https://git.kernel.org/stable/c/2a3d40b4025fcfe51b04924979f1653993b17669
+ https://git.kernel.org/stable/c/69e0f04460f4037e01e29f0d9675544f62aafca3
+ https://git.kernel.org/stable/c/cb8890318dde26fc89c6ea67d6e9070ab50b6e91
+ https://git.kernel.org/stable/c/25236c91b5ab4a26a56ba2e79b8060cf4e047839
diff --git a/cve/published/2024/CVE-2024-26780.sha1 b/cve/published/2024/CVE-2024-26780.sha1
new file mode 100644
index 00000000..dc0ddb94
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26780.sha1
@@ -0,0 +1 @@
+25236c91b5ab4a26a56ba2e79b8060cf4e047839
diff --git a/cve/reserved/2024/CVE-2024-26781 b/cve/published/2024/CVE-2024-26781
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26781
+++ b/cve/published/2024/CVE-2024-26781
diff --git a/cve/published/2024/CVE-2024-26781.json b/cve/published/2024/CVE-2024-26781.json
new file mode 100644
index 00000000..d275e258
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26781.json
@@ -0,0 +1,123 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix possible deadlock in subflow diag\n\nSyzbot and Eric reported a lockdep splat in the subflow diag:\n\n WARNING: possible circular locking dependency detected\n 6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted\n\n syz-executor.2/24141 is trying to acquire lock:\n ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n\n but task is already holding lock:\n ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock\n include/linux/spinlock.h:351 [inline]\n ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at:\n inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]\n _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154\n spin_lock include/linux/spinlock.h:351 [inline]\n __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743\n inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261\n __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217\n inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239\n rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316\n rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577\n ops_init+0x352/0x610 net/core/net_namespace.c:136\n __register_pernet_operations net/core/net_namespace.c:1214 [inline]\n register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283\n register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370\n rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735\n do_one_initcall+0x238/0x830 init/main.c:1236\n do_initcall_level+0x157/0x210 init/main.c:1298\n do_initcalls+0x3f/0x80 
init/main.c:1314\n kernel_init_freeable+0x42f/0x5d0 init/main.c:1551\n kernel_init+0x1d/0x2a0 init/main.c:1441\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n\n -> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n lock_sock_fast include/net/sock.h:1723 [inline]\n subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28\n tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345\n inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061\n __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263\n inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371\n netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264\n __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370\n netlink_dump_start include/linux/netlink.h:338 [inline]\n inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405\n sock_diag_rcv_msg+0xe7/0x410\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nAs noted by Eric we can break the lock dependency chain avoid\ndumping \n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "8affdbb3e2ef",
+ "lessThan": "70e5b013538d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7d6e8d7ee13b",
+ "lessThan": "cc32ba2fdf3f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "71787c665d09",
+ "lessThan": "f27d319df055",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e074c8297ee4",
+ "lessThan": "fa8c776f4c32",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "298ac00da8e6",
+ "lessThan": "d487e7ba1bc7",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.211",
+ "lessThan": "5.10.212",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThan": "5.15.151",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThan": "6.1.81",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThan": "6.6.21",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThan": "6.7.9",
+ "status": "affected",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63"
+ }
+ ],
+ "title": "mptcp: fix possible deadlock in subflow diag",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26781",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26781.mbox b/cve/published/2024/CVE-2024-26781.mbox
new file mode 100644
index 00000000..ef242e83
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26781.mbox
@@ -0,0 +1,150 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26781: mptcp: fix possible deadlock in subflow diag
+Message-Id: <2024040458-CVE-2024-26781-0389@gregkh>
+Content-Length: 6146
+Lines: 133
+X-Developer-Signature: v=1; a=openpgp-sha256; l=6280;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Iq724xf8zDBBub7jZWKHHvFxMDuiC6Q2EYn7C+3ZR9I=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yUktj73q//yZ/27H1ZUsigyTXkyseCZ6+fOGAt3i4
+ hxvxSmdHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRuSUM810+CB83nHpIO/tk
+ VViCiTartbmfL8M862ubpS+cdv5i+OS4qaim1NTbh5WLAQ==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+mptcp: fix possible deadlock in subflow diag
+
+Syzbot and Eric reported a lockdep splat in the subflow diag:
+
+ WARNING: possible circular locking dependency detected
+ 6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted
+
+ syz-executor.2/24141 is trying to acquire lock:
+ ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:
+ tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
+ ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:
+ tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137
+
+ but task is already holding lock:
+ ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock
+ include/linux/spinlock.h:351 [inline]
+ ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at:
+ inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:
+ lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
+ __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
+ _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
+ spin_lock include/linux/spinlock.h:351 [inline]
+ __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743
+ inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261
+ __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217
+ inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239
+ rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316
+ rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577
+ ops_init+0x352/0x610 net/core/net_namespace.c:136
+ __register_pernet_operations net/core/net_namespace.c:1214 [inline]
+ register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283
+ register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370
+ rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735
+ do_one_initcall+0x238/0x830 init/main.c:1236
+ do_initcall_level+0x157/0x210 init/main.c:1298
+ do_initcalls+0x3f/0x80 init/main.c:1314
+ kernel_init_freeable+0x42f/0x5d0 init/main.c:1551
+ kernel_init+0x1d/0x2a0 init/main.c:1441
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
+
+ -> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:
+ check_prev_add kernel/locking/lockdep.c:3134 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3253 [inline]
+ validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869
+ __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
+ lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
+ lock_sock_fast include/net/sock.h:1723 [inline]
+ subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28
+ tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
+ tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137
+ inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345
+ inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061
+ __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263
+ inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371
+ netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264
+ __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370
+ netlink_dump_start include/linux/netlink.h:338 [inline]
+ inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405
+ sock_diag_rcv_msg+0xe7/0x410
+ netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
+ sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
+ netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
+ netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
+ netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x221/0x270 net/socket.c:745
+ ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
+ ___sys_sendmsg net/socket.c:2638 [inline]
+ __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+
+As noted by Eric we can break the lock dependency chain avoid
+dumping any extended info for the mptcp subflow listener:
+nothing actually useful is presented there.
+
+The Linux kernel CVE team has assigned CVE-2024-26781 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.10.211 with commit 8affdbb3e2ef and fixed in 5.10.212 with commit 70e5b013538d
+ Issue introduced in 5.15.150 with commit 7d6e8d7ee13b and fixed in 5.15.151 with commit cc32ba2fdf3f
+ Issue introduced in 6.1.80 with commit 71787c665d09 and fixed in 6.1.81 with commit f27d319df055
+ Issue introduced in 6.6.19 with commit e074c8297ee4 and fixed in 6.6.21 with commit fa8c776f4c32
+ Issue introduced in 6.7.7 with commit 298ac00da8e6 and fixed in 6.7.9 with commit d487e7ba1bc7
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26781
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/mptcp/diag.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee
+ https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d
+ https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e
+ https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430
+ https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63
+ https://git.kernel.org/stable/c/d6a9608af9a75d13243d217f6ce1e30e57d56ffe
diff --git a/cve/published/2024/CVE-2024-26781.sha1 b/cve/published/2024/CVE-2024-26781.sha1
new file mode 100644
index 00000000..159f8807
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26781.sha1
@@ -0,0 +1 @@
+d6a9608af9a75d13243d217f6ce1e30e57d56ffe
diff --git a/cve/reserved/2024/CVE-2024-26782 b/cve/published/2024/CVE-2024-26782
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26782
+++ b/cve/published/2024/CVE-2024-26782
diff --git a/cve/published/2024/CVE-2024-26782.json b/cve/published/2024/CVE-2024-26782.json
new file mode 100644
index 00000000..abf5a84d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26782.json
@@ -0,0 +1,148 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix double-free on socket dismantle\n\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\n\n BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n Free of addr ffff888485950880 by task swapper/25/0\n\n CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013\n Call Trace:\n <IRQ>\n dump_stack_lvl+0x32/0x50\n print_report+0xca/0x620\n kasan_report_invalid_free+0x64/0x90\n __kasan_slab_free+0x1aa/0x1f0\n kfree+0xed/0x2e0\n inet_sock_destruct+0x54f/0x8b0\n __sk_destruct+0x48/0x5b0\n rcu_do_batch+0x34e/0xd90\n rcu_core+0x559/0xac0\n __do_softirq+0x183/0x5a4\n irq_exit_rcu+0x12d/0x170\n sysvec_apic_timer_interrupt+0x6b/0x80\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x16/0x20\n RIP: 0010:cpuidle_enter_state+0x175/0x300\n Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n cpuidle_enter+0x4a/0xa0\n do_idle+0x310/0x410\n cpu_startup_entry+0x51/0x60\n start_secondary+0x211/0x270\n secondary_startup_64_no_verify+0x184/0x18b\n </TASK>\n\n Allocated by task 6853:\n kasan_save_stack+0x1c/0x40\n kasan_save_track+0x10/0x30\n 
__kasan_kmalloc+0xa6/0xb0\n __kmalloc+0x1eb/0x450\n cipso_v4_sock_setattr+0x96/0x360\n netlbl_sock_setattr+0x132/0x1f0\n selinux_netlbl_socket_post_create+0x6c/0x110\n selinux_socket_post_create+0x37b/0x7f0\n security_socket_post_create+0x63/0xb0\n __sock_create+0x305/0x450\n __sys_socket_create.part.23+0xbd/0x130\n __sys_socket+0x37/0xb0\n __x64_sys_socket+0x6f/0xb0\n do_syscall_64+0x83/0x160\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 6858:\n kasan_save_stack+0x1c/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x12c/0x1f0\n kfree+0xed/0x2e0\n inet_sock_destruct+0x54f/0x8b0\n __sk_destruct+0x48/0x5b0\n subflow_ulp_release+0x1f0/0x250\n tcp_cleanup_ulp+0x6e/0x110\n tcp_v4_destroy_sock+0x5a/0x3a0\n inet_csk_destroy_sock+0x135/0x390\n tcp_fin+0x416/0x5c0\n tcp_data_queue+0x1bc8/0x4310\n tcp_rcv_state_process+0x15a3/0x47b0\n tcp_v4_do_rcv+0x2c1/0x990\n tcp_v4_rcv+0x41fb/0x5ed0\n ip_protocol_deliver_rcu+0x6d/0x9f0\n ip_local_deliver_finish+0x278/0x360\n ip_local_deliver+0x182/0x2c0\n ip_rcv+0xb5/0x1c0\n __netif_receive_skb_one_core+0x16e/0x1b0\n process_backlog+0x1e3/0x650\n __napi_poll+0xa6/0x500\n net_rx_action+0x740/0xbb0\n __do_softirq+0x183/0x5a4\n\n The buggy address belongs to the object at ffff888485950880\n which belongs to the cache kmalloc-64 of size 64\n The buggy address is located 0 bytes inside of\n 64-byte region [ffff888485950880, ffff8884859508c0)\n\n The buggy address belongs to the physical page:\n page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888485950780: fa fb fb\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "cf7da0d66cc1",
+ "lessThan": "f74362a00422",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "cf7da0d66cc1",
+ "lessThan": "4a4eeb691253",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "cf7da0d66cc1",
+ "lessThan": "d93fd40c6239",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "cf7da0d66cc1",
+ "lessThan": "ce0809ada38d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "cf7da0d66cc1",
+ "lessThan": "85933e80d077",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "cf7da0d66cc1",
+ "lessThan": "10048689def7",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.6",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.6",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.212",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c"
+ }
+ ],
+ "title": "mptcp: fix double-free on socket dismantle",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26782",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26782.mbox b/cve/published/2024/CVE-2024-26782.mbox
new file mode 100644
index 00000000..4cab93ba
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26782.mbox
@@ -0,0 +1,181 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26782: mptcp: fix double-free on socket dismantle
+Message-Id: <2024040458-CVE-2024-26782-71ca@gregkh>
+Content-Length: 6675
+Lines: 164
+X-Developer-Signature: v=1; a=openpgp-sha256; l=6840;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=cqtIbh0i0IOKaKgsivelwxmS/u3RRz1izCaqb/UVT00=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yUl9BUvLHB2ffz0fUG3V+cWHh2nm1pBN8T28Iew1C
+ 0IM8391xLIwCDIxyIopsnzZxnN0f8UhRS9D29Mwc1iZQIYwcHEKwETOdjIsmGf2TWCHYFFRS0QU
+ u9MdLl0NC64LDPMDrL+dOvX/g5z9sae+Gl9ERK9kszcCAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+mptcp: fix double-free on socket dismantle
+
+when MPTCP server accepts an incoming connection, it clones its listener
+socket. However, the pointer to 'inet_opt' for the new socket has the same
+value as the original one: as a consequence, on program exit it's possible
+to observe the following splat:
+
+ BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0
+ Free of addr ffff888485950880 by task swapper/25/0
+
+ CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609
+ Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013
+ Call Trace:
+ <IRQ>
+ dump_stack_lvl+0x32/0x50
+ print_report+0xca/0x620
+ kasan_report_invalid_free+0x64/0x90
+ __kasan_slab_free+0x1aa/0x1f0
+ kfree+0xed/0x2e0
+ inet_sock_destruct+0x54f/0x8b0
+ __sk_destruct+0x48/0x5b0
+ rcu_do_batch+0x34e/0xd90
+ rcu_core+0x559/0xac0
+ __do_softirq+0x183/0x5a4
+ irq_exit_rcu+0x12d/0x170
+ sysvec_apic_timer_interrupt+0x6b/0x80
+ </IRQ>
+ <TASK>
+ asm_sysvec_apic_timer_interrupt+0x16/0x20
+ RIP: 0010:cpuidle_enter_state+0x175/0x300
+ Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b
+ RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202
+ RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000
+ RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588
+ RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080
+ R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0
+ R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80
+ cpuidle_enter+0x4a/0xa0
+ do_idle+0x310/0x410
+ cpu_startup_entry+0x51/0x60
+ start_secondary+0x211/0x270
+ secondary_startup_64_no_verify+0x184/0x18b
+ </TASK>
+
+ Allocated by task 6853:
+ kasan_save_stack+0x1c/0x40
+ kasan_save_track+0x10/0x30
+ __kasan_kmalloc+0xa6/0xb0
+ __kmalloc+0x1eb/0x450
+ cipso_v4_sock_setattr+0x96/0x360
+ netlbl_sock_setattr+0x132/0x1f0
+ selinux_netlbl_socket_post_create+0x6c/0x110
+ selinux_socket_post_create+0x37b/0x7f0
+ security_socket_post_create+0x63/0xb0
+ __sock_create+0x305/0x450
+ __sys_socket_create.part.23+0xbd/0x130
+ __sys_socket+0x37/0xb0
+ __x64_sys_socket+0x6f/0xb0
+ do_syscall_64+0x83/0x160
+ entry_SYSCALL_64_after_hwframe+0x6e/0x76
+
+ Freed by task 6858:
+ kasan_save_stack+0x1c/0x40
+ kasan_save_track+0x10/0x30
+ kasan_save_free_info+0x3b/0x60
+ __kasan_slab_free+0x12c/0x1f0
+ kfree+0xed/0x2e0
+ inet_sock_destruct+0x54f/0x8b0
+ __sk_destruct+0x48/0x5b0
+ subflow_ulp_release+0x1f0/0x250
+ tcp_cleanup_ulp+0x6e/0x110
+ tcp_v4_destroy_sock+0x5a/0x3a0
+ inet_csk_destroy_sock+0x135/0x390
+ tcp_fin+0x416/0x5c0
+ tcp_data_queue+0x1bc8/0x4310
+ tcp_rcv_state_process+0x15a3/0x47b0
+ tcp_v4_do_rcv+0x2c1/0x990
+ tcp_v4_rcv+0x41fb/0x5ed0
+ ip_protocol_deliver_rcu+0x6d/0x9f0
+ ip_local_deliver_finish+0x278/0x360
+ ip_local_deliver+0x182/0x2c0
+ ip_rcv+0xb5/0x1c0
+ __netif_receive_skb_one_core+0x16e/0x1b0
+ process_backlog+0x1e3/0x650
+ __napi_poll+0xa6/0x500
+ net_rx_action+0x740/0xbb0
+ __do_softirq+0x183/0x5a4
+
+ The buggy address belongs to the object at ffff888485950880
+ which belongs to the cache kmalloc-64 of size 64
+ The buggy address is located 0 bytes inside of
+ 64-byte region [ffff888485950880, ffff8884859508c0)
+
+ The buggy address belongs to the physical page:
+ page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950
+ flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)
+ page_type: 0xffffffff()
+ raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006
+ raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffff888485950780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff888485950800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ >ffff888485950880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ^
+ ffff888485950900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff888485950980: 00 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc
+
+Something similar (a refcount underflow) happens with CALIPSO/IPv6. Fix
+this by duplicating IP / IPv6 options after clone, so that
+ip{,6}_sock_destruct() doesn't end up freeing the same memory area twice.
+
+The Linux kernel CVE team has assigned CVE-2024-26782 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.6 with commit cf7da0d66cc1 and fixed in 5.10.212 with commit f74362a00422
+ Issue introduced in 5.6 with commit cf7da0d66cc1 and fixed in 5.15.151 with commit 4a4eeb691253
+ Issue introduced in 5.6 with commit cf7da0d66cc1 and fixed in 6.1.81 with commit d93fd40c6239
+ Issue introduced in 5.6 with commit cf7da0d66cc1 and fixed in 6.6.21 with commit ce0809ada38d
+ Issue introduced in 5.6 with commit cf7da0d66cc1 and fixed in 6.7.9 with commit 85933e80d077
+ Issue introduced in 5.6 with commit cf7da0d66cc1 and fixed in 6.8 with commit 10048689def7
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26782
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/mptcp/protocol.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e
+ https://git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e
+ https://git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85
+ https://git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582
+ https://git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc
+ https://git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c
diff --git a/cve/published/2024/CVE-2024-26782.sha1 b/cve/published/2024/CVE-2024-26782.sha1
new file mode 100644
index 00000000..ed4ef8c4
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26782.sha1
@@ -0,0 +1 @@
+10048689def7e40a4405acda16fdc6477d4ecc5c
diff --git a/cve/reserved/2024/CVE-2024-26783 b/cve/published/2024/CVE-2024-26783
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26783
+++ b/cve/published/2024/CVE-2024-26783
diff --git a/cve/published/2024/CVE-2024-26783.json b/cve/published/2024/CVE-2024-26783.json
new file mode 100644
index 00000000..3fcacba5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26783.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index\n\nWith numa balancing on, when a numa system is running where a numa node\ndoesn't have its local memory so it has no managed zones, the following\noops has been observed. It's because wakeup_kswapd() is called with a\nwrong zone index, -1. Fixed it by checking the index before calling\nwakeup_kswapd().\n\n> BUG: unable to handle page fault for address: 00000000000033f3\n> #PF: supervisor read access in kernel mode\n> #PF: error_code(0x0000) - not-present page\n> PGD 0 P4D 0\n> Oops: 0000 [#1] PREEMPT SMP NOPTI\n> CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255\n> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n> rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n> RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812)\n> Code: (omitted)\n> RSP: 0000:ffffc90004257d58 EFLAGS: 00010286\n> RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003\n> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480\n> RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff\n> R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003\n> R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940\n> FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000\n> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n> CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0\n> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n> PKRU: 55555554\n> Call Trace:\n> <TASK>\n> ? __die\n> ? page_fault_oops\n> ? __pte_offset_map_lock\n> ? exc_page_fault\n> ? asm_exc_page_fault\n> ? 
wakeup_kswapd\n> migrate_misplaced_page\n> __handle_mm_fault\n> handle_mm_fault\n> do_user_addr_fault\n> exc_page_fault\n> asm_exc_page_fault\n> RIP: 0033:0x55b897ba0808\n> Code: (omitted)\n> RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287\n> RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0\n> RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0\n> RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075\n> R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n> R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000\n> </TASK>"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "c574bbe91703",
+ "lessThan": "d6159bd4c005",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c574bbe91703",
+ "lessThan": "bdd21eed8b72",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c574bbe91703",
+ "lessThan": "2774f256e7c0",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.18",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.18",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.22",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/d6159bd4c00594249e305bfe02304c67c506264e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bdd21eed8b72f9e28d6c279f6db258e090c79080"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2774f256e7c0219e2b0a0894af1c76bdabc4f974"
+ }
+ ],
+ "title": "mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26783",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26783.mbox b/cve/published/2024/CVE-2024-26783.mbox
new file mode 100644
index 00000000..6da6c163
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26783.mbox
@@ -0,0 +1,116 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26783: mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index
+Message-Id: <2024040458-CVE-2024-26783-68c8@gregkh>
+Content-Length: 3973
+Lines: 99
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4073;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=tolXngncyBYkNcuWluUEVSd+L6TQSC/JcwNv4A9qFw4=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yUmdj++ffRKhKz15Otuvqfcfm++4+nj7Fu2MS86Fx
+ 4VXPNu4uiOWhUGQiUFWTJHlyzaeo/srDil6GdqehpnDygQyhIGLUwAmMm0bwzxdvXfMHx2qL4d4
+ Gx97tHmbb43EAQuGeYZScu13r877ebV7Hpv8IjNHjfVCswE=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index
+
+With numa balancing on, when a numa system is running where a numa node
+doesn't have its local memory so it has no managed zones, the following
+oops has been observed. It's because wakeup_kswapd() is called with a
+wrong zone index, -1. Fixed it by checking the index before calling
+wakeup_kswapd().
+
+> BUG: unable to handle page fault for address: 00000000000033f3
+> #PF: supervisor read access in kernel mode
+> #PF: error_code(0x0000) - not-present page
+> PGD 0 P4D 0
+> Oops: 0000 [#1] PREEMPT SMP NOPTI
+> CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255
+> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+> rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+> RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812)
+> Code: (omitted)
+> RSP: 0000:ffffc90004257d58 EFLAGS: 00010286
+> RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003
+> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480
+> RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff
+> R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003
+> R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940
+> FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000
+> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+> CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0
+> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+> PKRU: 55555554
+> Call Trace:
+> <TASK>
+> ? __die
+> ? page_fault_oops
+> ? __pte_offset_map_lock
+> ? exc_page_fault
+> ? asm_exc_page_fault
+> ? wakeup_kswapd
+> migrate_misplaced_page
+> __handle_mm_fault
+> handle_mm_fault
+> do_user_addr_fault
+> exc_page_fault
+> asm_exc_page_fault
+> RIP: 0033:0x55b897ba0808
+> Code: (omitted)
+> RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287
+> RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0
+> RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0
+> RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075
+> R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
+> R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000
+> </TASK>
+
+The Linux kernel CVE team has assigned CVE-2024-26783 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.18 with commit c574bbe91703 and fixed in 6.6.22 with commit d6159bd4c005
+ Issue introduced in 5.18 with commit c574bbe91703 and fixed in 6.7.9 with commit bdd21eed8b72
+ Issue introduced in 5.18 with commit c574bbe91703 and fixed in 6.8 with commit 2774f256e7c0
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26783
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ mm/migrate.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/d6159bd4c00594249e305bfe02304c67c506264e
+ https://git.kernel.org/stable/c/bdd21eed8b72f9e28d6c279f6db258e090c79080
+ https://git.kernel.org/stable/c/2774f256e7c0219e2b0a0894af1c76bdabc4f974
diff --git a/cve/published/2024/CVE-2024-26783.sha1 b/cve/published/2024/CVE-2024-26783.sha1
new file mode 100644
index 00000000..aabf947d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26783.sha1
@@ -0,0 +1 @@
+2774f256e7c0219e2b0a0894af1c76bdabc4f974
diff --git a/cve/reserved/2024/CVE-2024-26784 b/cve/published/2024/CVE-2024-26784
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26784
+++ b/cve/published/2024/CVE-2024-26784
diff --git a/cve/published/2024/CVE-2024-26784.json b/cve/published/2024/CVE-2024-26784.json
new file mode 100644
index 00000000..61ad3f80
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26784.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: arm: Fix NULL dereference on scmi_perf_domain removal\n\nOn unloading of the scmi_perf_domain module got the below splat, when in\nthe DT provided to the system under test the '#power-domain-cells' property\nwas missing. Indeed, this particular setup causes the probe to bail out\nearly without giving any error, which leads to the ->remove() callback gets\nto run too, but without all the expected initialized structures in place.\n\nAdd a check and bail out early on remove too.\n\n Call trace:\n scmi_perf_domain_remove+0x28/0x70 [scmi_perf_domain]\n scmi_dev_remove+0x28/0x40 [scmi_core]\n device_remove+0x54/0x90\n device_release_driver_internal+0x1dc/0x240\n driver_detach+0x58/0xa8\n bus_remove_driver+0x78/0x108\n driver_unregister+0x38/0x70\n scmi_driver_unregister+0x28/0x180 [scmi_core]\n scmi_perf_domain_driver_exit+0x18/0xb78 [scmi_perf_domain]\n __arm64_sys_delete_module+0x1a8/0x2c0\n invoke_syscall+0x50/0x128\n el0_svc_common.constprop.0+0x48/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x34/0xb8\n el0t_64_sync_handler+0x100/0x130\n el0t_64_sync+0x190/0x198\n Code: a90153f3 f9403c14 f9414800 955f8a05 (b9400a80)\n ---[ end trace 0000000000000000 ]---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2af23ceb8624",
+ "lessThan": "f6aaf131e4d4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2af23ceb8624",
+ "lessThan": "eb5555d422d0",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/f6aaf131e4d4a9a26040ecc018eb70ab8b3d355d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/eb5555d422d0fc325e1574a7353d3c616f82d8b5"
+ }
+ ],
+ "title": "pmdomain: arm: Fix NULL dereference on scmi_perf_domain removal",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26784",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26784.mbox b/cve/published/2024/CVE-2024-26784.mbox
new file mode 100644
index 00000000..c1f9fc05
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26784.mbox
@@ -0,0 +1,90 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26784: pmdomain: arm: Fix NULL dereference on scmi_perf_domain removal
+Message-Id: <2024040459-CVE-2024-26784-9e9c@gregkh>
+Content-Length: 2719
+Lines: 73
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2793;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=wOnUjCy+1M1NSTfanO7LLSz8vzH023xB7MQoVw/3gEM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yckvj03MYlNePe/Eo+hbF1vlnhUWuPfuOSv8Jpnr9
+ iQx5fMnOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiGxYyLDgvo79kpZ+twIaT
+ 1408xIP1Z7T3nWVY0HF3XteOHatZO+w2ZeicmP/6fn6hGwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+pmdomain: arm: Fix NULL dereference on scmi_perf_domain removal
+
+On unloading of the scmi_perf_domain module got the below splat, when in
+the DT provided to the system under test the '#power-domain-cells' property
+was missing. Indeed, this particular setup causes the probe to bail out
+early without giving any error, which leads to the ->remove() callback gets
+to run too, but without all the expected initialized structures in place.
+
+Add a check and bail out early on remove too.
+
+ Call trace:
+ scmi_perf_domain_remove+0x28/0x70 [scmi_perf_domain]
+ scmi_dev_remove+0x28/0x40 [scmi_core]
+ device_remove+0x54/0x90
+ device_release_driver_internal+0x1dc/0x240
+ driver_detach+0x58/0xa8
+ bus_remove_driver+0x78/0x108
+ driver_unregister+0x38/0x70
+ scmi_driver_unregister+0x28/0x180 [scmi_core]
+ scmi_perf_domain_driver_exit+0x18/0xb78 [scmi_perf_domain]
+ __arm64_sys_delete_module+0x1a8/0x2c0
+ invoke_syscall+0x50/0x128
+ el0_svc_common.constprop.0+0x48/0xf0
+ do_el0_svc+0x24/0x38
+ el0_svc+0x34/0xb8
+ el0t_64_sync_handler+0x100/0x130
+ el0t_64_sync+0x190/0x198
+ Code: a90153f3 f9403c14 f9414800 955f8a05 (b9400a80)
+ ---[ end trace 0000000000000000 ]---
+
+The Linux kernel CVE team has assigned CVE-2024-26784 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.7 with commit 2af23ceb8624 and fixed in 6.7.9 with commit f6aaf131e4d4
+ Issue introduced in 6.7 with commit 2af23ceb8624 and fixed in 6.8 with commit eb5555d422d0
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26784
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/pmdomain/arm/scmi_perf_domain.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/f6aaf131e4d4a9a26040ecc018eb70ab8b3d355d
+ https://git.kernel.org/stable/c/eb5555d422d0fc325e1574a7353d3c616f82d8b5
diff --git a/cve/published/2024/CVE-2024-26784.sha1 b/cve/published/2024/CVE-2024-26784.sha1
new file mode 100644
index 00000000..98d34685
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26784.sha1
@@ -0,0 +1 @@
+eb5555d422d0fc325e1574a7353d3c616f82d8b5
diff --git a/cve/reserved/2024/CVE-2024-26785 b/cve/published/2024/CVE-2024-26785
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26785
+++ b/cve/published/2024/CVE-2024-26785
diff --git a/cve/published/2024/CVE-2024-26785.json b/cve/published/2024/CVE-2024-26785.json
new file mode 100644
index 00000000..76113e15
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26785.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix protection fault in iommufd_test_syz_conv_iova\n\nSyzkaller reported the following bug:\n\n general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN\n KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]\n Call Trace:\n lock_acquire\n lock_acquire+0x1ce/0x4f0\n down_read+0x93/0x4a0\n iommufd_test_syz_conv_iova+0x56/0x1f0\n iommufd_test_access_rw.isra.0+0x2ec/0x390\n iommufd_test+0x1058/0x1e30\n iommufd_fops_ioctl+0x381/0x510\n vfs_ioctl\n __do_sys_ioctl\n __se_sys_ioctl\n __x64_sys_ioctl+0x170/0x1e0\n do_syscall_x64\n do_syscall_64+0x71/0x140\n\nThis is because the new iommufd_access_change_ioas() sets access->ioas to\nNULL during its process, so the lock might be gone in a concurrent racing\ncontext.\n\nFix this by doing the same access->ioas sanity as iommufd_access_rw() and\niommufd_access_pin_pages() functions do."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "9227da7816dd",
+ "lessThan": "fc719ecbca45",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9227da7816dd",
+ "lessThan": "cf7c2789822d",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.6",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/fc719ecbca45c9c046640d72baddba3d83e0bc0b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cf7c2789822db8b5efa34f5ebcf1621bc0008d48"
+ }
+ ],
+ "title": "iommufd: Fix protection fault in iommufd_test_syz_conv_iova",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26785",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26785.mbox b/cve/published/2024/CVE-2024-26785.mbox
new file mode 100644
index 00000000..7c72ce53
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26785.mbox
@@ -0,0 +1,88 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26785: iommufd: Fix protection fault in iommufd_test_syz_conv_iova
+Message-Id: <2024040459-CVE-2024-26785-857d@gregkh>
+Content-Length: 2457
+Lines: 71
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2529;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=4naI0LgSv30+gTPJU/DPYCdc7ehYrpzxOoSR8bPs+W0=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yckhUVNtNv+4ZlPoc4uFpbNLQLf3zdwd4m+fXM8QD
+ jrvoL+kI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACZi/YJhwdTil8ej/3rv/aWU
+ Pf80K4vy1dz0jwwLNs57F3p2ZUn/i9RExs0P2CS683cwAgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+iommufd: Fix protection fault in iommufd_test_syz_conv_iova
+
+Syzkaller reported the following bug:
+
+ general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN
+ KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]
+ Call Trace:
+ lock_acquire
+ lock_acquire+0x1ce/0x4f0
+ down_read+0x93/0x4a0
+ iommufd_test_syz_conv_iova+0x56/0x1f0
+ iommufd_test_access_rw.isra.0+0x2ec/0x390
+ iommufd_test+0x1058/0x1e30
+ iommufd_fops_ioctl+0x381/0x510
+ vfs_ioctl
+ __do_sys_ioctl
+ __se_sys_ioctl
+ __x64_sys_ioctl+0x170/0x1e0
+ do_syscall_x64
+ do_syscall_64+0x71/0x140
+
+This is because the new iommufd_access_change_ioas() sets access->ioas to
+NULL during its process, so the lock might be gone in a concurrent racing
+context.
+
+Fix this by doing the same access->ioas sanity as iommufd_access_rw() and
+iommufd_access_pin_pages() functions do.
+
+The Linux kernel CVE team has assigned CVE-2024-26785 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.6 with commit 9227da7816dd and fixed in 6.7.9 with commit fc719ecbca45
+ Issue introduced in 6.6 with commit 9227da7816dd and fixed in 6.8 with commit cf7c2789822d
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26785
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/iommu/iommufd/selftest.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/fc719ecbca45c9c046640d72baddba3d83e0bc0b
+ https://git.kernel.org/stable/c/cf7c2789822db8b5efa34f5ebcf1621bc0008d48
diff --git a/cve/published/2024/CVE-2024-26785.sha1 b/cve/published/2024/CVE-2024-26785.sha1
new file mode 100644
index 00000000..8e01b4fe
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26785.sha1
@@ -0,0 +1 @@
+cf7c2789822db8b5efa34f5ebcf1621bc0008d48
diff --git a/cve/reserved/2024/CVE-2024-26786 b/cve/published/2024/CVE-2024-26786
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26786
+++ b/cve/published/2024/CVE-2024-26786
diff --git a/cve/published/2024/CVE-2024-26786.json b/cve/published/2024/CVE-2024-26786.json
new file mode 100644
index 00000000..c307e5b7
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26786.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix iopt_access_list_id overwrite bug\n\nSyzkaller reported the following WARN_ON:\n WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360\n\n Call Trace:\n iommufd_access_change_ioas+0x2fe/0x4e0\n iommufd_access_destroy_object+0x50/0xb0\n iommufd_object_remove+0x2a3/0x490\n iommufd_object_destroy_user\n iommufd_access_destroy+0x71/0xb0\n iommufd_test_staccess_release+0x89/0xd0\n __fput+0x272/0xb50\n __fput_sync+0x4b/0x60\n __do_sys_close\n __se_sys_close\n __x64_sys_close+0x8b/0x110\n do_syscall_x64\n\nThe mismatch between the access pointer in the list and the passed-in\npointer is resulting from an overwrite of access->iopt_access_list_id, in\niopt_add_access(). Called from iommufd_access_change_ioas() when\nxa_alloc() succeeds but iopt_calculate_iova_alignment() fails.\n\nAdd a new_id in iopt_add_access() and only update iopt_access_list_id when\nreturning successfully."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "9227da7816dd",
+ "lessThan": "f1fb745ee0a6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9227da7816dd",
+ "lessThan": "9526a46cc0c3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9227da7816dd",
+ "lessThan": "aeb004c0cd69",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.6",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9526a46cc0c378d381560279bea9aa34c84298a0"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/aeb004c0cd6958e910123a1607634401009c9539"
+ }
+ ],
+ "title": "iommufd: Fix iopt_access_list_id overwrite bug",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26786",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26786.mbox b/cve/published/2024/CVE-2024-26786.mbox
new file mode 100644
index 00000000..1af540fe
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26786.mbox
@@ -0,0 +1,89 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26786: iommufd: Fix iopt_access_list_id overwrite bug
+Message-Id: <2024040459-CVE-2024-26786-802f@gregkh>
+Content-Length: 2636
+Lines: 72
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2709;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=iWIsrOxJR3cXePC8Sf3n5gDOJRlCWlE8XRBZ6RsP/GY=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8ycmtVWfESwvP8KfmBJ37wHb38fafWyQr1RZ4rOHOu
+ nrwlplmRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzksx/Dgu5Sc8W2J3fttC/I
+ vJ6rxnTkxjc7eYZ5qr1Ppmr1xDTe/KhYdkrx0vH8P/HeAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+iommufd: Fix iopt_access_list_id overwrite bug
+
+Syzkaller reported the following WARN_ON:
+ WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360
+
+ Call Trace:
+ iommufd_access_change_ioas+0x2fe/0x4e0
+ iommufd_access_destroy_object+0x50/0xb0
+ iommufd_object_remove+0x2a3/0x490
+ iommufd_object_destroy_user
+ iommufd_access_destroy+0x71/0xb0
+ iommufd_test_staccess_release+0x89/0xd0
+ __fput+0x272/0xb50
+ __fput_sync+0x4b/0x60
+ __do_sys_close
+ __se_sys_close
+ __x64_sys_close+0x8b/0x110
+ do_syscall_x64
+
+The mismatch between the access pointer in the list and the passed-in
+pointer is resulting from an overwrite of access->iopt_access_list_id, in
+iopt_add_access(). Called from iommufd_access_change_ioas() when
+xa_alloc() succeeds but iopt_calculate_iova_alignment() fails.
+
+Add a new_id in iopt_add_access() and only update iopt_access_list_id when
+returning successfully.
+
+The Linux kernel CVE team has assigned CVE-2024-26786 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.6 with commit 9227da7816dd and fixed in 6.6.21 with commit f1fb745ee0a6
+ Issue introduced in 6.6 with commit 9227da7816dd and fixed in 6.7.9 with commit 9526a46cc0c3
+ Issue introduced in 6.6 with commit 9227da7816dd and fixed in 6.8 with commit aeb004c0cd69
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26786
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/iommu/iommufd/io_pagetable.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9
+ https://git.kernel.org/stable/c/9526a46cc0c378d381560279bea9aa34c84298a0
+ https://git.kernel.org/stable/c/aeb004c0cd6958e910123a1607634401009c9539
diff --git a/cve/published/2024/CVE-2024-26786.sha1 b/cve/published/2024/CVE-2024-26786.sha1
new file mode 100644
index 00000000..4ba6faad
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26786.sha1
@@ -0,0 +1 @@
+aeb004c0cd6958e910123a1607634401009c9539
diff --git a/cve/reserved/2024/CVE-2024-26787 b/cve/published/2024/CVE-2024-26787
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26787
+++ b/cve/published/2024/CVE-2024-26787
diff --git a/cve/published/2024/CVE-2024-26787.json b/cve/published/2024/CVE-2024-26787.json
new file mode 100644
index 00000000..81bc5b21
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26787.json
@@ -0,0 +1,148 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmci: stm32: fix DMA API overlapping mappings warning\n\nTurning on CONFIG_DMA_API_DEBUG_SG results in the following warning:\n\nDMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,\noverlapping mappings aren't supported\nWARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568\nadd_dma_entry+0x234/0x2f4\nModules linked in:\nCPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1\nHardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)\nWorkqueue: events_freezable mmc_rescan\nCall trace:\nadd_dma_entry+0x234/0x2f4\ndebug_dma_map_sg+0x198/0x350\n__dma_map_sg_attrs+0xa0/0x110\ndma_map_sg_attrs+0x10/0x2c\nsdmmc_idma_prep_data+0x80/0xc0\nmmci_prep_data+0x38/0x84\nmmci_start_data+0x108/0x2dc\nmmci_request+0xe4/0x190\n__mmc_start_request+0x68/0x140\nmmc_start_request+0x94/0xc0\nmmc_wait_for_req+0x70/0x100\nmmc_send_tuning+0x108/0x1ac\nsdmmc_execute_tuning+0x14c/0x210\nmmc_execute_tuning+0x48/0xec\nmmc_sd_init_uhs_card.part.0+0x208/0x464\nmmc_sd_init_card+0x318/0x89c\nmmc_attach_sd+0xe4/0x180\nmmc_rescan+0x244/0x320\n\nDMA API debug brings to light leaking dma-mappings as dma_map_sg and\ndma_unmap_sg are not correctly balanced.\n\nIf an error occurs in mmci_cmd_irq function, only mmci_dma_error\nfunction is called and as this API is not managed on stm32 variant,\ndma_unmap_sg is never called in this error path."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "46b723dd867d",
+ "lessThan": "0224cbc53ba8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "46b723dd867d",
+ "lessThan": "5ae5060e17a3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "46b723dd867d",
+ "lessThan": "70af82bb9c89",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "46b723dd867d",
+ "lessThan": "176e66269f0d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "46b723dd867d",
+ "lessThan": "d610a3072259",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "46b723dd867d",
+ "lessThan": "6b1ba3f9040b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.20",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.20",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.213",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.152",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/0224cbc53ba82b84affa7619b6d1b1a254bc2c53"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5ae5060e17a3fc38e54c3e5bd8abd6b1d5bfae7c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/70af82bb9c897faa25a44e4181f36c60312b71ef"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/176e66269f0de327375fc0ea51c12c2f5a97e4c4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d610a307225951929b9dff807788439454476f85"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6b1ba3f9040be5efc4396d86c9752cdc564730be"
+ }
+ ],
+ "title": "mmc: mmci: stm32: fix DMA API overlapping mappings warning",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26787",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26787.mbox b/cve/published/2024/CVE-2024-26787.mbox
new file mode 100644
index 00000000..535f68e0
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26787.mbox
@@ -0,0 +1,107 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26787: mmc: mmci: stm32: fix DMA API overlapping mappings warning
+Message-Id: <2024040459-CVE-2024-26787-48c0@gregkh>
+Content-Length: 3548
+Lines: 90
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3639;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=K9y2AQgrrgz3p5DJ8n849eLL1qPCIywutx+0o/07m/A=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8ycncWanSRjraG0ptf9hKLePUMfuTsESq8n5bns/9j
+ 4+u+0zqiGVhEGRikBVTZPmyjefo/opDil6Gtqdh5rAygQxh4OIUgIns/cYwV0a9ylh4VpOKs0nr
+ 47g5oU+X5K+IY1hw9fTuAxZsuhY+C5JuebXELtntK78WAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+mmc: mmci: stm32: fix DMA API overlapping mappings warning
+
+Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning:
+
+DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,
+overlapping mappings aren't supported
+WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568
+add_dma_entry+0x234/0x2f4
+Modules linked in:
+CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1
+Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)
+Workqueue: events_freezable mmc_rescan
+Call trace:
+add_dma_entry+0x234/0x2f4
+debug_dma_map_sg+0x198/0x350
+__dma_map_sg_attrs+0xa0/0x110
+dma_map_sg_attrs+0x10/0x2c
+sdmmc_idma_prep_data+0x80/0xc0
+mmci_prep_data+0x38/0x84
+mmci_start_data+0x108/0x2dc
+mmci_request+0xe4/0x190
+__mmc_start_request+0x68/0x140
+mmc_start_request+0x94/0xc0
+mmc_wait_for_req+0x70/0x100
+mmc_send_tuning+0x108/0x1ac
+sdmmc_execute_tuning+0x14c/0x210
+mmc_execute_tuning+0x48/0xec
+mmc_sd_init_uhs_card.part.0+0x208/0x464
+mmc_sd_init_card+0x318/0x89c
+mmc_attach_sd+0xe4/0x180
+mmc_rescan+0x244/0x320
+
+DMA API debug brings to light leaking dma-mappings as dma_map_sg and
+dma_unmap_sg are not correctly balanced.
+
+If an error occurs in mmci_cmd_irq function, only mmci_dma_error
+function is called and as this API is not managed on stm32 variant,
+dma_unmap_sg is never called in this error path.
+
+The Linux kernel CVE team has assigned CVE-2024-26787 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.20 with commit 46b723dd867d and fixed in 5.10.213 with commit 0224cbc53ba8
+ Issue introduced in 4.20 with commit 46b723dd867d and fixed in 5.15.152 with commit 5ae5060e17a3
+ Issue introduced in 4.20 with commit 46b723dd867d and fixed in 6.1.81 with commit 70af82bb9c89
+ Issue introduced in 4.20 with commit 46b723dd867d and fixed in 6.6.21 with commit 176e66269f0d
+ Issue introduced in 4.20 with commit 46b723dd867d and fixed in 6.7.9 with commit d610a3072259
+ Issue introduced in 4.20 with commit 46b723dd867d and fixed in 6.8 with commit 6b1ba3f9040b
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26787
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/mmc/host/mmci_stm32_sdmmc.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/0224cbc53ba82b84affa7619b6d1b1a254bc2c53
+ https://git.kernel.org/stable/c/5ae5060e17a3fc38e54c3e5bd8abd6b1d5bfae7c
+ https://git.kernel.org/stable/c/70af82bb9c897faa25a44e4181f36c60312b71ef
+ https://git.kernel.org/stable/c/176e66269f0de327375fc0ea51c12c2f5a97e4c4
+ https://git.kernel.org/stable/c/d610a307225951929b9dff807788439454476f85
+ https://git.kernel.org/stable/c/6b1ba3f9040be5efc4396d86c9752cdc564730be
diff --git a/cve/published/2024/CVE-2024-26787.sha1 b/cve/published/2024/CVE-2024-26787.sha1
new file mode 100644
index 00000000..0c15b848
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26787.sha1
@@ -0,0 +1 @@
+6b1ba3f9040be5efc4396d86c9752cdc564730be
diff --git a/cve/reserved/2024/CVE-2024-26788 b/cve/published/2024/CVE-2024-26788
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26788
+++ b/cve/published/2024/CVE-2024-26788
diff --git a/cve/published/2024/CVE-2024-26788.json b/cve/published/2024/CVE-2024-26788.json
new file mode 100644
index 00000000..64f33a0e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26788.json
@@ -0,0 +1,163 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: init irq after reg initialization\n\nInitialize the qDMA irqs after the registers are configured so that\ninterrupts that may have been pending from a primary kernel don't get\nprocessed by the irq handler before it is ready to and cause panic with\nthe following trace:\n\n Call trace:\n fsl_qdma_queue_handler+0xf8/0x3e8\n __handle_irq_event_percpu+0x78/0x2b0\n handle_irq_event_percpu+0x1c/0x68\n handle_irq_event+0x44/0x78\n handle_fasteoi_irq+0xc8/0x178\n generic_handle_irq+0x24/0x38\n __handle_domain_irq+0x90/0x100\n gic_handle_irq+0x5c/0xb8\n el1_irq+0xb8/0x180\n _raw_spin_unlock_irqrestore+0x14/0x40\n __setup_irq+0x4bc/0x798\n request_threaded_irq+0xd8/0x190\n devm_request_threaded_irq+0x74/0xe8\n fsl_qdma_probe+0x4d4/0xca8\n platform_drv_probe+0x50/0xa0\n really_probe+0xe0/0x3f8\n driver_probe_device+0x64/0x130\n device_driver_attach+0x6c/0x78\n __driver_attach+0xbc/0x158\n bus_for_each_dev+0x5c/0x98\n driver_attach+0x20/0x28\n bus_add_driver+0x158/0x220\n driver_register+0x60/0x110\n __platform_driver_register+0x44/0x50\n fsl_qdma_driver_init+0x18/0x20\n do_one_initcall+0x48/0x258\n kernel_init_freeable+0x1a4/0x23c\n kernel_init+0x10/0xf8\n ret_from_fork+0x10/0x18"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "3cc5fb824c21",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "9579a21e99fe",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "4529c084a320",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "474d521da890",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "a69c8bbb9469",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "677102a93064",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "87a39071e0b6",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.1",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.1",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.271",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.212",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/3cc5fb824c2125aa3740d905b3e5b378c8a09478"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9579a21e99fe8dab22a253050ddff28d340d74e1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4529c084a320be78ff2c5e64297ae998c6fdf66b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/474d521da890b3e3585335fb80a6044cb2553d99"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a69c8bbb946936ac4eb6a6ae1e849435aa8d947d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/677102a930643c31f1b4c512b041407058bdfef8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/87a39071e0b639f45e05d296cc0538eef44ec0bd"
+ }
+ ],
+ "title": "dmaengine: fsl-qdma: init irq after reg initialization",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26788",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26788.mbox b/cve/published/2024/CVE-2024-26788.mbox
new file mode 100644
index 00000000..13f1b2ae
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26788.mbox
@@ -0,0 +1,108 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26788: dmaengine: fsl-qdma: init irq after reg initialization
+Message-Id: <2024040400-CVE-2024-26788-1f84@gregkh>
+Content-Length: 3622
+Lines: 91
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3714;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=1wir85CKj42NU8Om0+gJQ5y53lRBWrb0pX2uscN5m6Y=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8ySka1g78Z9RsQx8s6I0R57nxfPqeakfvkGzhX6eYH
+ FQz/nl1xLIwCDIxyIopsnzZxnN0f8UhRS9D29Mwc1iZQIYwcHEKwERqSxjmB394xLM0zEalNEZY
+ Ki0w9aZrclIEwzyNI0p77ztPv379geVqpqaABWIS+RMA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+dmaengine: fsl-qdma: init irq after reg initialization
+
+Initialize the qDMA irqs after the registers are configured so that
+interrupts that may have been pending from a primary kernel don't get
+processed by the irq handler before it is ready to and cause panic with
+the following trace:
+
+ Call trace:
+ fsl_qdma_queue_handler+0xf8/0x3e8
+ __handle_irq_event_percpu+0x78/0x2b0
+ handle_irq_event_percpu+0x1c/0x68
+ handle_irq_event+0x44/0x78
+ handle_fasteoi_irq+0xc8/0x178
+ generic_handle_irq+0x24/0x38
+ __handle_domain_irq+0x90/0x100
+ gic_handle_irq+0x5c/0xb8
+ el1_irq+0xb8/0x180
+ _raw_spin_unlock_irqrestore+0x14/0x40
+ __setup_irq+0x4bc/0x798
+ request_threaded_irq+0xd8/0x190
+ devm_request_threaded_irq+0x74/0xe8
+ fsl_qdma_probe+0x4d4/0xca8
+ platform_drv_probe+0x50/0xa0
+ really_probe+0xe0/0x3f8
+ driver_probe_device+0x64/0x130
+ device_driver_attach+0x6c/0x78
+ __driver_attach+0xbc/0x158
+ bus_for_each_dev+0x5c/0x98
+ driver_attach+0x20/0x28
+ bus_add_driver+0x158/0x220
+ driver_register+0x60/0x110
+ __platform_driver_register+0x44/0x50
+ fsl_qdma_driver_init+0x18/0x20
+ do_one_initcall+0x48/0x258
+ kernel_init_freeable+0x1a4/0x23c
+ kernel_init+0x10/0xf8
+ ret_from_fork+0x10/0x18
+
+The Linux kernel CVE team has assigned CVE-2024-26788 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 5.4.271 with commit 3cc5fb824c21
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 5.10.212 with commit 9579a21e99fe
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 5.15.151 with commit 4529c084a320
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 6.1.81 with commit 474d521da890
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 6.6.21 with commit a69c8bbb9469
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 6.7.9 with commit 677102a93064
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 6.8 with commit 87a39071e0b6
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26788
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/dma/fsl-qdma.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/3cc5fb824c2125aa3740d905b3e5b378c8a09478
+ https://git.kernel.org/stable/c/9579a21e99fe8dab22a253050ddff28d340d74e1
+ https://git.kernel.org/stable/c/4529c084a320be78ff2c5e64297ae998c6fdf66b
+ https://git.kernel.org/stable/c/474d521da890b3e3585335fb80a6044cb2553d99
+ https://git.kernel.org/stable/c/a69c8bbb946936ac4eb6a6ae1e849435aa8d947d
+ https://git.kernel.org/stable/c/677102a930643c31f1b4c512b041407058bdfef8
+ https://git.kernel.org/stable/c/87a39071e0b639f45e05d296cc0538eef44ec0bd
diff --git a/cve/published/2024/CVE-2024-26788.sha1 b/cve/published/2024/CVE-2024-26788.sha1
new file mode 100644
index 00000000..edc86636
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26788.sha1
@@ -0,0 +1 @@
+87a39071e0b639f45e05d296cc0538eef44ec0bd
diff --git a/cve/reserved/2024/CVE-2024-26789 b/cve/published/2024/CVE-2024-26789
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26789
+++ b/cve/published/2024/CVE-2024-26789
diff --git a/cve/published/2024/CVE-2024-26789.json b/cve/published/2024/CVE-2024-26789.json
new file mode 100644
index 00000000..45bd72eb
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26789.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: arm64/neonbs - fix out-of-bounds access on short input\n\nThe bit-sliced implementation of AES-CTR operates on blocks of 128\nbytes, and will fall back to the plain NEON version for tail blocks or\ninputs that are shorter than 128 bytes to begin with.\n\nIt will call straight into the plain NEON asm helper, which performs all\nmemory accesses in granules of 16 bytes (the size of a NEON register).\nFor this reason, the associated plain NEON glue code will copy inputs\nshorter than 16 bytes into a temporary buffer, given that this is a rare\noccurrence and it is not worth the effort to work around this in the asm\ncode.\n\nThe fallback from the bit-sliced NEON version fails to take this into\naccount, potentially resulting in out-of-bounds accesses. So clone the\nsame workaround, and use a temp buffer for short in/outputs."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "fc074e130051",
+ "lessThan": "034e2d70b5c7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fc074e130051",
+ "lessThan": "1291d278b557",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fc074e130051",
+ "lessThan": "9e8ecd4908b5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fc074e130051",
+ "lessThan": "1c0cf6d19690",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.18",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.18",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/034e2d70b5c7f578200ad09955aeb2aa65d1164a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1291d278b5574819a7266568ce4c28bce9438705"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9e8ecd4908b53941ab6f0f51584ab80c6c6606c4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1c0cf6d19690141002889d72622b90fc01562ce4"
+ }
+ ],
+ "title": "crypto: arm64/neonbs - fix out-of-bounds access on short input",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26789",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26789.mbox b/cve/published/2024/CVE-2024-26789.mbox
new file mode 100644
index 00000000..3e4d1bc7
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26789.mbox
@@ -0,0 +1,81 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26789: crypto: arm64/neonbs - fix out-of-bounds access on short input
+Message-Id: <2024040400-CVE-2024-26789-1744@gregkh>
+Content-Length: 2720
+Lines: 64
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2785;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Km1wBT0xbZFHbSIfEQ7f72278Ntgv/w0D/n0i7TcFwM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8ySkHF2Tc6VskdzRPU9nmrcztep7+8wvnqbu0aZ3av
+ yz5i9OKjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZiIzAaGBQdeM+5rWLSN5fOj
+ rb+3rbczOdEizccwz3yrVOrb97xTLkW/XHTttUyKw4WVvwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+crypto: arm64/neonbs - fix out-of-bounds access on short input
+
+The bit-sliced implementation of AES-CTR operates on blocks of 128
+bytes, and will fall back to the plain NEON version for tail blocks or
+inputs that are shorter than 128 bytes to begin with.
+
+It will call straight into the plain NEON asm helper, which performs all
+memory accesses in granules of 16 bytes (the size of a NEON register).
+For this reason, the associated plain NEON glue code will copy inputs
+shorter than 16 bytes into a temporary buffer, given that this is a rare
+occurrence and it is not worth the effort to work around this in the asm
+code.
+
+The fallback from the bit-sliced NEON version fails to take this into
+account, potentially resulting in out-of-bounds accesses. So clone the
+same workaround, and use a temp buffer for short in/outputs.
+
+The Linux kernel CVE team has assigned CVE-2024-26789 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.18 with commit fc074e130051 and fixed in 6.1.81 with commit 034e2d70b5c7
+ Issue introduced in 5.18 with commit fc074e130051 and fixed in 6.6.21 with commit 1291d278b557
+ Issue introduced in 5.18 with commit fc074e130051 and fixed in 6.7.9 with commit 9e8ecd4908b5
+ Issue introduced in 5.18 with commit fc074e130051 and fixed in 6.8 with commit 1c0cf6d19690
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26789
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/arm64/crypto/aes-neonbs-glue.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/034e2d70b5c7f578200ad09955aeb2aa65d1164a
+ https://git.kernel.org/stable/c/1291d278b5574819a7266568ce4c28bce9438705
+ https://git.kernel.org/stable/c/9e8ecd4908b53941ab6f0f51584ab80c6c6606c4
+ https://git.kernel.org/stable/c/1c0cf6d19690141002889d72622b90fc01562ce4
diff --git a/cve/published/2024/CVE-2024-26789.sha1 b/cve/published/2024/CVE-2024-26789.sha1
new file mode 100644
index 00000000..a76b3826
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26789.sha1
@@ -0,0 +1 @@
+1c0cf6d19690141002889d72622b90fc01562ce4
diff --git a/cve/reserved/2024/CVE-2024-26790 b/cve/published/2024/CVE-2024-26790
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26790
+++ b/cve/published/2024/CVE-2024-26790
diff --git a/cve/published/2024/CVE-2024-26790.json b/cve/published/2024/CVE-2024-26790.json
new file mode 100644
index 00000000..1da57b72
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26790.json
@@ -0,0 +1,163 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read\n\nThere is chip (ls1028a) errata:\n\nThe SoC may hang on 16 byte unaligned read transactions by QDMA.\n\nUnaligned read transactions initiated by QDMA may stall in the NOC\n(Network On-Chip), causing a deadlock condition. Stalled transactions will\ntrigger completion timeouts in PCIe controller.\n\nWorkaround:\nEnable prefetch by setting the source descriptor prefetchable bit\n( SD[PF] = 1 ).\n\nImplement this workaround."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "518d78b4fac6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "bb3a06e9b9a3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "106c1ac953a6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "237ecf1afe6c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "5b696e9c3882",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "ad2f8920c314",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b092529e0aa0",
+ "lessThan": "9d739bccf261",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.1",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.1",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.271",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.212",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/518d78b4fac68cac29a263554d7f3b19da99d0da"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bb3a06e9b9a30e33d96aadc0e077be095a4f8580"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/106c1ac953a66556ec77456c46e818208d3a9bce"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/237ecf1afe6c22534fa43abdf2bf0b0f52de0aaa"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5b696e9c388251f1c7373be92293769a489fd367"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ad2f8920c314e0a2d9e984fc94b729eca3cda471"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9d739bccf261dd93ec1babf82f5c5d71dd4caa3e"
+ }
+ ],
+ "title": "dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26790",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26790.mbox b/cve/published/2024/CVE-2024-26790.mbox
new file mode 100644
index 00000000..f4beb95a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26790.mbox
@@ -0,0 +1,86 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26790: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read
+Message-Id: <2024040400-CVE-2024-26790-a4a4@gregkh>
+Content-Length: 2866
+Lines: 69
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2936;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=dwmXzP4caYgPYBOPA/2BocfhtOlgG0wFuiY8aQfN44I=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8ySnNLt43VGpK3x/ra3520O0byz/Oh/mfb6b8iLU/q
+ aF0U0GiI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACZycxfDgguPp1aXaTYzSuy0
+ 8S8+KvFZQfEeUPTSuoK9oexxHqsNvlxctGVbRULw5XAA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read
+
+There is chip (ls1028a) errata:
+
+The SoC may hang on 16 byte unaligned read transactions by QDMA.
+
+Unaligned read transactions initiated by QDMA may stall in the NOC
+(Network On-Chip), causing a deadlock condition. Stalled transactions will
+trigger completion timeouts in PCIe controller.
+
+Workaround:
+Enable prefetch by setting the source descriptor prefetchable bit
+( SD[PF] = 1 ).
+
+Implement this workaround.
+
+The Linux kernel CVE team has assigned CVE-2024-26790 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 5.4.271 with commit 518d78b4fac6
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 5.10.212 with commit bb3a06e9b9a3
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 5.15.151 with commit 106c1ac953a6
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 6.1.81 with commit 237ecf1afe6c
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 6.6.21 with commit 5b696e9c3882
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 6.7.9 with commit ad2f8920c314
+ Issue introduced in 5.1 with commit b092529e0aa0 and fixed in 6.8 with commit 9d739bccf261
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26790
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/dma/fsl-qdma.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/518d78b4fac68cac29a263554d7f3b19da99d0da
+ https://git.kernel.org/stable/c/bb3a06e9b9a30e33d96aadc0e077be095a4f8580
+ https://git.kernel.org/stable/c/106c1ac953a66556ec77456c46e818208d3a9bce
+ https://git.kernel.org/stable/c/237ecf1afe6c22534fa43abdf2bf0b0f52de0aaa
+ https://git.kernel.org/stable/c/5b696e9c388251f1c7373be92293769a489fd367
+ https://git.kernel.org/stable/c/ad2f8920c314e0a2d9e984fc94b729eca3cda471
+ https://git.kernel.org/stable/c/9d739bccf261dd93ec1babf82f5c5d71dd4caa3e
diff --git a/cve/published/2024/CVE-2024-26790.sha1 b/cve/published/2024/CVE-2024-26790.sha1
new file mode 100644
index 00000000..713066e6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26790.sha1
@@ -0,0 +1 @@
+9d739bccf261dd93ec1babf82f5c5d71dd4caa3e
diff --git a/cve/reserved/2024/CVE-2024-26791 b/cve/published/2024/CVE-2024-26791
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26791
+++ b/cve/published/2024/CVE-2024-26791
diff --git a/cve/published/2024/CVE-2024-26791.json b/cve/published/2024/CVE-2024-26791.json
new file mode 100644
index 00000000..3d8083b5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26791.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: dev-replace: properly validate device names\n\nThere's a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\n\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\n\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links)."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "11d7a2e429c0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "c6652e20d7d7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "2886fe308a83",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "ab2d68655d0f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f590040ce2b7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b1690ced4d2d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "343eecb4ff49",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "9845664b9ee4",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19.309",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.271",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.212",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/11d7a2e429c02d51e2dc90713823ea8b8d3d3a84"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c6652e20d7d783d060fe5f987eac7b5cabe31311"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2886fe308a83968dde252302884a1e63351cf16d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ab2d68655d0f04650bef09fee948ff80597c5fb9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f590040ce2b712177306b03c2a63b16f7d48d3c8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b1690ced4d2d8b28868811fb81cd33eee5aefee1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/343eecb4ff49a7b1cc1dfe86958a805cf2341cfb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9845664b9ee47ce7ee7ea93caf47d39a9d4552c4"
+ }
+ ],
+ "title": "btrfs: dev-replace: properly validate device names",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26791",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26791.mbox b/cve/published/2024/CVE-2024-26791.mbox
new file mode 100644
index 00000000..234e79a2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26791.mbox
@@ -0,0 +1,85 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26791: btrfs: dev-replace: properly validate device names
+Message-Id: <2024040400-CVE-2024-26791-1002@gregkh>
+Content-Length: 2642
+Lines: 68
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2711;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=+4xOjUXXc2eOjqqsimmurEDFLF37mMgUEfMMGJszQ1Y=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yam/HP/fqzNP+rPFZWLSv0XMlWdXeM9KvNqS1bk5O
+ rjcJIW5I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACbyVJJhvmPXwY0yK1qYQhZG
+ bzyQVjJLWek+H8P8+i4XGdPp4a+z7G2eCIu3X56iJ2AJAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+btrfs: dev-replace: properly validate device names
+
+There's a syzbot report that device name buffers passed to device
+replace are not properly checked for string termination which could lead
+to a read out of bounds in getname_kernel().
+
+Add a helper that validates both source and target device name buffers.
+For devid as the source initialize the buffer to empty string in case
+something tries to read it later.
+
+This was originally analyzed and fixed in a different way by Edward Adam
+Davis (see links).
+
+The Linux kernel CVE team has assigned CVE-2024-26791 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.19.309 with commit 11d7a2e429c0
+ Fixed in 5.4.271 with commit c6652e20d7d7
+ Fixed in 5.10.212 with commit 2886fe308a83
+ Fixed in 5.15.151 with commit ab2d68655d0f
+ Fixed in 6.1.81 with commit f590040ce2b7
+ Fixed in 6.6.21 with commit b1690ced4d2d
+ Fixed in 6.7.9 with commit 343eecb4ff49
+ Fixed in 6.8 with commit 9845664b9ee4
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26791
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/btrfs/dev-replace.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/11d7a2e429c02d51e2dc90713823ea8b8d3d3a84
+ https://git.kernel.org/stable/c/c6652e20d7d783d060fe5f987eac7b5cabe31311
+ https://git.kernel.org/stable/c/2886fe308a83968dde252302884a1e63351cf16d
+ https://git.kernel.org/stable/c/ab2d68655d0f04650bef09fee948ff80597c5fb9
+ https://git.kernel.org/stable/c/f590040ce2b712177306b03c2a63b16f7d48d3c8
+ https://git.kernel.org/stable/c/b1690ced4d2d8b28868811fb81cd33eee5aefee1
+ https://git.kernel.org/stable/c/343eecb4ff49a7b1cc1dfe86958a805cf2341cfb
+ https://git.kernel.org/stable/c/9845664b9ee47ce7ee7ea93caf47d39a9d4552c4
diff --git a/cve/published/2024/CVE-2024-26791.sha1 b/cve/published/2024/CVE-2024-26791.sha1
new file mode 100644
index 00000000..2196e20d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26791.sha1
@@ -0,0 +1 @@
+9845664b9ee47ce7ee7ea93caf47d39a9d4552c4
diff --git a/cve/reserved/2024/CVE-2024-26792 b/cve/published/2024/CVE-2024-26792
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26792
+++ b/cve/published/2024/CVE-2024-26792
diff --git a/cve/published/2024/CVE-2024-26792.json b/cve/published/2024/CVE-2024-26792.json
new file mode 100644
index 00000000..f2132d4d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26792.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free of anonymous device after snapshot creation failure\n\nWhen creating a snapshot we may do a double free of an anonymous device\nin case there's an error committing the transaction. The second free may\nresult in freeing an anonymous device number that was allocated by some\nother subsystem in the kernel or another btrfs filesystem.\n\nThe steps that lead to this:\n\n1) At ioctl.c:create_snapshot() we allocate an anonymous device number\n and assign it to pending_snapshot->anon_dev;\n\n2) Then we call btrfs_commit_transaction() and end up at\n transaction.c:create_pending_snapshot();\n\n3) There we call btrfs_get_new_fs_root() and pass it the anonymous device\n number stored in pending_snapshot->anon_dev;\n\n4) btrfs_get_new_fs_root() frees that anonymous device number because\n btrfs_lookup_fs_root() returned a root - someone else did a lookup\n of the new root already, which could some task doing backref walking;\n\n5) After that some error happens in the transaction commit path, and at\n ioctl.c:create_snapshot() we jump to the 'fail' label, and after\n that we free again the same anonymous device number, which in the\n meanwhile may have been reallocated somewhere else, because\n pending_snapshot->anon_dev still has the same value as in step 1.\n\nRecently syzbot ran into this and reported the following trace:\n\n ------------[ cut here ]------------\n ida_free called for id=51 which is not allocated.\n WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525\n Modules linked in:\n CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\n RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525\n Code: 10 42 80 3c 28 (...)\n RSP: 0018:ffffc90015a67300 EFLAGS: 00010246\n RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 
0000000000040000\n RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000\n RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4\n R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246\n R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246\n FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0\n Call Trace:\n <TASK>\n btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346\n create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837\n create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931\n btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404\n create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848\n btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998\n btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044\n __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306\n btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393\n btrfs_ioctl+0xa74/0xd40\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:871 [inline]\n __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n RIP: 0033:0x7fca3e67dda9\n Code: 28 00 00 00 (...)\n RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9\n RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003\n RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658\n </TASK>\n\nWhere we get an explicit message where we attempt to free an anonymous\ndevice number that is not currently allocated. 
It happens in a different\ncode path from the example below, at btrfs_get_root_ref(), so this change\nmay not fix the case triggered by sy\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "66b317a2fc45",
+ "lessThan": "c34adc20b91a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "833775656d44",
+ "lessThan": "eb3441093aad",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5a172344bfda",
+ "lessThan": "c8ab7521665b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.1.79",
+ "lessThan": "6.1.81",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThan": "6.6.21",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThan": "6.7.9",
+ "status": "affected",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/c34adc20b91a8e55e048b18d63f4f4ae003ecf8f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/eb3441093aad251418921246fc3b224fd1575701"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c8ab7521665bd0f8bc4a900244d1d5a7095cc3b9"
+ }
+ ],
+ "title": "btrfs: fix double free of anonymous device after snapshot creation failure",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26792",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
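Review bot: The CVE-2024-26792 record is internally inconsistent with the mbox and sha1 files added alongside it: the mainline fix e2b54eaf28df0c978626c9736b94f003b523b451 is the commit in CVE-2024-26792.sha1 and in the mbox's mitigation list, yet the JSON `references` array (the three entries above `"title"`) omits it and `affected` carries no `"version": "6.8"` / `"versionType": "original_commit_for_fix"` entry as the sibling CVE-2024-26791 and CVE-2024-26793 records do. The mbox for the same CVE also lists "Issue introduced in 5.10.210 with commit 3f5d47eb163b" and "Issue introduced in 5.15.149 with commit e31546b0f34a" with no fix, while this JSON's second product block has `"defaultStatus": "unaffected"` and no 5.10/5.15 range at all, so a consumer of the JSON would treat those stable series as unaffected while the announcement says they are affected and unfixed. Adding `{ "url": "https://git.kernel.org/stable/c/e2b54eaf28df0c978626c9736b94f003b523b451" }` to `references` and, if the 5.10/5.15 introductions are confirmed, matching `"status": "affected"` version entries (git and custom) for those series would make the three artifacts agree; this may be a bippy generation gap rather than a hand edit, so re-running the generator after checking the branch mapping seems the right fix.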
diff --git a/cve/published/2024/CVE-2024-26792.mbox b/cve/published/2024/CVE-2024-26792.mbox
new file mode 100644
index 00000000..64c99c87
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26792.mbox
@@ -0,0 +1,153 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26792: btrfs: fix double free of anonymous device after snapshot creation failure
+Message-Id: <2024040401-CVE-2024-26792-6048@gregkh>
+Content-Length: 6178
+Lines: 136
+X-Developer-Signature: v=1; a=openpgp-sha256; l=6315;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Lqd/U8KSLBufoiUkBlMV2+1N9u6kbbTELuRTgfj4fHI=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yamrY9dertpzQ0rt0vfVN0IkuE7FZ30/9P08r8Oh7
+ zdKSvQ7OmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiT8QZFhytTfwrHXFI+Sef
+ 7qWghxLNxsKH6hgW3Cjp7tcJi5kmydYVfkNijbzVRHFVAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+btrfs: fix double free of anonymous device after snapshot creation failure
+
+When creating a snapshot we may do a double free of an anonymous device
+in case there's an error committing the transaction. The second free may
+result in freeing an anonymous device number that was allocated by some
+other subsystem in the kernel or another btrfs filesystem.
+
+The steps that lead to this:
+
+1) At ioctl.c:create_snapshot() we allocate an anonymous device number
+ and assign it to pending_snapshot->anon_dev;
+
+2) Then we call btrfs_commit_transaction() and end up at
+ transaction.c:create_pending_snapshot();
+
+3) There we call btrfs_get_new_fs_root() and pass it the anonymous device
+ number stored in pending_snapshot->anon_dev;
+
+4) btrfs_get_new_fs_root() frees that anonymous device number because
+ btrfs_lookup_fs_root() returned a root - someone else did a lookup
+ of the new root already, which could some task doing backref walking;
+
+5) After that some error happens in the transaction commit path, and at
+ ioctl.c:create_snapshot() we jump to the 'fail' label, and after
+ that we free again the same anonymous device number, which in the
+ meanwhile may have been reallocated somewhere else, because
+ pending_snapshot->anon_dev still has the same value as in step 1.
+
+Recently syzbot ran into this and reported the following trace:
+
+ ------------[ cut here ]------------
+ ida_free called for id=51 which is not allocated.
+ WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525
+ Modules linked in:
+ CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+ RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525
+ Code: 10 42 80 3c 28 (...)
+ RSP: 0018:ffffc90015a67300 EFLAGS: 00010246
+ RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000
+ RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000
+ RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4
+ R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246
+ R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246
+ FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0
+ Call Trace:
+ <TASK>
+ btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346
+ create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837
+ create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931
+ btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404
+ create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848
+ btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998
+ btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044
+ __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306
+ btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393
+ btrfs_ioctl+0xa74/0xd40
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:871 [inline]
+ __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857
+ do_syscall_64+0xfb/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+ RIP: 0033:0x7fca3e67dda9
+ Code: 28 00 00 00 (...)
+ RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9
+ RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003
+ RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+ R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658
+ </TASK>
+
+Where we get an explicit message where we attempt to free an anonymous
+device number that is not currently allocated. It happens in a different
+code path from the example below, at btrfs_get_root_ref(), so this change
+may not fix the case triggered by syzbot.
+
+To fix at least the code path from the example above, change
+btrfs_get_root_ref() and its callers to receive a dev_t pointer argument
+for the anonymous device number, so that in case it frees the number, it
+also resets it to 0, so that up in the call chain we don't attempt to do
+the double free.
+
+The Linux kernel CVE team has assigned CVE-2024-26792 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.1.79 with commit 66b317a2fc45 and fixed in 6.1.81 with commit c34adc20b91a
+ Issue introduced in 6.6.18 with commit 833775656d44 and fixed in 6.6.21 with commit eb3441093aad
+ Issue introduced in 6.7.6 with commit 5a172344bfda and fixed in 6.7.9 with commit c8ab7521665b
+ Issue introduced in 5.10.210 with commit 3f5d47eb163b
+ Issue introduced in 5.15.149 with commit e31546b0f34a
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26792
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/btrfs/disk-io.c
+ fs/btrfs/disk-io.h
+ fs/btrfs/ioctl.c
+ fs/btrfs/transaction.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/c34adc20b91a8e55e048b18d63f4f4ae003ecf8f
+ https://git.kernel.org/stable/c/eb3441093aad251418921246fc3b224fd1575701
+ https://git.kernel.org/stable/c/c8ab7521665bd0f8bc4a900244d1d5a7095cc3b9
+ https://git.kernel.org/stable/c/e2b54eaf28df0c978626c9736b94f003b523b451
diff --git a/cve/published/2024/CVE-2024-26792.sha1 b/cve/published/2024/CVE-2024-26792.sha1
new file mode 100644
index 00000000..1ea2e1f1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26792.sha1
@@ -0,0 +1 @@
+e2b54eaf28df0c978626c9736b94f003b523b451
diff --git a/cve/reserved/2024/CVE-2024-26793 b/cve/published/2024/CVE-2024-26793
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26793
+++ b/cve/published/2024/CVE-2024-26793
diff --git a/cve/published/2024/CVE-2024-26793.json b/cve/published/2024/CVE-2024-26793.json
new file mode 100644
index 00000000..96ceba0e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26793.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_newlink()\n\nThe gtp_link_ops operations structure for the subsystem must be\nregistered after registering the gtp_net_ops pernet operations structure.\n\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\n\n[ 1010.702740] gtp: GTP module unloaded\n[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI\n[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1\n[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\n[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00\n[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203\n[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000\n[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282\n[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000\n[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80\n[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400\n[ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000\n[ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0\n[ 1010.715968] PKRU: 55555554\n[ 1010.715972] Call Trace:\n[ 1010.715985] ? __die_body.cold+0x1a/0x1f\n[ 1010.715995] ? die_addr+0x43/0x70\n[ 1010.716002] ? exc_general_protection+0x199/0x2f0\n[ 1010.716016] ? 
asm_exc_general_protection+0x1e/0x30\n[ 1010.716026] ? gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.716034] ? gtp_net_exit+0x150/0x150 [gtp]\n[ 1010.716042] __rtnl_newlink+0x1063/0x1700\n[ 1010.716051] ? rtnl_setlink+0x3c0/0x3c0\n[ 1010.716063] ? is_bpf_text_address+0xc0/0x1f0\n[ 1010.716070] ? kernel_text_address.part.0+0xbb/0xd0\n[ 1010.716076] ? __kernel_text_address+0x56/0xa0\n[ 1010.716084] ? unwind_get_return_address+0x5a/0xa0\n[ 1010.716091] ? create_prof_cpu_mask+0x30/0x30\n[ 1010.716098] ? arch_stack_walk+0x9e/0xf0\n[ 1010.716106] ? stack_trace_save+0x91/0xd0\n[ 1010.716113] ? stack_trace_consume_entry+0x170/0x170\n[ 1010.716121] ? __lock_acquire+0x15c5/0x5380\n[ 1010.716139] ? mark_held_locks+0x9e/0xe0\n[ 1010.716148] ? kmem_cache_alloc_trace+0x35f/0x3c0\n[ 1010.716155] ? __rtnl_newlink+0x1700/0x1700\n[ 1010.716160] rtnl_newlink+0x69/0xa0\n[ 1010.716166] rtnetlink_rcv_msg+0x43b/0xc50\n[ 1010.716172] ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716179] ? lock_acquire+0x1fe/0x560\n[ 1010.716188] ? netlink_deliver_tap+0x12f/0xd50\n[ 1010.716196] netlink_rcv_skb+0x14d/0x440\n[ 1010.716202] ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716208] ? netlink_ack+0xab0/0xab0\n[ 1010.716213] ? netlink_deliver_tap+0x202/0xd50\n[ 1010.716220] ? netlink_deliver_tap+0x218/0xd50\n[ 1010.716226] ? __virt_addr_valid+0x30b/0x590\n[ 1010.716233] netlink_unicast+0x54b/0x800\n[ 1010.716240] ? netlink_attachskb+0x870/0x870\n[ 1010.716248] ? __check_object_size+0x2de/0x3b0\n[ 1010.716254] netlink_sendmsg+0x938/0xe40\n[ 1010.716261] ? netlink_unicast+0x800/0x800\n[ 1010.716269] ? __import_iovec+0x292/0x510\n[ 1010.716276] ? netlink_unicast+0x800/0x800\n[ 1010.716284] __sock_sendmsg+0x159/0x190\n[ 1010.716290] ____sys_sendmsg+0x712/0x880\n[ 1010.716297] ? sock_write_iter+0x3d0/0x3d0\n[ 1010.716304] ? __ia32_sys_recvmmsg+0x270/0x270\n[ 1010.716309] ? lock_acquire+0x1fe/0x560\n[ 1010.716315] ? drain_array_locked+0x90/0x90\n[ 1010.716324] ___sys_sendmsg+0xf8/0x170\n[ 1010.716331] ? 
sendmsg_copy_msghdr+0x170/0x170\n[ 1010.716337] ? lockdep_init_map\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "01129059d514",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "ec92aa2cab6f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "e668b92a3a01",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "9376d059a705",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "abd32d7f5c02",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "93dd420bc415",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "5366969a19a8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "616d82c3cfa2",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.309",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.271",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.212",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/01129059d5141d62fae692f7a336ae3bc712d3eb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ec92aa2cab6f0048f10d6aa4f025c5885cb1a1b6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e668b92a3a01429923fd5ca13e99642aab47de69"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9376d059a705c5dfaac566c2d09891242013ae16"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/abd32d7f5c0294c1b2454c5a3b13b18446bac627"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/93dd420bc41531c9a31498b9538ca83ba6ec191e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5366969a19a8a0d2ffb3d27ef6e8905e5e4216f8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/616d82c3cfa2a2146dd7e3ae47bda7e877ee549e"
+ }
+ ],
+ "title": "gtp: fix use-after-free and null-ptr-deref in gtp_newlink()",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26793",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26793.mbox b/cve/published/2024/CVE-2024-26793.mbox
new file mode 100644
index 00000000..44b5e2e1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26793.mbox
@@ -0,0 +1,170 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26793: gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
+Message-Id: <2024040401-CVE-2024-26793-2beb@gregkh>
+Content-Length: 9031
+Lines: 153
+X-Developer-Signature: v=1; a=openpgp-sha256; l=9185;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Ngbu3oE3li2G2co2Y/eFoVhf+Q3w8eXThyk5HYI3qbs=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yann9v6uDdzx+8DN7R2tj593btqulH66O7n1idI0o
+ 8mHP1k/7ohlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJzPrIMFf8RkdjnIqIrOqG
+ NbdrKyI1radUPGOYXx56a2VP7voZAZJTjaSXHTu2LvLOTgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
+
+The gtp_link_ops operations structure for the subsystem must be
+registered after registering the gtp_net_ops pernet operations structure.
+
+Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:
+
+[ 1010.702740] gtp: GTP module unloaded
+[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
+[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1
+[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014
+[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]
+[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00
+[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203
+[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000
+[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282
+[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000
+[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80
+[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400
+[ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000
+[ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0
+[ 1010.715968] PKRU: 55555554
+[ 1010.715972] Call Trace:
+[ 1010.715985] ? __die_body.cold+0x1a/0x1f
+[ 1010.715995] ? die_addr+0x43/0x70
+[ 1010.716002] ? exc_general_protection+0x199/0x2f0
+[ 1010.716016] ? asm_exc_general_protection+0x1e/0x30
+[ 1010.716026] ? gtp_newlink+0x4d7/0x9c0 [gtp]
+[ 1010.716034] ? gtp_net_exit+0x150/0x150 [gtp]
+[ 1010.716042] __rtnl_newlink+0x1063/0x1700
+[ 1010.716051] ? rtnl_setlink+0x3c0/0x3c0
+[ 1010.716063] ? is_bpf_text_address+0xc0/0x1f0
+[ 1010.716070] ? kernel_text_address.part.0+0xbb/0xd0
+[ 1010.716076] ? __kernel_text_address+0x56/0xa0
+[ 1010.716084] ? unwind_get_return_address+0x5a/0xa0
+[ 1010.716091] ? create_prof_cpu_mask+0x30/0x30
+[ 1010.716098] ? arch_stack_walk+0x9e/0xf0
+[ 1010.716106] ? stack_trace_save+0x91/0xd0
+[ 1010.716113] ? stack_trace_consume_entry+0x170/0x170
+[ 1010.716121] ? __lock_acquire+0x15c5/0x5380
+[ 1010.716139] ? mark_held_locks+0x9e/0xe0
+[ 1010.716148] ? kmem_cache_alloc_trace+0x35f/0x3c0
+[ 1010.716155] ? __rtnl_newlink+0x1700/0x1700
+[ 1010.716160] rtnl_newlink+0x69/0xa0
+[ 1010.716166] rtnetlink_rcv_msg+0x43b/0xc50
+[ 1010.716172] ? rtnl_fdb_dump+0x9f0/0x9f0
+[ 1010.716179] ? lock_acquire+0x1fe/0x560
+[ 1010.716188] ? netlink_deliver_tap+0x12f/0xd50
+[ 1010.716196] netlink_rcv_skb+0x14d/0x440
+[ 1010.716202] ? rtnl_fdb_dump+0x9f0/0x9f0
+[ 1010.716208] ? netlink_ack+0xab0/0xab0
+[ 1010.716213] ? netlink_deliver_tap+0x202/0xd50
+[ 1010.716220] ? netlink_deliver_tap+0x218/0xd50
+[ 1010.716226] ? __virt_addr_valid+0x30b/0x590
+[ 1010.716233] netlink_unicast+0x54b/0x800
+[ 1010.716240] ? netlink_attachskb+0x870/0x870
+[ 1010.716248] ? __check_object_size+0x2de/0x3b0
+[ 1010.716254] netlink_sendmsg+0x938/0xe40
+[ 1010.716261] ? netlink_unicast+0x800/0x800
+[ 1010.716269] ? __import_iovec+0x292/0x510
+[ 1010.716276] ? netlink_unicast+0x800/0x800
+[ 1010.716284] __sock_sendmsg+0x159/0x190
+[ 1010.716290] ____sys_sendmsg+0x712/0x880
+[ 1010.716297] ? sock_write_iter+0x3d0/0x3d0
+[ 1010.716304] ? __ia32_sys_recvmmsg+0x270/0x270
+[ 1010.716309] ? lock_acquire+0x1fe/0x560
+[ 1010.716315] ? drain_array_locked+0x90/0x90
+[ 1010.716324] ___sys_sendmsg+0xf8/0x170
+[ 1010.716331] ? sendmsg_copy_msghdr+0x170/0x170
+[ 1010.716337] ? lockdep_init_map_type+0x2c7/0x860
+[ 1010.716343] ? lockdep_hardirqs_on_prepare+0x430/0x430
+[ 1010.716350] ? debug_mutex_init+0x33/0x70
+[ 1010.716360] ? percpu_counter_add_batch+0x8b/0x140
+[ 1010.716367] ? lock_acquire+0x1fe/0x560
+[ 1010.716373] ? find_held_lock+0x2c/0x110
+[ 1010.716384] ? __fd_install+0x1b6/0x6f0
+[ 1010.716389] ? lock_downgrade+0x810/0x810
+[ 1010.716396] ? __fget_light+0x222/0x290
+[ 1010.716403] __sys_sendmsg+0xea/0x1b0
+[ 1010.716409] ? __sys_sendmsg_sock+0x40/0x40
+[ 1010.716419] ? lockdep_hardirqs_on_prepare+0x2b3/0x430
+[ 1010.716425] ? syscall_enter_from_user_mode+0x1d/0x60
+[ 1010.716432] do_syscall_64+0x30/0x40
+[ 1010.716438] entry_SYSCALL_64_after_hwframe+0x62/0xc7
+[ 1010.716444] RIP: 0033:0x7fd1508cbd49
+[ 1010.716452] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
+[ 1010.716456] RSP: 002b:00007fff18872348 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+[ 1010.716463] RAX: ffffffffffffffda RBX: 000055f72bf0eac0 RCX: 00007fd1508cbd49
+[ 1010.716468] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006
+[ 1010.716473] RBP: 00007fff18872360 R08: 00007fff18872360 R09: 00007fff18872360
+[ 1010.716478] R10: 00007fff18872360 R11: 0000000000000202 R12: 000055f72bf0e1b0
+[ 1010.716482] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 1010.716491] Modules linked in: gtp(+) udp_tunnel ib_core uinput af_packet rfkill qrtr joydev hid_generic usbhid hid kvm_intel iTCO_wdt intel_pmc_bxt iTCO_vendor_support kvm snd_hda_codec_generic ledtrig_audio irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel snd_hda_intel nls_utf8 snd_intel_dspcfg nls_cp866 psmouse aesni_intel vfat crypto_simd fat cryptd glue_helper snd_hda_codec pcspkr snd_hda_core i2c_i801 snd_hwdep i2c_smbus xhci_pci snd_pcm lpc_ich xhci_pci_renesas xhci_hcd qemu_fw_cfg tiny_power_button button sch_fq_codel vboxvideo drm_vram_helper drm_ttm_helper ttm vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore msr fuse efi_pstore dm_mod ip_tables x_tables autofs4 virtio_gpu virtio_dma_buf drm_kms_helper cec rc_core drm virtio_rng virtio_scsi rng_core virtio_balloon virtio_blk virtio_net virtio_console net_failover failover ahci libahci libata evdev scsi_mod input_leds serio_raw virtio_pci intel_agp
+[ 1010.716674] virtio_ring intel_gtt virtio [last unloaded: gtp]
+[ 1010.716693] ---[ end trace 04990a4ce61e174b ]---
+
+The Linux kernel CVE team has assigned CVE-2024-26793 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 4.19.309 with commit 01129059d514
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 5.4.271 with commit ec92aa2cab6f
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 5.10.212 with commit e668b92a3a01
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 5.15.151 with commit 9376d059a705
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 6.1.81 with commit abd32d7f5c02
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 6.6.21 with commit 93dd420bc415
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 6.7.9 with commit 5366969a19a8
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 6.8 with commit 616d82c3cfa2
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26793
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/gtp.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/01129059d5141d62fae692f7a336ae3bc712d3eb
+ https://git.kernel.org/stable/c/ec92aa2cab6f0048f10d6aa4f025c5885cb1a1b6
+ https://git.kernel.org/stable/c/e668b92a3a01429923fd5ca13e99642aab47de69
+ https://git.kernel.org/stable/c/9376d059a705c5dfaac566c2d09891242013ae16
+ https://git.kernel.org/stable/c/abd32d7f5c0294c1b2454c5a3b13b18446bac627
+ https://git.kernel.org/stable/c/93dd420bc41531c9a31498b9538ca83ba6ec191e
+ https://git.kernel.org/stable/c/5366969a19a8a0d2ffb3d27ef6e8905e5e4216f8
+ https://git.kernel.org/stable/c/616d82c3cfa2a2146dd7e3ae47bda7e877ee549e
diff --git a/cve/published/2024/CVE-2024-26793.sha1 b/cve/published/2024/CVE-2024-26793.sha1
new file mode 100644
index 00000000..7c1dbdc8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26793.sha1
@@ -0,0 +1 @@
+616d82c3cfa2a2146dd7e3ae47bda7e877ee549e
diff --git a/cve/reserved/2024/CVE-2024-26794 b/cve/published/2024/CVE-2024-26794
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26794
+++ b/cve/published/2024/CVE-2024-26794
diff --git a/cve/published/2024/CVE-2024-26794.json b/cve/published/2024/CVE-2024-26794.json
new file mode 100644
index 00000000..f03f468b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26794.json
@@ -0,0 +1,78 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between ordered extent completion and fiemap\n\nFor fiemap we recently stopped locking the target extent range for the\nwhole duration of the fiemap call, in order to avoid a deadlock in a\nscenario where the fiemap buffer happens to be a memory mapped range of\nthe same file. This use case is very unlikely to be useful in practice but\nit may be triggered by fuzz testing (syzbot, etc).\n\nHowever by not locking the target extent range for the whole duration of\nthe fiemap call we can race with an ordered extent. This happens like\nthis:\n\n1) The fiemap task finishes processing a file extent item that covers\n the file range [512K, 1M[, and that file extent item is the last item\n in the leaf currently being processed;\n\n2) And ordered extent for the file range [768K, 2M[, in COW mode,\n completes (btrfs_finish_one_ordered()) and the file extent item\n covering the range [512K, 1M[ is trimmed to cover the range\n [512K, 768K[ and then a new file extent item for the range [768K, 2M[\n is inserted in the inode's subvolume tree;\n\n3) The fiemap task calls fiemap_next_leaf_item(), which then calls\n btrfs_next_leaf() to find the next leaf / item. This finds that the\n the next key following the one we previously processed (its type is\n BTRFS_EXTENT_DATA_KEY and its offset is 512K), is the key corresponding\n to the new file extent item inserted by the ordered extent, which has\n a type of BTRFS_EXTENT_DATA_KEY and an offset of 768K;\n\n4) Later the fiemap code ends up at emit_fiemap_extent() and triggers\n the warning:\n\n if (cache->offset + cache->len > offset) {\n WARN_ON(1);\n return -EINVAL;\n }\n\n Since we get 1M > 768K, because the previously emitted entry for the\n old extent covering the file range [512K, 1M[ ends at an offset that\n is greater than the new extent's start offset (768K). 
This makes fiemap\n fail with -EINVAL besides triggering the warning that produces a stack\n trace like the following:\n\n [1621.677651] ------------[ cut here ]------------\n [1621.677656] WARNING: CPU: 1 PID: 204366 at fs/btrfs/extent_io.c:2492 emit_fiemap_extent+0x84/0x90 [btrfs]\n [1621.677899] Modules linked in: btrfs blake2b_generic (...)\n [1621.677951] CPU: 1 PID: 204366 Comm: pool Not tainted 6.8.0-rc5-btrfs-next-151+ #1\n [1621.677954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [1621.677956] RIP: 0010:emit_fiemap_extent+0x84/0x90 [btrfs]\n [1621.678033] Code: 2b 4c 89 63 (...)\n [1621.678035] RSP: 0018:ffffab16089ffd20 EFLAGS: 00010206\n [1621.678037] RAX: 00000000004fa000 RBX: ffffab16089ffe08 RCX: 0000000000009000\n [1621.678039] RDX: 00000000004f9000 RSI: 00000000004f1000 RDI: ffffab16089ffe90\n [1621.678040] RBP: 00000000004f9000 R08: 0000000000001000 R09: 0000000000000000\n [1621.678041] R10: 0000000000000000 R11: 0000000000001000 R12: 0000000041d78000\n [1621.678043] R13: 0000000000001000 R14: 0000000000000000 R15: ffff9434f0b17850\n [1621.678044] FS: 00007fa6e20006c0(0000) GS:ffff943bdfa40000(0000) knlGS:0000000000000000\n [1621.678046] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [1621.678048] CR2: 00007fa6b0801000 CR3: 000000012d404002 CR4: 0000000000370ef0\n [1621.678053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [1621.678055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [1621.678056] Call Trace:\n [1621.678074] <TASK>\n [1621.678076] ? __warn+0x80/0x130\n [1621.678082] ? emit_fiemap_extent+0x84/0x90 [btrfs]\n [1621.678159] ? report_bug+0x1f4/0x200\n [1621.678164] ? handle_bug+0x42/0x70\n [1621.678167] ? exc_invalid_op+0x14/0x70\n [1621.678170] ? asm_exc_invalid_op+0x16/0x20\n [1621.678178] ? emit_fiemap_extent+0x84/0x90 [btrfs]\n [1621.678253] extent_fiemap+0x766\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "ded566b4637f",
+ "lessThan": "d43f8e58f10a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "89bca7fe6382",
+ "lessThan": "31d07a757c6d",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6.24",
+ "lessThan": "6.6.21",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.12",
+ "lessThan": "6.7.9",
+ "status": "affected",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/d43f8e58f10a44df8c08e7f7076f3288352cd168"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/31d07a757c6d3430e03cc22799921569999b9a12"
+ }
+ ],
+ "title": "btrfs: fix race between ordered extent completion and fiemap",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26794",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
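Review bot: The two `custom` version ranges in the second `affected` entry are inverted: `"version": "6.6.24", "lessThan": "6.6.21"` and `"version": "6.7.12", "lessThan": "6.7.9"` declare an introducing release newer than the fixing release, so a CVE JSON 5.0 consumer evaluating the range gets an empty (or rejected) affected set and will treat every 6.6.x and 6.7.x kernel as unaffected. The git ranges above them (`ded566b4637f` → `d43f8e58f10a`, `89bca7fe6382` → `31d07a757c6d`) look like the intended source, and the release numbers should be checked against the stable tags those hashes actually land in before the record is published. The mbox added in this same commit repeats the inverted statement in its "Affected and fixed versions" section (`Issue introduced in 6.6.24 with commit ded566b4637f and fixed in 6.6.21`). Separately, the mbox mitigation list and the .sha1 file name a third fix commit, `a1a4a9ca77f143c00fce69c1239887ff8b813bec`, that has no matching entry in this record's `references` or `affected` arrays, so the mainline fix is not discoverable from the JSON alone.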
diff --git a/cve/published/2024/CVE-2024-26794.mbox b/cve/published/2024/CVE-2024-26794.mbox
new file mode 100644
index 00000000..ffd178ee
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26794.mbox
@@ -0,0 +1,178 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26794: btrfs: fix race between ordered extent completion and fiemap
+Message-Id: <2024040401-CVE-2024-26794-3890@gregkh>
+Content-Length: 7935
+Lines: 161
+X-Developer-Signature: v=1; a=openpgp-sha256; l=8097;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=LGzyKk+ZmG82MoqcAESZ0iHfUD2TFbkEXbfDdtUhAuE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yamrlT9Pi+E5f+mMmsQO5TOqzst8YsKFd0oahv+Mu
+ 56lfO1NRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEyEj4FhrmTOzkW3Q9VOdf2y
+ D27kEmzWFNZ7yzC/7qeZvIyH8w2OfTn5i+xVt074zv8PAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+btrfs: fix race between ordered extent completion and fiemap
+
+For fiemap we recently stopped locking the target extent range for the
+whole duration of the fiemap call, in order to avoid a deadlock in a
+scenario where the fiemap buffer happens to be a memory mapped range of
+the same file. This use case is very unlikely to be useful in practice but
+it may be triggered by fuzz testing (syzbot, etc).
+
+However by not locking the target extent range for the whole duration of
+the fiemap call we can race with an ordered extent. This happens like
+this:
+
+1) The fiemap task finishes processing a file extent item that covers
+ the file range [512K, 1M[, and that file extent item is the last item
+ in the leaf currently being processed;
+
+2) And ordered extent for the file range [768K, 2M[, in COW mode,
+ completes (btrfs_finish_one_ordered()) and the file extent item
+ covering the range [512K, 1M[ is trimmed to cover the range
+ [512K, 768K[ and then a new file extent item for the range [768K, 2M[
+ is inserted in the inode's subvolume tree;
+
+3) The fiemap task calls fiemap_next_leaf_item(), which then calls
+ btrfs_next_leaf() to find the next leaf / item. This finds that the
+ the next key following the one we previously processed (its type is
+ BTRFS_EXTENT_DATA_KEY and its offset is 512K), is the key corresponding
+ to the new file extent item inserted by the ordered extent, which has
+ a type of BTRFS_EXTENT_DATA_KEY and an offset of 768K;
+
+4) Later the fiemap code ends up at emit_fiemap_extent() and triggers
+ the warning:
+
+ if (cache->offset + cache->len > offset) {
+ WARN_ON(1);
+ return -EINVAL;
+ }
+
+ Since we get 1M > 768K, because the previously emitted entry for the
+ old extent covering the file range [512K, 1M[ ends at an offset that
+ is greater than the new extent's start offset (768K). This makes fiemap
+ fail with -EINVAL besides triggering the warning that produces a stack
+ trace like the following:
+
+ [1621.677651] ------------[ cut here ]------------
+ [1621.677656] WARNING: CPU: 1 PID: 204366 at fs/btrfs/extent_io.c:2492 emit_fiemap_extent+0x84/0x90 [btrfs]
+ [1621.677899] Modules linked in: btrfs blake2b_generic (...)
+ [1621.677951] CPU: 1 PID: 204366 Comm: pool Not tainted 6.8.0-rc5-btrfs-next-151+ #1
+ [1621.677954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+ [1621.677956] RIP: 0010:emit_fiemap_extent+0x84/0x90 [btrfs]
+ [1621.678033] Code: 2b 4c 89 63 (...)
+ [1621.678035] RSP: 0018:ffffab16089ffd20 EFLAGS: 00010206
+ [1621.678037] RAX: 00000000004fa000 RBX: ffffab16089ffe08 RCX: 0000000000009000
+ [1621.678039] RDX: 00000000004f9000 RSI: 00000000004f1000 RDI: ffffab16089ffe90
+ [1621.678040] RBP: 00000000004f9000 R08: 0000000000001000 R09: 0000000000000000
+ [1621.678041] R10: 0000000000000000 R11: 0000000000001000 R12: 0000000041d78000
+ [1621.678043] R13: 0000000000001000 R14: 0000000000000000 R15: ffff9434f0b17850
+ [1621.678044] FS: 00007fa6e20006c0(0000) GS:ffff943bdfa40000(0000) knlGS:0000000000000000
+ [1621.678046] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [1621.678048] CR2: 00007fa6b0801000 CR3: 000000012d404002 CR4: 0000000000370ef0
+ [1621.678053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [1621.678055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [1621.678056] Call Trace:
+ [1621.678074] <TASK>
+ [1621.678076] ? __warn+0x80/0x130
+ [1621.678082] ? emit_fiemap_extent+0x84/0x90 [btrfs]
+ [1621.678159] ? report_bug+0x1f4/0x200
+ [1621.678164] ? handle_bug+0x42/0x70
+ [1621.678167] ? exc_invalid_op+0x14/0x70
+ [1621.678170] ? asm_exc_invalid_op+0x16/0x20
+ [1621.678178] ? emit_fiemap_extent+0x84/0x90 [btrfs]
+ [1621.678253] extent_fiemap+0x766/0xa30 [btrfs]
+ [1621.678339] btrfs_fiemap+0x45/0x80 [btrfs]
+ [1621.678420] do_vfs_ioctl+0x1e4/0x870
+ [1621.678431] __x64_sys_ioctl+0x6a/0xc0
+ [1621.678434] do_syscall_64+0x52/0x120
+ [1621.678445] entry_SYSCALL_64_after_hwframe+0x6e/0x76
+
+There's also another case where before calling btrfs_next_leaf() we are
+processing a hole or a prealloc extent and we had several delalloc ranges
+within that hole or prealloc extent. In that case if the ordered extents
+complete before we find the next key, we may end up finding an extent item
+with an offset smaller than (or equals to) the offset in cache->offset.
+
+So fix this by changing emit_fiemap_extent() to address these three
+scenarios like this:
+
+1) For the first case, steps listed above, adjust the length of the
+ previously cached extent so that it does not overlap with the current
+ extent, emit the previous one and cache the current file extent item;
+
+2) For the second case where he had a hole or prealloc extent with
+ multiple delalloc ranges inside the hole or prealloc extent's range,
+ and the current file extent item has an offset that matches the offset
+ in the fiemap cache, just discard what we have in the fiemap cache and
+ assign the current file extent item to the cache, since it's more up
+ to date;
+
+3) For the third case where he had a hole or prealloc extent with
+ multiple delalloc ranges inside the hole or prealloc extent's range
+ and the offset of the file extent item we just found is smaller than
+ what we have in the cache, just skip the current file extent item
+ if its range end at or behind the cached extent's end, because we may
+ have emitted (to the fiemap user space buffer) delalloc ranges that
+ overlap with the current file extent item's range. If the file extent
+ item's range goes beyond the end offset of the cached extent, just
+ emit the cached extent and cache a subrange of the file extent item,
+ that goes from the end offset of the cached extent to the end offset
+ of the file extent item.
+
+Dealing with those cases in those ways makes everything consistent by
+reflecting the current state of file extent items in the btree and
+without emitting extents that have overlapping ranges (which would be
+confusing and violating expectations).
+
+This issue could be triggered often with test case generic/561, and was
+also hit and reported by Wang Yugui.
+
+The Linux kernel CVE team has assigned CVE-2024-26794 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.6.24 with commit ded566b4637f and fixed in 6.6.21 with commit d43f8e58f10a
+ Issue introduced in 6.7.12 with commit 89bca7fe6382 and fixed in 6.7.9 with commit 31d07a757c6d
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26794
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/btrfs/extent_io.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/d43f8e58f10a44df8c08e7f7076f3288352cd168
+ https://git.kernel.org/stable/c/31d07a757c6d3430e03cc22799921569999b9a12
+ https://git.kernel.org/stable/c/a1a4a9ca77f143c00fce69c1239887ff8b813bec
diff --git a/cve/published/2024/CVE-2024-26794.sha1 b/cve/published/2024/CVE-2024-26794.sha1
new file mode 100644
index 00000000..54cc6f65
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26794.sha1
@@ -0,0 +1 @@
+a1a4a9ca77f143c00fce69c1239887ff8b813bec
diff --git a/cve/reserved/2024/CVE-2024-26795 b/cve/published/2024/CVE-2024-26795
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26795
+++ b/cve/published/2024/CVE-2024-26795
diff --git a/cve/published/2024/CVE-2024-26795.json b/cve/published/2024/CVE-2024-26795.json
new file mode 100644
index 00000000..0b833003
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26795.json
@@ -0,0 +1,148 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Sparse-Memory/vmemmap out-of-bounds fix\n\nOffset vmemmap so that the first page of vmemmap will be mapped\nto the first page of physical memory in order to ensure that\nvmemmap’s bounds will be respected during\npfn_to_page()/page_to_pfn() operations.\nThe conversion macros will produce correct SV39/48/57 addresses\nfor every possible/valid DRAM_BASE inside the physical memory limits.\n\nv2:Address Alex's comments"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "d95f1a542c3d",
+ "lessThan": "8af1c121b010",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d95f1a542c3d",
+ "lessThan": "5941a90c55d3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d95f1a542c3d",
+ "lessThan": "8310080799b4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d95f1a542c3d",
+ "lessThan": "a278d5c60f21",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d95f1a542c3d",
+ "lessThan": "2a1728c15ec4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d95f1a542c3d",
+ "lessThan": "a11dd49dcb93",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.4",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.4",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.212",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/8af1c121b0102041809bc137ec600d1865eaeedd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5941a90c55d3bfba732b32208d58d997600b44ef"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8310080799b40fd9f2a8b808c657269678c149af"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a278d5c60f21aa15d540abb2f2da6e6d795c3e6e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2a1728c15ec4f45ed9248ae22f626541c179bfbe"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a11dd49dcb9376776193e15641f84fcc1e5980c9"
+ }
+ ],
+ "title": "riscv: Sparse-Memory/vmemmap out-of-bounds fix",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26795",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26795.mbox b/cve/published/2024/CVE-2024-26795.mbox
new file mode 100644
index 00000000..a1ff60a7
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26795.mbox
@@ -0,0 +1,79 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26795: riscv: Sparse-Memory/vmemmap out-of-bounds fix
+Message-Id: <2024040402-CVE-2024-26795-404a@gregkh>
+Content-Length: 2648
+Lines: 62
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2711;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=cWZAndt04/v923QVQ2KzXqd0UMm8ceZlT5LejrMlNfM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yWkXL+3xim5/2DiDU2qd6rQQtZVPxQ66rHrVdozfq
+ D9uvmNBRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzktSfDPNXd9Xp+X3SfORic
+ /nfsTm1tOUvGE4b5wV8NxYs/+Bu/lfKQW2QjMTPKb3kNAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+riscv: Sparse-Memory/vmemmap out-of-bounds fix
+
+Offset vmemmap so that the first page of vmemmap will be mapped
+to the first page of physical memory in order to ensure that
+vmemmap’s bounds will be respected during
+pfn_to_page()/page_to_pfn() operations.
+The conversion macros will produce correct SV39/48/57 addresses
+for every possible/valid DRAM_BASE inside the physical memory limits.
+
+v2:Address Alex's comments
+
+The Linux kernel CVE team has assigned CVE-2024-26795 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.4 with commit d95f1a542c3d and fixed in 5.10.212 with commit 8af1c121b010
+ Issue introduced in 5.4 with commit d95f1a542c3d and fixed in 5.15.151 with commit 5941a90c55d3
+ Issue introduced in 5.4 with commit d95f1a542c3d and fixed in 6.1.81 with commit 8310080799b4
+ Issue introduced in 5.4 with commit d95f1a542c3d and fixed in 6.6.21 with commit a278d5c60f21
+ Issue introduced in 5.4 with commit d95f1a542c3d and fixed in 6.7.9 with commit 2a1728c15ec4
+ Issue introduced in 5.4 with commit d95f1a542c3d and fixed in 6.8 with commit a11dd49dcb93
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26795
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/riscv/include/asm/pgtable.h
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/8af1c121b0102041809bc137ec600d1865eaeedd
+ https://git.kernel.org/stable/c/5941a90c55d3bfba732b32208d58d997600b44ef
+ https://git.kernel.org/stable/c/8310080799b40fd9f2a8b808c657269678c149af
+ https://git.kernel.org/stable/c/a278d5c60f21aa15d540abb2f2da6e6d795c3e6e
+ https://git.kernel.org/stable/c/2a1728c15ec4f45ed9248ae22f626541c179bfbe
+ https://git.kernel.org/stable/c/a11dd49dcb9376776193e15641f84fcc1e5980c9
diff --git a/cve/published/2024/CVE-2024-26795.sha1 b/cve/published/2024/CVE-2024-26795.sha1
new file mode 100644
index 00000000..7f4b5593
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26795.sha1
@@ -0,0 +1 @@
+a11dd49dcb9376776193e15641f84fcc1e5980c9
diff --git a/cve/reserved/2024/CVE-2024-26796 b/cve/published/2024/CVE-2024-26796
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26796
+++ b/cve/published/2024/CVE-2024-26796
diff --git a/cve/published/2024/CVE-2024-26796.json b/cve/published/2024/CVE-2024-26796.json
new file mode 100644
index 00000000..d82d8db1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26796.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: perf: ctr_get_width function for legacy is not defined\n\nWith parameters CONFIG_RISCV_PMU_LEGACY=y and CONFIG_RISCV_PMU_SBI=n\nlinux kernel crashes when you try perf record:\n\n$ perf record ls\n[ 46.749286] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 46.750199] Oops [#1]\n[ 46.750342] Modules linked in:\n[ 46.750608] CPU: 0 PID: 107 Comm: perf-exec Not tainted 6.6.0 #2\n[ 46.750906] Hardware name: riscv-virtio,qemu (DT)\n[ 46.751184] epc : 0x0\n[ 46.751430] ra : arch_perf_update_userpage+0x54/0x13e\n[ 46.751680] epc : 0000000000000000 ra : ffffffff8072ee52 sp : ff2000000022b8f0\n[ 46.751958] gp : ffffffff81505988 tp : ff6000000290d400 t0 : ff2000000022b9c0\n[ 46.752229] t1 : 0000000000000001 t2 : 0000000000000003 s0 : ff2000000022b930\n[ 46.752451] s1 : ff600000028fb000 a0 : 0000000000000000 a1 : ff600000028fb000\n[ 46.752673] a2 : 0000000ae2751268 a3 : 00000000004fb708 a4 : 0000000000000004\n[ 46.752895] a5 : 0000000000000000 a6 : 000000000017ffe3 a7 : 00000000000000d2\n[ 46.753117] s2 : ff600000028fb000 s3 : 0000000ae2751268 s4 : 0000000000000000\n[ 46.753338] s5 : ffffffff8153e290 s6 : ff600000863b9000 s7 : ff60000002961078\n[ 46.753562] s8 : ff60000002961048 s9 : ff60000002961058 s10: 0000000000000001\n[ 46.753783] s11: 0000000000000018 t3 : ffffffffffffffff t4 : ffffffffffffffff\n[ 46.754005] t5 : ff6000000292270c t6 : ff2000000022bb30\n[ 46.754179] status: 0000000200000100 badaddr: 0000000000000000 cause: 000000000000000c\n[ 46.754653] Code: Unable to access instruction at 0xffffffffffffffec.\n[ 46.754939] ---[ end trace 0000000000000000 ]---\n[ 46.755131] note: perf-exec[107] exited with irqs disabled\n[ 46.755546] note: perf-exec[107] exited with preempt_count 4\n\nThis happens because in the legacy case the ctr_get_width function was not\ndefined, but it is used in arch_perf_update_userpage.\n\nAlso remove extra check in 
riscv_pmu_ctr_get_width_mask"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "cc4c07c89aad",
+ "lessThan": "e0d17ee872cf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "cc4c07c89aad",
+ "lessThan": "e4f50e85de5a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "cc4c07c89aad",
+ "lessThan": "682dc133f83e",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.6",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/e0d17ee872cf8d0f51cc561329b8e1a0aa792bbb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e4f50e85de5a6b21dfdc0d7ca435eba4f62935c3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/682dc133f83e0194796e6ea72eb642df1c03dfbe"
+ }
+ ],
+ "title": "drivers: perf: ctr_get_width function for legacy is not defined",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26796",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26796.mbox b/cve/published/2024/CVE-2024-26796.mbox
new file mode 100644
index 00000000..fe0176f9
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26796.mbox
@@ -0,0 +1,98 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26796: drivers: perf: ctr_get_width function for legacy is not defined
+Message-Id: <2024040402-CVE-2024-26796-85c5@gregkh>
+Content-Length: 3656
+Lines: 81
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3738;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=S5KtueptK5Jh8AmsMSjj3OoDcVEPVWMHdwXhqpguxMg=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yWlKB1ta225XZcVKMua4p6w4dvo57wKPV+JF3/T2r
+ /2498bjjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjIppUMC6aKv/+8SGZWX/b0
+ rPd317pPmab2noFhftGJF/ble4NWy8/pTPoTw201Z1VOEwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+drivers: perf: ctr_get_width function for legacy is not defined
+
+With parameters CONFIG_RISCV_PMU_LEGACY=y and CONFIG_RISCV_PMU_SBI=n
+linux kernel crashes when you try perf record:
+
+$ perf record ls
+[ 46.749286] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+[ 46.750199] Oops [#1]
+[ 46.750342] Modules linked in:
+[ 46.750608] CPU: 0 PID: 107 Comm: perf-exec Not tainted 6.6.0 #2
+[ 46.750906] Hardware name: riscv-virtio,qemu (DT)
+[ 46.751184] epc : 0x0
+[ 46.751430] ra : arch_perf_update_userpage+0x54/0x13e
+[ 46.751680] epc : 0000000000000000 ra : ffffffff8072ee52 sp : ff2000000022b8f0
+[ 46.751958] gp : ffffffff81505988 tp : ff6000000290d400 t0 : ff2000000022b9c0
+[ 46.752229] t1 : 0000000000000001 t2 : 0000000000000003 s0 : ff2000000022b930
+[ 46.752451] s1 : ff600000028fb000 a0 : 0000000000000000 a1 : ff600000028fb000
+[ 46.752673] a2 : 0000000ae2751268 a3 : 00000000004fb708 a4 : 0000000000000004
+[ 46.752895] a5 : 0000000000000000 a6 : 000000000017ffe3 a7 : 00000000000000d2
+[ 46.753117] s2 : ff600000028fb000 s3 : 0000000ae2751268 s4 : 0000000000000000
+[ 46.753338] s5 : ffffffff8153e290 s6 : ff600000863b9000 s7 : ff60000002961078
+[ 46.753562] s8 : ff60000002961048 s9 : ff60000002961058 s10: 0000000000000001
+[ 46.753783] s11: 0000000000000018 t3 : ffffffffffffffff t4 : ffffffffffffffff
+[ 46.754005] t5 : ff6000000292270c t6 : ff2000000022bb30
+[ 46.754179] status: 0000000200000100 badaddr: 0000000000000000 cause: 000000000000000c
+[ 46.754653] Code: Unable to access instruction at 0xffffffffffffffec.
+[ 46.754939] ---[ end trace 0000000000000000 ]---
+[ 46.755131] note: perf-exec[107] exited with irqs disabled
+[ 46.755546] note: perf-exec[107] exited with preempt_count 4
+
+This happens because in the legacy case the ctr_get_width function was not
+defined, but it is used in arch_perf_update_userpage.
+
+Also remove extra check in riscv_pmu_ctr_get_width_mask
+
+The Linux kernel CVE team has assigned CVE-2024-26796 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.6 with commit cc4c07c89aad and fixed in 6.6.21 with commit e0d17ee872cf
+ Issue introduced in 6.6 with commit cc4c07c89aad and fixed in 6.7.9 with commit e4f50e85de5a
+ Issue introduced in 6.6 with commit cc4c07c89aad and fixed in 6.8 with commit 682dc133f83e
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26796
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/perf/riscv_pmu.c
+ drivers/perf/riscv_pmu_legacy.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/e0d17ee872cf8d0f51cc561329b8e1a0aa792bbb
+ https://git.kernel.org/stable/c/e4f50e85de5a6b21dfdc0d7ca435eba4f62935c3
+ https://git.kernel.org/stable/c/682dc133f83e0194796e6ea72eb642df1c03dfbe
diff --git a/cve/published/2024/CVE-2024-26796.sha1 b/cve/published/2024/CVE-2024-26796.sha1
new file mode 100644
index 00000000..6f13e0f0
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26796.sha1
@@ -0,0 +1 @@
+682dc133f83e0194796e6ea72eb642df1c03dfbe
diff --git a/cve/reserved/2024/CVE-2024-26797 b/cve/published/2024/CVE-2024-26797
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26797
+++ b/cve/published/2024/CVE-2024-26797
diff --git a/cve/published/2024/CVE-2024-26797.json b/cve/published/2024/CVE-2024-26797.json
new file mode 100644
index 00000000..e16b9eea
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26797.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Prevent potential buffer overflow in map_hw_resources\n\nAdds a check in the map_hw_resources function to prevent a potential\nbuffer overflow. The function was accessing arrays using an index that\ncould potentially be greater than the size of the arrays, leading to a\nbuffer overflow.\n\nAdds a check to ensure that the index is within the bounds of the\narrays. If the index is out of bounds, an error message is printed and\nbreak it will continue execution with just ignoring extra data early to\nprevent the buffer overflow.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:79 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_stream_id' 6 <= 7\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:81 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_plane_id' 6 <= 7"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "7966f319c66d",
+ "lessThan": "50a6302cf881",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7966f319c66d",
+ "lessThan": "0f8ca019544a",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/50a6302cf881f67f1410461a68fe9eabd00ff31d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0f8ca019544a252d1afb468ce840c6dcbac73af4"
+ }
+ ],
+ "title": "drm/amd/display: Prevent potential buffer overflow in map_hw_resources",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26797",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26797.mbox b/cve/published/2024/CVE-2024-26797.mbox
new file mode 100644
index 00000000..f9cb7dc2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26797.mbox
@@ -0,0 +1,76 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26797: drm/amd/display: Prevent potential buffer overflow in map_hw_resources
+Message-Id: <2024040402-CVE-2024-26797-704f@gregkh>
+Content-Length: 2482
+Lines: 59
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2542;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=jwVp4H/TpJl4M3/0wEZ3XWWFjbHEU0+pSA2k0UVCRUg=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yWnFUzOtjaes4Pu0mWsVQ1bOCe45NXYmi0qNIu3id
+ 4QcNhXoiGVhEGRikBVTZPmyjefo/opDil6Gtqdh5rAygQxh4OIUgInsms8wP/VG9a/1ZkuVHfiy
+ hL5ZfFx6wGbHZIY5PMrXbZcemqHZ0Vw4I+/14mcduw2DAQ==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+drm/amd/display: Prevent potential buffer overflow in map_hw_resources
+
+Adds a check in the map_hw_resources function to prevent a potential
+buffer overflow. The function was accessing arrays using an index that
+could potentially be greater than the size of the arrays, leading to a
+buffer overflow.
+
+Adds a check to ensure that the index is within the bounds of the
+arrays. If the index is out of bounds, an error message is printed and
+break it will continue execution with just ignoring extra data early to
+prevent the buffer overflow.
+
+Reported by smatch:
+drivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:79 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_stream_id' 6 <= 7
+drivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:81 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_plane_id' 6 <= 7
+
+The Linux kernel CVE team has assigned CVE-2024-26797 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.7 with commit 7966f319c66d and fixed in 6.7.9 with commit 50a6302cf881
+ Issue introduced in 6.7 with commit 7966f319c66d and fixed in 6.8 with commit 0f8ca019544a
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26797
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/50a6302cf881f67f1410461a68fe9eabd00ff31d
+ https://git.kernel.org/stable/c/0f8ca019544a252d1afb468ce840c6dcbac73af4
diff --git a/cve/published/2024/CVE-2024-26797.sha1 b/cve/published/2024/CVE-2024-26797.sha1
new file mode 100644
index 00000000..2ff472cd
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26797.sha1
@@ -0,0 +1 @@
+0f8ca019544a252d1afb468ce840c6dcbac73af4
diff --git a/cve/reserved/2024/CVE-2024-26798 b/cve/published/2024/CVE-2024-26798
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26798
+++ b/cve/published/2024/CVE-2024-26798
diff --git a/cve/published/2024/CVE-2024-26798.json b/cve/published/2024/CVE-2024-26798.json
new file mode 100644
index 00000000..558582ec
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26798.json
@@ -0,0 +1,123 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: always restore the old font data in fbcon_do_set_font()\n\nCommit a5a923038d70 (fbdev: fbcon: Properly revert changes when\nvc_resize() failed) started restoring old font data upon failure (of\nvc_resize()). But it performs so only for user fonts. It means that the\n\"system\"/internal fonts are not restored at all. So in result, the very\nfirst call to fbcon_do_set_font() performs no restore at all upon\nfailing vc_resize().\n\nThis can be reproduced by Syzkaller to crash the system on the next\ninvocation of font_get(). It's rather hard to hit the allocation failure\nin vc_resize() on the first font_set(), but not impossible. Esp. if\nfault injection is used to aid the execution/failure. It was\ndemonstrated by Sirius:\n BUG: unable to handle page fault for address: fffffffffffffff8\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0\n Oops: 0000 [#1] PREEMPT SMP KASAN\n CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286\n Call Trace:\n <TASK>\n con_font_get drivers/tty/vt/vt.c:4558 [inline]\n con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673\n vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]\n vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752\n tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803\n vfs_ioctl fs/ioctl.c:51 [inline]\n ...\n\nSo restore the font data in any case, not only for user fonts. Note the\nlater 'if' is now protected by 'old_userfont' and not 'old_data' as the\nlatter is always set now. (And it is supposed to be non-NULL. Otherwise\nwe would see the bug above again.)"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "ebd6f886aa24",
+ "lessThan": "20a4b5214f7b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a5a923038d70",
+ "lessThan": "2f91a96b892f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a5a923038d70",
+ "lessThan": "73a6bd68a134",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a5a923038d70",
+ "lessThan": "a2c881413dcc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a5a923038d70",
+ "lessThan": "00d6a284fcf3",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f"
+ }
+ ],
+ "title": "fbcon: always restore the old font data in fbcon_do_set_font()",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26798",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
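Review bot: The `versions` array of the second `affected` object (the one with `"defaultStatus": "affected"` and `versionType: custom` entries) carries no lower bound: unlike the CVE-2024-26797 record in this same commit, which has `"version": "0", "lessThan": "6.7", "status": "unaffected"`, this one lists only the fixed ranges starting at 5.15.151, so every release before that — including 5.15.0 through 5.15.63 and all earlier series — is implicitly marked affected, while the accompanying mbox states the issue was introduced in 5.15.64 (ebd6f886aa24) and 6.0 (a5a923038d70). Presumably the generator drops the `0 … unaffected` entry because the introduction point differs per stable branch, but the result overstates the affected range for anyone consuming the JSON; an entry such as `{"version": "0", "lessThan": "5.15.64", "status": "unaffected", "versionType": "custom"}` would restore a bound, with the intermediate series handled per branch according to the introduction points the mbox gives. The mbox additionally lists an introduction in 5.19.6 with commit f08ccb792d3e that has no counterpart in the git-range list above; if that branch is deliberately left out because no fix exists for it, recording the open-ended range here would keep the two files consistent.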
diff --git a/cve/published/2024/CVE-2024-26798.mbox b/cve/published/2024/CVE-2024-26798.mbox
new file mode 100644
index 00000000..f680a9a6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26798.mbox
@@ -0,0 +1,104 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26798: fbcon: always restore the old font data in fbcon_do_set_font()
+Message-Id: <2024040402-CVE-2024-26798-191e@gregkh>
+Content-Length: 3877
+Lines: 87
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3965;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=aESZUt8C+dxFXEIJ5H2vJVcIZQ3MBt6zidFlrySaKsM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yWmK/0O4vXdsy2XwX9Nk8aL/Wc7MkwX94RWWxRdzU
+ uU26a/uiGVhEGRikBVTZPmyjefo/opDil6Gtqdh5rAygQxh4OIUgInclGGYH/8nReyD37ENYtXe
+ sQJTX7asPpMRzTBXfEfjEcPVi29sDdp9wH6SSs7/9bY6AA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+fbcon: always restore the old font data in fbcon_do_set_font()
+
+Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when
+vc_resize() failed) started restoring old font data upon failure (of
+vc_resize()). But it performs so only for user fonts. It means that the
+"system"/internal fonts are not restored at all. So in result, the very
+first call to fbcon_do_set_font() performs no restore at all upon
+failing vc_resize().
+
+This can be reproduced by Syzkaller to crash the system on the next
+invocation of font_get(). It's rather hard to hit the allocation failure
+in vc_resize() on the first font_set(), but not impossible. Esp. if
+fault injection is used to aid the execution/failure. It was
+demonstrated by Sirius:
+ BUG: unable to handle page fault for address: fffffffffffffff8
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0
+ Oops: 0000 [#1] PREEMPT SMP KASAN
+ CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+ RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286
+ Call Trace:
+ <TASK>
+ con_font_get drivers/tty/vt/vt.c:4558 [inline]
+ con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673
+ vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
+ vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752
+ tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ ...
+
+So restore the font data in any case, not only for user fonts. Note the
+later 'if' is now protected by 'old_userfont' and not 'old_data' as the
+latter is always set now. (And it is supposed to be non-NULL. Otherwise
+we would see the bug above again.)
+
+The Linux kernel CVE team has assigned CVE-2024-26798 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.15.64 with commit ebd6f886aa24 and fixed in 5.15.151 with commit 20a4b5214f7b
+ Issue introduced in 6.0 with commit a5a923038d70 and fixed in 6.1.81 with commit 2f91a96b892f
+ Issue introduced in 6.0 with commit a5a923038d70 and fixed in 6.6.21 with commit 73a6bd68a134
+ Issue introduced in 6.0 with commit a5a923038d70 and fixed in 6.7.9 with commit a2c881413dcc
+ Issue introduced in 6.0 with commit a5a923038d70 and fixed in 6.8 with commit 00d6a284fcf3
+ Issue introduced in 5.19.6 with commit f08ccb792d3e
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26798
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/video/fbdev/core/fbcon.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d
+ https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b
+ https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520
+ https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8
+ https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f
diff --git a/cve/published/2024/CVE-2024-26798.sha1 b/cve/published/2024/CVE-2024-26798.sha1
new file mode 100644
index 00000000..079e42bb
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26798.sha1
@@ -0,0 +1 @@
+00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f
diff --git a/cve/reserved/2024/CVE-2024-26799 b/cve/published/2024/CVE-2024-26799
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26799
+++ b/cve/published/2024/CVE-2024-26799
diff --git a/cve/published/2024/CVE-2024-26799.json b/cve/published/2024/CVE-2024-26799.json
new file mode 100644
index 00000000..2d6aa59c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26799.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: Fix uninitialized pointer dmactl\n\nIn the case where __lpass_get_dmactl_handle is called and the driver\nid dai_id is invalid the pointer dmactl is not being assigned a value,\nand dmactl contains a garbage value since it has not been initialized\nand so the null check may not work. Fix this to initialize dmactl to\nNULL. One could argue that modern compilers will set this to zero, but\nit is useful to keep this initialized as per the same way in functions\n__lpass_platform_codec_intf_init and lpass_cdc_dma_daiops_hw_params.\n\nCleans up clang scan build warning:\nsound/soc/qcom/lpass-cdc-dma.c:275:7: warning: Branch condition\nevaluates to a garbage value [core.uninitialized.Branch]"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "b81af585ea54",
+ "lessThan": "99adc8b4d2f3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b81af585ea54",
+ "lessThan": "d5a7726e6ea6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b81af585ea54",
+ "lessThan": "1382d8b55129",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.18",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.18",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/99adc8b4d2f38bf0d06483ec845bc48f60c3f8cf"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d5a7726e6ea62d447b79ab5baeb537ea6bdb225b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1382d8b55129875b2e07c4d2a7ebc790183769ee"
+ }
+ ],
+ "title": "ASoC: qcom: Fix uninitialized pointer dmactl",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26799",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26799.mbox b/cve/published/2024/CVE-2024-26799.mbox
new file mode 100644
index 00000000..851ea7c6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26799.mbox
@@ -0,0 +1,76 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26799: ASoC: qcom: Fix uninitialized pointer dmactl
+Message-Id: <2024040403-CVE-2024-26799-1fd6@gregkh>
+Content-Length: 2413
+Lines: 59
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2473;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=FZMYjs9tacFiyoTKeIBu0Nrhs5z23uqIlgA8FHbmNzw=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yem2HSdlfEKEjb7dzhQpjlF+XbV4pVF/rXzU2uc/p
+ ja8NqjtiGVhEGRikBVTZPmyjefo/opDil6Gtqdh5rAygQxh4OIUgImYPWSY7/DH6/kLmQnaR6bP
+ 97qTV6Aad/igH8McDk0HG45Fz1N6o73e1O5gFUwMdi8HAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ASoC: qcom: Fix uninitialized pointer dmactl
+
+In the case where __lpass_get_dmactl_handle is called and the driver
+id dai_id is invalid the pointer dmactl is not being assigned a value,
+and dmactl contains a garbage value since it has not been initialized
+and so the null check may not work. Fix this to initialize dmactl to
+NULL. One could argue that modern compilers will set this to zero, but
+it is useful to keep this initialized as per the same way in functions
+__lpass_platform_codec_intf_init and lpass_cdc_dma_daiops_hw_params.
+
+Cleans up clang scan build warning:
+sound/soc/qcom/lpass-cdc-dma.c:275:7: warning: Branch condition
+evaluates to a garbage value [core.uninitialized.Branch]
+
+The Linux kernel CVE team has assigned CVE-2024-26799 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.18 with commit b81af585ea54 and fixed in 6.6.21 with commit 99adc8b4d2f3
+ Issue introduced in 5.18 with commit b81af585ea54 and fixed in 6.7.9 with commit d5a7726e6ea6
+ Issue introduced in 5.18 with commit b81af585ea54 and fixed in 6.8 with commit 1382d8b55129
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26799
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ sound/soc/qcom/lpass-cdc-dma.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/99adc8b4d2f38bf0d06483ec845bc48f60c3f8cf
+ https://git.kernel.org/stable/c/d5a7726e6ea62d447b79ab5baeb537ea6bdb225b
+ https://git.kernel.org/stable/c/1382d8b55129875b2e07c4d2a7ebc790183769ee
diff --git a/cve/published/2024/CVE-2024-26799.sha1 b/cve/published/2024/CVE-2024-26799.sha1
new file mode 100644
index 00000000..b0a68662
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26799.sha1
@@ -0,0 +1 @@
+1382d8b55129875b2e07c4d2a7ebc790183769ee
diff --git a/cve/reserved/2024/CVE-2024-26800 b/cve/published/2024/CVE-2024-26800
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26800
+++ b/cve/published/2024/CVE-2024-26800
diff --git a/cve/published/2024/CVE-2024-26800.json b/cve/published/2024/CVE-2024-26800.json
new file mode 100644
index 00000000..4271a0a5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26800.json
@@ -0,0 +1,78 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "13eca403876b",
+ "lessThan": "81be85353b0f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ab6397f072e5",
+ "lessThan": "1ac9fb84bc7e",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6.18",
+ "lessThan": "6.6.21",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThan": "6.7.9",
+ "status": "affected",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1"
+ }
+ ],
+ "title": "tls: fix use-after-free on failed backlog decryption",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26800",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26800.mbox b/cve/published/2024/CVE-2024-26800.mbox
new file mode 100644
index 00000000..92fb2396
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26800.mbox
@@ -0,0 +1,77 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26800: tls: fix use-after-free on failed backlog decryption
+Message-Id: <2024040403-CVE-2024-26800-0bf4@gregkh>
+Content-Length: 2433
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2494;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=bguObsACvehO5nd0z5BaqcaYKrLBh2lhWpMlrdQFZdo=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yek+/1WtxfyNpxxTNGF8y7/wxlTBU8v3X3JZeejds
+ RPuQnZbO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiatkMC2a4TNjeFZ6dnDLN
+ fMWS6avTWm8+DmZYcFlp2Rmb4z7/je4Fd93JFw78o3lRHQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+tls: fix use-after-free on failed backlog decryption
+
+When the decrypt request goes to the backlog and crypto_aead_decrypt
+returns -EBUSY, tls_do_decryption will wait until all async
+decryptions have completed. If one of them fails, tls_do_decryption
+will return -EBADMSG and tls_decrypt_sg jumps to the error path,
+releasing all the pages. But the pages have been passed to the async
+callback, and have already been released by tls_decrypt_done.
+
+The only true async case is when crypto_aead_decrypt returns
+ -EINPROGRESS. With -EBUSY, we already waited so we can tell
+tls_sw_recvmsg that the data is available for immediate copy, but we
+need to notify tls_decrypt_sg (via the new ->async_done flag) that the
+memory has already been released.
+
+The Linux kernel CVE team has assigned CVE-2024-26800 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.6.18 with commit 13eca403876b and fixed in 6.6.21 with commit 81be85353b0f
+ Issue introduced in 6.7.6 with commit ab6397f072e5 and fixed in 6.7.9 with commit 1ac9fb84bc7e
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26800
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/tls/tls_sw.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89
+ https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe
+ https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1
+ https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0
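Review bot: The mitigation list at the end of this announcement names four fix commits (f2b85a4cc763, 81be85353b0f, 1ac9fb84bc7e and 13114dc55430), but the "Affected and fixed versions" section above it lists only the 6.6.18–6.6.21 and 6.7.6–6.7.9 ranges, and the companion JSON record carries just two git ranges and two references. If f2b85a4cc763 is a 6.1.y backport and 13114dc55430 (the commit recorded in the .sha1 file) is the mainline fix, then the JSON's `"defaultStatus": "unaffected"` would lead downstream scanners to treat 6.1.x and the 6.8-rc series as unaffected, which the mitigation list appears to contradict. Suggest re-running the generator so the affected ranges and references cover every commit in the mitigation list, or dropping the two extra commits from the mitigation section if they do not actually apply to this issue.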
diff --git a/cve/published/2024/CVE-2024-26800.sha1 b/cve/published/2024/CVE-2024-26800.sha1
new file mode 100644
index 00000000..13c1145e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26800.sha1
@@ -0,0 +1 @@
+13114dc5543069f7b97991e3b79937b6da05f5b0
diff --git a/cve/reserved/2024/CVE-2024-26801 b/cve/published/2024/CVE-2024-26801
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26801
+++ b/cve/published/2024/CVE-2024-26801
diff --git a/cve/published/2024/CVE-2024-26801.json b/cve/published/2024/CVE-2024-26801.json
new file mode 100644
index 00000000..d2e01561
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26801.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Avoid potential use-after-free in hci_error_reset\n\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\n\nHere's the call trace observed on a ChromeOS device with Intel AX201:\n queue_work_on+0x3e/0x6c\n __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]\n ? init_wait_entry+0x31/0x31\n __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]\n hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]\n process_one_work+0x1d8/0x33f\n worker_thread+0x21b/0x373\n kthread+0x13a/0x152\n ? pr_cont_work+0x54/0x54\n ? kthread_blkcg+0x31/0x31\n ret_from_fork+0x1f/0x30\n\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "c7741d16a57c",
+ "lessThan": "e0b278650f07",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c7741d16a57c",
+ "lessThan": "98fb98fd37e4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c7741d16a57c",
+ "lessThan": "6dd0a9dfa99f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c7741d16a57c",
+ "lessThan": "da4569d450b1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c7741d16a57c",
+ "lessThan": "45085686b955",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c7741d16a57c",
+ "lessThan": "2ab9a19d896f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c7741d16a57c",
+ "lessThan": "dd594cdc24f2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c7741d16a57c",
+ "lessThan": "2449007d3f73",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.0",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.0",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.309",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.271",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.212",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592"
+ }
+ ],
+ "title": "Bluetooth: Avoid potential use-after-free in hci_error_reset",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26801",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26801.mbox b/cve/published/2024/CVE-2024-26801.mbox
new file mode 100644
index 00000000..99e6b031
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26801.mbox
@@ -0,0 +1,94 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26801: Bluetooth: Avoid potential use-after-free in hci_error_reset
+Message-Id: <2024040403-CVE-2024-26801-da9f@gregkh>
+Content-Length: 3411
+Lines: 77
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3489;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=D9DYizEZDAB89opehCc0TA6iDuxCLKUYdvC/tbKMim4=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yemsHde2VfhP72pU+19fen3aVJVLkrnLGnaW1Mf7X
+ 7pg8u1ARywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzkwgGGOVxJ28W2Clmpi2/3
+ /nfhqtVUtp5wIYZ5mhHBRX4XFc15IyvObt8uUb+wUUgfAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+Bluetooth: Avoid potential use-after-free in hci_error_reset
+
+While handling the HCI_EV_HARDWARE_ERROR event, if the underlying
+BT controller is not responding, the GPIO reset mechanism would
+free the hci_dev and lead to a use-after-free in hci_error_reset.
+
+Here's the call trace observed on a ChromeOS device with Intel AX201:
+ queue_work_on+0x3e/0x6c
+ __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]
+ ? init_wait_entry+0x31/0x31
+ __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>]
+ hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>]
+ process_one_work+0x1d8/0x33f
+ worker_thread+0x21b/0x373
+ kthread+0x13a/0x152
+ ? pr_cont_work+0x54/0x54
+ ? kthread_blkcg+0x31/0x31
+ ret_from_fork+0x1f/0x30
+
+This patch holds the reference count on the hci_dev while processing
+a HCI_EV_HARDWARE_ERROR event to avoid potential crash.
+
+The Linux kernel CVE team has assigned CVE-2024-26801 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.0 with commit c7741d16a57c and fixed in 4.19.309 with commit e0b278650f07
+ Issue introduced in 4.0 with commit c7741d16a57c and fixed in 5.4.271 with commit 98fb98fd37e4
+ Issue introduced in 4.0 with commit c7741d16a57c and fixed in 5.10.212 with commit 6dd0a9dfa99f
+ Issue introduced in 4.0 with commit c7741d16a57c and fixed in 5.15.151 with commit da4569d450b1
+ Issue introduced in 4.0 with commit c7741d16a57c and fixed in 6.1.81 with commit 45085686b955
+ Issue introduced in 4.0 with commit c7741d16a57c and fixed in 6.6.21 with commit 2ab9a19d896f
+ Issue introduced in 4.0 with commit c7741d16a57c and fixed in 6.7.9 with commit dd594cdc24f2
+ Issue introduced in 4.0 with commit c7741d16a57c and fixed in 6.8 with commit 2449007d3f73
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26801
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/bluetooth/hci_core.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03
+ https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090
+ https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2
+ https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14
+ https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1
+ https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b
+ https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1
+ https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592
diff --git a/cve/published/2024/CVE-2024-26801.sha1 b/cve/published/2024/CVE-2024-26801.sha1
new file mode 100644
index 00000000..9ea0e6b4
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26801.sha1
@@ -0,0 +1 @@
+2449007d3f73b2842c9734f45f0aadb522daf592
diff --git a/cve/reserved/2024/CVE-2024-26802 b/cve/published/2024/CVE-2024-26802
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26802
+++ b/cve/published/2024/CVE-2024-26802
diff --git a/cve/published/2024/CVE-2024-26802.json b/cve/published/2024/CVE-2024-26802.json
new file mode 100644
index 00000000..68e5d04b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26802.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstmmac: Clear variable when destroying workqueue\n\nCurrently when suspending driver and stopping workqueue it is checked whether\nworkqueue is not NULL and if so, it is destroyed.\nFunction destroy_workqueue() does drain queue and does clear variable, but\nit does not set workqueue variable to NULL. This can cause kernel/module\npanic if code attempts to clear workqueue that was not initialized.\n\nThis scenario is possible when resuming suspended driver in stmmac_resume(),\nbecause there is no handling for failed stmmac_hw_setup(),\nwhich can fail and return if DMA engine has failed to initialize,\nand workqueue is initialized after DMA engine.\nShould DMA engine fail to initialize, resume will proceed normally,\nbut interface won't work and TX queue will eventually timeout,\ncausing 'Reset adapter' error.\nThis then does destroy workqueue during reset process.\nAnd since workqueue is initialized after DMA engine and can be skipped,\nit will cause kernel/module panic.\n\nTo secure against this possible crash, set workqueue variable to NULL when\ndestroying workqueue.\n\nLog/backtrace from crash goes as follows:\n[88.031977]------------[ cut here ]------------\n[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out\n[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398\n <Skipping backtrace for watchdog timeout>\n[88.032251]---[ end trace e70de432e4d5c2c0 ]---\n[88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.\n[88.036359]------------[ cut here ]------------\n[88.036519]Call trace:\n[88.036523] flush_workqueue+0x3e4/0x430\n[88.036528] drain_workqueue+0xc4/0x160\n[88.036533] destroy_workqueue+0x40/0x270\n[88.036537] stmmac_fpe_stop_wq+0x4c/0x70\n[88.036541] stmmac_release+0x278/0x280\n[88.036546] __dev_close_many+0xcc/0x158\n[88.036551] dev_close_many+0xbc/0x190\n[88.036555] dev_close.part.0+0x70/0xc0\n[88.036560] 
dev_close+0x24/0x30\n[88.036564] stmmac_service_task+0x110/0x140\n[88.036569] process_one_work+0x1d8/0x4a0\n[88.036573] worker_thread+0x54/0x408\n[88.036578] kthread+0x164/0x170\n[88.036583] ret_from_fork+0x10/0x20\n[88.036588]---[ end trace e70de432e4d5c2c1 ]---\n[88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5a5586112b92",
+ "lessThan": "8e9955630117",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5a5586112b92",
+ "lessThan": "17ccd9798fe0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5a5586112b92",
+ "lessThan": "699b103e48ce",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5a5586112b92",
+ "lessThan": "f72cf22dccc9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5a5586112b92",
+ "lessThan": "8af411bbba1f",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.13",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.13",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/8e99556301172465c8fe33c7f78c39a3d4ce8462"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/17ccd9798fe0beda3db212cfa3ebe373f605cbd6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/699b103e48ce32d03fc86c35b37ee8ae4288c7e3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f72cf22dccc94038cbbaa1029cb575bf52e5cbc8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8af411bbba1f457c33734795f024d0ef26d0963f"
+ }
+ ],
+ "title": "stmmac: Clear variable when destroying workqueue",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26802",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26802.mbox b/cve/published/2024/CVE-2024-26802.mbox
new file mode 100644
index 00000000..1d85d00a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26802.mbox
@@ -0,0 +1,114 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26802: stmmac: Clear variable when destroying workqueue
+Message-Id: <2024040403-CVE-2024-26802-b3da@gregkh>
+Content-Length: 4309
+Lines: 97
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4407;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=+e2vG4tCQaHsVCk2vFM+wuQLOCDfcUuBuhVC9FGmQ6w=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yemyAiVOTm4X86zk5j6aWdc9pVnRPab1YJdD8a2ql
+ n2M3qYdsSwMgkwMsmKKLF+28RzdX3FI0cvQ9jTMHFYmkCEMXJwCMJHrbQwLdnRVy9Q570nMmeC8
+ 31DttxbrqrL3DAsmPku3qt2p8F1vp7Tr8YJXFte81LUB
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+stmmac: Clear variable when destroying workqueue
+
+Currently when suspending driver and stopping workqueue it is checked whether
+workqueue is not NULL and if so, it is destroyed.
+Function destroy_workqueue() does drain queue and does clear variable, but
+it does not set workqueue variable to NULL. This can cause kernel/module
+panic if code attempts to clear workqueue that was not initialized.
+
+This scenario is possible when resuming suspended driver in stmmac_resume(),
+because there is no handling for failed stmmac_hw_setup(),
+which can fail and return if DMA engine has failed to initialize,
+and workqueue is initialized after DMA engine.
+Should DMA engine fail to initialize, resume will proceed normally,
+but interface won't work and TX queue will eventually timeout,
+causing 'Reset adapter' error.
+This then does destroy workqueue during reset process.
+And since workqueue is initialized after DMA engine and can be skipped,
+it will cause kernel/module panic.
+
+To secure against this possible crash, set workqueue variable to NULL when
+destroying workqueue.
+
+Log/backtrace from crash goes as follows:
+[88.031977]------------[ cut here ]------------
+[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out
+[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398
+ <Skipping backtrace for watchdog timeout>
+[88.032251]---[ end trace e70de432e4d5c2c0 ]---
+[88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.
+[88.036359]------------[ cut here ]------------
+[88.036519]Call trace:
+[88.036523] flush_workqueue+0x3e4/0x430
+[88.036528] drain_workqueue+0xc4/0x160
+[88.036533] destroy_workqueue+0x40/0x270
+[88.036537] stmmac_fpe_stop_wq+0x4c/0x70
+[88.036541] stmmac_release+0x278/0x280
+[88.036546] __dev_close_many+0xcc/0x158
+[88.036551] dev_close_many+0xbc/0x190
+[88.036555] dev_close.part.0+0x70/0xc0
+[88.036560] dev_close+0x24/0x30
+[88.036564] stmmac_service_task+0x110/0x140
+[88.036569] process_one_work+0x1d8/0x4a0
+[88.036573] worker_thread+0x54/0x408
+[88.036578] kthread+0x164/0x170
+[88.036583] ret_from_fork+0x10/0x20
+[88.036588]---[ end trace e70de432e4d5c2c1 ]---
+[88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
+
+The Linux kernel CVE team has assigned CVE-2024-26802 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.13 with commit 5a5586112b92 and fixed in 5.15.151 with commit 8e9955630117
+ Issue introduced in 5.13 with commit 5a5586112b92 and fixed in 6.1.81 with commit 17ccd9798fe0
+ Issue introduced in 5.13 with commit 5a5586112b92 and fixed in 6.6.21 with commit 699b103e48ce
+ Issue introduced in 5.13 with commit 5a5586112b92 and fixed in 6.7.9 with commit f72cf22dccc9
+ Issue introduced in 5.13 with commit 5a5586112b92 and fixed in 6.8 with commit 8af411bbba1f
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26802
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/8e99556301172465c8fe33c7f78c39a3d4ce8462
+ https://git.kernel.org/stable/c/17ccd9798fe0beda3db212cfa3ebe373f605cbd6
+ https://git.kernel.org/stable/c/699b103e48ce32d03fc86c35b37ee8ae4288c7e3
+ https://git.kernel.org/stable/c/f72cf22dccc94038cbbaa1029cb575bf52e5cbc8
+ https://git.kernel.org/stable/c/8af411bbba1f457c33734795f024d0ef26d0963f
diff --git a/cve/published/2024/CVE-2024-26802.sha1 b/cve/published/2024/CVE-2024-26802.sha1
new file mode 100644
index 00000000..2c3c7a50
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26802.sha1
@@ -0,0 +1 @@
+8af411bbba1f457c33734795f024d0ef26d0963f
diff --git a/cve/reserved/2024/CVE-2024-26803 b/cve/published/2024/CVE-2024-26803
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26803
+++ b/cve/published/2024/CVE-2024-26803
diff --git a/cve/published/2024/CVE-2024-26803.json b/cve/published/2024/CVE-2024-26803.json
new file mode 100644
index 00000000..a101033b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26803.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: veth: clear GRO when clearing XDP even when down\n\nveth sets NETIF_F_GRO automatically when XDP is enabled,\nbecause both features use the same NAPI machinery.\n\nThe logic to clear NETIF_F_GRO sits in veth_disable_xdp() which\nis called both on ndo_stop and when XDP is turned off.\nTo avoid the flag from being cleared when the device is brought\ndown, the clearing is skipped when IFF_UP is not set.\nBringing the device down should indeed not modify its features.\n\nUnfortunately, this means that clearing is also skipped when\nXDP is disabled _while_ the device is down. And there's nothing\non the open path to bring the device features back into sync.\nIOW if user enables XDP, disables it and then brings the device\nup we'll end up with a stray GRO flag set but no NAPI instances.\n\nWe don't depend on the GRO flag on the datapath, so the datapath\nwon't crash. We will crash (or hang), however, next time features\nare sync'ed (either by user via ethtool or peer changing its config).\nThe GRO flag will go away, and veth will try to disable the NAPIs.\nBut the open path never created them since XDP was off, the GRO flag\nwas a stray. If NAPI was initialized before we'll hang in napi_disable().\nIf it never was we'll crash trying to stop uninitialized hrtimer.\n\nMove the GRO flag updates to the XDP enable / disable paths,\ninstead of mixing them with the ndo_open / ndo_close paths."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "d3256efd8e8b",
+ "lessThan": "f011c103e654",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d3256efd8e8b",
+ "lessThan": "7985d73961bb",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d3256efd8e8b",
+ "lessThan": "16edf51f33f5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d3256efd8e8b",
+ "lessThan": "8f7a3894e58e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d3256efd8e8b",
+ "lessThan": "fe9f801355f0",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.13",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.13",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736"
+ }
+ ],
+ "title": "net: veth: clear GRO when clearing XDP even when down",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26803",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26803.mbox b/cve/published/2024/CVE-2024-26803.mbox
new file mode 100644
index 00000000..0f0d95f6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26803.mbox
@@ -0,0 +1,94 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26803: net: veth: clear GRO when clearing XDP even when down
+Message-Id: <2024040404-CVE-2024-26803-9985@gregkh>
+Content-Length: 3431
+Lines: 77
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3509;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=JXwakAyiTFMaNr+UeZsnsWgaWaR2kWUCvV8xqrweIPs=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yRmnxVclGrf9frn2yas7oTu5rzOum6sX93+OmYmWt
+ 1LGr0vTOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAi78oY5orOk7Oa3LnQ/6Bi
+ nV4BZ+t879lX9BjmGVeubr+ULzFxS5/GbLH34tFb8tmTAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net: veth: clear GRO when clearing XDP even when down
+
+veth sets NETIF_F_GRO automatically when XDP is enabled,
+because both features use the same NAPI machinery.
+
+The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which
+is called both on ndo_stop and when XDP is turned off.
+To avoid the flag from being cleared when the device is brought
+down, the clearing is skipped when IFF_UP is not set.
+Bringing the device down should indeed not modify its features.
+
+Unfortunately, this means that clearing is also skipped when
+XDP is disabled _while_ the device is down. And there's nothing
+on the open path to bring the device features back into sync.
+IOW if user enables XDP, disables it and then brings the device
+up we'll end up with a stray GRO flag set but no NAPI instances.
+
+We don't depend on the GRO flag on the datapath, so the datapath
+won't crash. We will crash (or hang), however, next time features
+are sync'ed (either by user via ethtool or peer changing its config).
+The GRO flag will go away, and veth will try to disable the NAPIs.
+But the open path never created them since XDP was off, the GRO flag
+was a stray. If NAPI was initialized before we'll hang in napi_disable().
+If it never was we'll crash trying to stop uninitialized hrtimer.
+
+Move the GRO flag updates to the XDP enable / disable paths,
+instead of mixing them with the ndo_open / ndo_close paths.
+
+The Linux kernel CVE team has assigned CVE-2024-26803 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.13 with commit d3256efd8e8b and fixed in 5.15.151 with commit f011c103e654
+ Issue introduced in 5.13 with commit d3256efd8e8b and fixed in 6.1.81 with commit 7985d73961bb
+ Issue introduced in 5.13 with commit d3256efd8e8b and fixed in 6.6.21 with commit 16edf51f33f5
+ Issue introduced in 5.13 with commit d3256efd8e8b and fixed in 6.7.9 with commit 8f7a3894e58e
+ Issue introduced in 5.13 with commit d3256efd8e8b and fixed in 6.8 with commit fe9f801355f0
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26803
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/veth.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c
+ https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325
+ https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664
+ https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941
+ https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736
diff --git a/cve/published/2024/CVE-2024-26803.sha1 b/cve/published/2024/CVE-2024-26803.sha1
new file mode 100644
index 00000000..c30be189
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26803.sha1
@@ -0,0 +1 @@
+fe9f801355f0b47668419f30f1fac1cf4539e736
diff --git a/cve/reserved/2024/CVE-2024-26804 b/cve/published/2024/CVE-2024-26804
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26804
+++ b/cve/published/2024/CVE-2024-26804
diff --git a/cve/published/2024/CVE-2024-26804.json b/cve/published/2024/CVE-2024-26804.json
new file mode 100644
index 00000000..beeac08b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26804.json
@@ -0,0 +1,163 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: prevent perpetual headroom growth\n\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\n kasan_report+0xda/0x110 mm/kasan/report.c:588\n __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\n skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n ___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\n skb_get_hash include/linux/skbuff.h:1556 [inline]\n ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\n ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n ...\n ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n ..\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\n ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n ...\n\nThe splat occurs because skb->data points past skb->head allocated area.\nThis is because neigh layer does:\n __skb_pull(skb, skb_network_offset(skb));\n\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned. 
IOW, we skb->data gets \"adjusted\" by a huge value.\n\nThe negative value is returned because skb->head and skb->data distance is\nmore than 64k and skb->network_header (u16) has wrapped around.\n\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev->needed_headroom to increment ad infinitum.\n\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel. The ipip encapsulation finds gre0 as next output device.\n\nThis results in the following pattern:\n\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\n\n2).\nip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future\noutput device, rt.dev->needed_headroom (ipip0).\n\n3).\nip output / start_xmit moves skb on to ipip0. which runs the same\ncode path again (xmit recursion).\n\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\n\ntunl0->needed_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\n\nThis repeats for every future packet:\n\ngre0->needed_headroom gets inflated because previous packets' ipip0 step\nincremented rt->dev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\n\nFor each subsequent packet, gre/ipip0->needed_headroom grows until\npost-expand-head reallocations result in a skb->head/data distance of\nmore than 64k.\n\nOnce that happens, skb->network_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\n\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\n\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb->data point to a memory location outside\nskb->head area.\n\nv2: Cap the needed_headroom update to an arbitarily 
chosen upperlimit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "243aad830e8a",
+ "lessThan": "f81e94d2dcd2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "243aad830e8a",
+ "lessThan": "2e95350fe9db",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "243aad830e8a",
+ "lessThan": "afec0c5cd2ed",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "243aad830e8a",
+ "lessThan": "ab63de24ebea",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "243aad830e8a",
+ "lessThan": "a0a1db40b23e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "243aad830e8a",
+ "lessThan": "049d7989c67e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "243aad830e8a",
+ "lessThan": "5ae1e9922bbd",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.34",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.34",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.271",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.212",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/f81e94d2dcd2397137edcb8b85f4c5bed5d22383"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2e95350fe9db9d53c701075060ac8ac883b68aee"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/afec0c5cd2ed71ca95a8b36a5e6d03333bf34282"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ab63de24ebea36fe73ac7121738595d704b66d96"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/049d7989c67e8dd50f07a2096dbafdb41331fb9b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f"
+ }
+ ],
+ "title": "net: ip_tunnel: prevent perpetual headroom growth",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26804",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26804.mbox b/cve/published/2024/CVE-2024-26804.mbox
new file mode 100644
index 00000000..894e067e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26804.mbox
@@ -0,0 +1,166 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26804: net: ip_tunnel: prevent perpetual headroom growth
+Message-Id: <2024040404-CVE-2024-26804-a6ff@gregkh>
+Content-Length: 6284
+Lines: 149
+X-Developer-Signature: v=1; a=openpgp-sha256; l=6434;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=jYEJeL13Osg+Lg6nOaBIrk0GRvFHtl+sxbdjSwOvdwM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yRlcF+2urO/Mfakz+3dF9WE+G5+i8oerpzEv2yJZL
+ Cm2++u0jlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZgIUP08uxPblfnesWwVCtTI
+ mzTNdFF349ZnDPOzDNcZHKuZ0zohiUPx7HPFXUnym0oA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net: ip_tunnel: prevent perpetual headroom growth
+
+syzkaller triggered following kasan splat:
+BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
+Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191
+[..]
+ kasan_report+0xda/0x110 mm/kasan/report.c:588
+ __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170
+ skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]
+ ___skb_get_hash net/core/flow_dissector.c:1791 [inline]
+ __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856
+ skb_get_hash include/linux/skbuff.h:1556 [inline]
+ ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748
+ ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308
+ __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4954 [inline]
+ xmit_one net/core/dev.c:3548 [inline]
+ dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564
+ __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349
+ dev_queue_xmit include/linux/netdevice.h:3134 [inline]
+ neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592
+ ...
+ ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235
+ ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
+ ..
+ iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
+ ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831
+ ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665
+ __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4954 [inline]
+ xmit_one net/core/dev.c:3548 [inline]
+ dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564
+ ...
+
+The splat occurs because skb->data points past skb->head allocated area.
+This is because neigh layer does:
+ __skb_pull(skb, skb_network_offset(skb));
+
+... but skb_network_offset() returns a negative offset and __skb_pull()
+arg is unsigned. IOW, we skb->data gets "adjusted" by a huge value.
+
+The negative value is returned because skb->head and skb->data distance is
+more than 64k and skb->network_header (u16) has wrapped around.
+
+The bug is in the ip_tunnel infrastructure, which can cause
+dev->needed_headroom to increment ad infinitum.
+
+The syzkaller reproducer consists of packets getting routed via a gre
+tunnel, and route of gre encapsulated packets pointing at another (ipip)
+tunnel. The ipip encapsulation finds gre0 as next output device.
+
+This results in the following pattern:
+
+1). First packet is to be sent out via gre0.
+Route lookup found an output device, ipip0.
+
+2).
+ip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future
+output device, rt.dev->needed_headroom (ipip0).
+
+3).
+ip output / start_xmit moves skb on to ipip0. which runs the same
+code path again (xmit recursion).
+
+4).
+Routing step for the post-gre0-encap packet finds gre0 as output device
+to use for ipip0 encapsulated packet.
+
+tunl0->needed_headroom is then incremented based on the (already bumped)
+gre0 device headroom.
+
+This repeats for every future packet:
+
+gre0->needed_headroom gets inflated because previous packets' ipip0 step
+incremented rt->dev (gre0) headroom, and ipip0 incremented because gre0
+needed_headroom was increased.
+
+For each subsequent packet, gre/ipip0->needed_headroom grows until
+post-expand-head reallocations result in a skb->head/data distance of
+more than 64k.
+
+Once that happens, skb->network_header (u16) wraps around when
+pskb_expand_head tries to make sure that skb_network_offset() is unchanged
+after the headroom expansion/reallocation.
+
+After this skb_network_offset(skb) returns a different (and negative)
+result post headroom expansion.
+
+The next trip to neigh layer (or anything else that would __skb_pull the
+network header) makes skb->data point to a memory location outside
+skb->head area.
+
+v2: Cap the needed_headroom update to an arbitarily chosen upperlimit to
+prevent perpetual increase instead of dropping the headroom increment
+completely.
+
+The Linux kernel CVE team has assigned CVE-2024-26804 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.34 with commit 243aad830e8a and fixed in 5.4.271 with commit f81e94d2dcd2
+ Issue introduced in 2.6.34 with commit 243aad830e8a and fixed in 5.10.212 with commit 2e95350fe9db
+ Issue introduced in 2.6.34 with commit 243aad830e8a and fixed in 5.15.151 with commit afec0c5cd2ed
+ Issue introduced in 2.6.34 with commit 243aad830e8a and fixed in 6.1.81 with commit ab63de24ebea
+ Issue introduced in 2.6.34 with commit 243aad830e8a and fixed in 6.6.21 with commit a0a1db40b23e
+ Issue introduced in 2.6.34 with commit 243aad830e8a and fixed in 6.7.9 with commit 049d7989c67e
+ Issue introduced in 2.6.34 with commit 243aad830e8a and fixed in 6.8 with commit 5ae1e9922bbd
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26804
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/ipv4/ip_tunnel.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/f81e94d2dcd2397137edcb8b85f4c5bed5d22383
+ https://git.kernel.org/stable/c/2e95350fe9db9d53c701075060ac8ac883b68aee
+ https://git.kernel.org/stable/c/afec0c5cd2ed71ca95a8b36a5e6d03333bf34282
+ https://git.kernel.org/stable/c/ab63de24ebea36fe73ac7121738595d704b66d96
+ https://git.kernel.org/stable/c/a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9
+ https://git.kernel.org/stable/c/049d7989c67e8dd50f07a2096dbafdb41331fb9b
+ https://git.kernel.org/stable/c/5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f
diff --git a/cve/published/2024/CVE-2024-26804.sha1 b/cve/published/2024/CVE-2024-26804.sha1
new file mode 100644
index 00000000..d4336fa5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26804.sha1
@@ -0,0 +1 @@
+5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f
diff --git a/cve/reserved/2024/CVE-2024-26805 b/cve/published/2024/CVE-2024-26805
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26805
+++ b/cve/published/2024/CVE-2024-26805
diff --git a/cve/published/2024/CVE-2024-26805.json b/cve/published/2024/CVE-2024-26805.json
new file mode 100644
index 00000000..4941e60a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26805.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\n\nsyzbot reported the following uninit-value access issue [1]:\n\nnetlink_to_full_skb() creates a new `skb` and puts the `skb->data`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb->end` that is not data offset but buffer offset. The\n`skb->end` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\n\nThis patch resolved this issue by correct the len from `skb->end` to\n`skb->len`, which is the actual data offset.\n\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n 
packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 
mm/swap.c:1042\n free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1853c9496460",
+ "lessThan": "ec343a55b687",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1853c9496460",
+ "lessThan": "9ae51361da43",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1853c9496460",
+ "lessThan": "f19d1f98e60e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1853c9496460",
+ "lessThan": "c71ed29d15b1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1853c9496460",
+ "lessThan": "0b27bf4c494d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1853c9496460",
+ "lessThan": "d3ada42e534a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1853c9496460",
+ "lessThan": "59fc3e3d049e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1853c9496460",
+ "lessThan": "661779e1fcaf",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.3",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.3",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.309",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.271",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.212",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.81",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/ec343a55b687a452f5e87f3b52bf9f155864df65"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9ae51361da43270f4ba0eb924427a07e87e48777"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f19d1f98e60e68b11fc60839105dd02a30ec0d77"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c71ed29d15b1a1ed6c464f8c3536996963046285"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0b27bf4c494d61e5663baa34c3edd7ccebf0ea44"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d3ada42e534a83b618bbc1e490d23bf0fdae4736"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/59fc3e3d049e39e7d0d271f20dd5fb47c57faf1d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/661779e1fcafe1b74b3f3fe8e980c1e207fea1fd"
+ }
+ ],
+ "title": "netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26805",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
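Review bot: The version ranges in this record do not agree with the CVE-2024-26805.mbox hunk later in the same commit: the second `affected` block marks `"version": "0", "lessThan": "4.3"` as unaffected, while the mbox lists `Issue introduced in 3.12.49 with commit 92994a5f49d0` (and likewise 3.14.54, 3.18.23, 4.1.10 and 4.2.3) as affected introductions. A consumer reading only the JSON would therefore classify e.g. 4.2.3 as unaffected, contrary to the announcement. These look like backports of the introducing commit into older stable branches; if so, the git-range block should carry those five commits as additional `version` entries (without `lessThan`, since no fix is listed for those branches) and the `0`–`4.3` unaffected range should be narrowed accordingly. Both files carry the same `x_generator` engine tag, so the discrepancy is probably in the generator rather than something to hand-edit in this record.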
diff --git a/cve/published/2024/CVE-2024-26805.mbox b/cve/published/2024/CVE-2024-26805.mbox
new file mode 100644
index 00000000..4baad93d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26805.mbox
@@ -0,0 +1,176 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26805: netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
+Message-Id: <2024040404-CVE-2024-26805-7016@gregkh>
+Content-Length: 7783
+Lines: 159
+X-Developer-Signature: v=1; a=openpgp-sha256; l=7943;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=dXJEor6BFSwBLZTy1Ct9rTbx4Ib0wCZUpoSua5AJt90=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yRmzrjlsyv+YKPFQ67+Zf/B65hnLJt5/eGK3/Yqnm
+ wXeRBne7IhlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJMIQzzE9JODr1/LlJRysS
+ Kg+fvBya0DpXL59hwbl36ieaAuc1BUw78iLYZlt72Ms6ZgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
+
+syzbot reported the following uninit-value access issue [1]:
+
+netlink_to_full_skb() creates a new `skb` and puts the `skb->data`
+passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data
+size is specified as `len` and passed to skb_put_data(). This `len`
+is based on `skb->end` that is not data offset but buffer offset. The
+`skb->end` contains data and tailroom. Since the tailroom is not
+initialized when the new `skb` created, KMSAN detects uninitialized
+memory area when copying the data.
+
+This patch resolved this issue by correct the len from `skb->end` to
+`skb->len`, which is the actual data offset.
+
+BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+BUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]
+BUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]
+BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
+BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]
+BUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186
+ instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+ copy_to_user_iter lib/iov_iter.c:24 [inline]
+ iterate_ubuf include/linux/iov_iter.h:29 [inline]
+ iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
+ iterate_and_advance include/linux/iov_iter.h:271 [inline]
+ _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186
+ copy_to_iter include/linux/uio.h:197 [inline]
+ simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532
+ __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420
+ skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546
+ skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
+ packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482
+ sock_recvmsg_nosec net/socket.c:1044 [inline]
+ sock_recvmsg net/socket.c:1066 [inline]
+ sock_read_iter+0x467/0x580 net/socket.c:1136
+ call_read_iter include/linux/fs.h:2014 [inline]
+ new_sync_read fs/read_write.c:389 [inline]
+ vfs_read+0x8f6/0xe00 fs/read_write.c:470
+ ksys_read+0x20f/0x4c0 fs/read_write.c:613
+ __do_sys_read fs/read_write.c:623 [inline]
+ __se_sys_read fs/read_write.c:621 [inline]
+ __x64_sys_read+0x93/0xd0 fs/read_write.c:621
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was stored to memory at:
+ skb_put_data include/linux/skbuff.h:2622 [inline]
+ netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]
+ __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]
+ __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325
+ netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]
+ netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]
+ netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
+ netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368
+ netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
+ ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
+ __sys_sendmsg net/socket.c:2667 [inline]
+ __do_sys_sendmsg net/socket.c:2676 [inline]
+ __se_sys_sendmsg net/socket.c:2674 [inline]
+ __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+ free_pages_prepare mm/page_alloc.c:1087 [inline]
+ free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347
+ free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533
+ release_pages+0x23d3/0x2410 mm/swap.c:1042
+ free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316
+ tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
+ tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
+ tlb_flush_mmu+0x6f5/0x980 mm/mmu_gather.c:300
+ tlb_finish_mmu+0x101/0x260 mm/mmu_gather.c:392
+ exit_mmap+0x49e/0xd30 mm/mmap.c:3321
+ __mmput+0x13f/0x530 kernel/fork.c:1349
+ mmput+0x8a/0xa0 kernel/fork.c:1371
+ exit_mm+0x1b8/0x360 kernel/exit.c:567
+ do_exit+0xd57/0x4080 kernel/exit.c:858
+ do_group_exit+0x2fd/0x390 kernel/exit.c:1021
+ __do_sys_exit_group kernel/exit.c:1032 [inline]
+ __se_sys_exit_group kernel/exit.c:1030 [inline]
+ __x64_sys_exit_group+0x3c/0x50 kernel/exit.c:1030
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Bytes 3852-3903 of 3904 are uninitialized
+Memory access of size 3904 starts at ffff88812ea1e000
+Data copied to user address 0000000020003280
+
+CPU: 1 PID: 5043 Comm: syz-executor297 Not tainted 6.7.0-rc5-syzkaller-00047-g5bd7ef53ffe5 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
+
+The Linux kernel CVE team has assigned CVE-2024-26805 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.3 with commit 1853c9496460 and fixed in 4.19.309 with commit ec343a55b687
+ Issue introduced in 4.3 with commit 1853c9496460 and fixed in 5.4.271 with commit 9ae51361da43
+ Issue introduced in 4.3 with commit 1853c9496460 and fixed in 5.10.212 with commit f19d1f98e60e
+ Issue introduced in 4.3 with commit 1853c9496460 and fixed in 5.15.151 with commit c71ed29d15b1
+ Issue introduced in 4.3 with commit 1853c9496460 and fixed in 6.1.81 with commit 0b27bf4c494d
+ Issue introduced in 4.3 with commit 1853c9496460 and fixed in 6.6.21 with commit d3ada42e534a
+ Issue introduced in 4.3 with commit 1853c9496460 and fixed in 6.7.9 with commit 59fc3e3d049e
+ Issue introduced in 4.3 with commit 1853c9496460 and fixed in 6.8 with commit 661779e1fcaf
+ Issue introduced in 3.12.49 with commit 92994a5f49d0
+ Issue introduced in 3.14.54 with commit 85aec6328f33
+ Issue introduced in 3.18.23 with commit d38200098e32
+ Issue introduced in 4.1.10 with commit 65d48c630ff8
+ Issue introduced in 4.2.3 with commit 62f43b58d2b2
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26805
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/netlink/af_netlink.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/ec343a55b687a452f5e87f3b52bf9f155864df65
+ https://git.kernel.org/stable/c/9ae51361da43270f4ba0eb924427a07e87e48777
+ https://git.kernel.org/stable/c/f19d1f98e60e68b11fc60839105dd02a30ec0d77
+ https://git.kernel.org/stable/c/c71ed29d15b1a1ed6c464f8c3536996963046285
+ https://git.kernel.org/stable/c/0b27bf4c494d61e5663baa34c3edd7ccebf0ea44
+ https://git.kernel.org/stable/c/d3ada42e534a83b618bbc1e490d23bf0fdae4736
+ https://git.kernel.org/stable/c/59fc3e3d049e39e7d0d271f20dd5fb47c57faf1d
+ https://git.kernel.org/stable/c/661779e1fcafe1b74b3f3fe8e980c1e207fea1fd
diff --git a/cve/published/2024/CVE-2024-26805.sha1 b/cve/published/2024/CVE-2024-26805.sha1
new file mode 100644
index 00000000..0ae14009
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26805.sha1
@@ -0,0 +1 @@
+661779e1fcafe1b74b3f3fe8e980c1e207fea1fd
diff --git a/cve/reserved/2024/CVE-2024-26806 b/cve/published/2024/CVE-2024-26806
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26806
+++ b/cve/published/2024/CVE-2024-26806
diff --git a/cve/published/2024/CVE-2024-26806.json b/cve/published/2024/CVE-2024-26806.json
new file mode 100644
index 00000000..08f7a9f0
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26806.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks\n\nThe ->runtime_suspend() and ->runtime_resume() callbacks are not\nexpected to call spi_controller_suspend() and spi_controller_resume().\nRemove calls to those in the cadence-qspi driver.\n\nThose helpers have two roles currently:\n - They stop/start the queue, including dealing with the kworker.\n - They toggle the SPI controller SPI_CONTROLLER_SUSPENDED flag. It\n requires acquiring ctlr->bus_lock_mutex.\n\nStep one is irrelevant because cadence-qspi is not queued. Step two\nhowever has two implications:\n - A deadlock occurs, because ->runtime_resume() is called in a context\n where the lock is already taken (in the ->exec_op() callback, where\n the usage count is incremented).\n - It would disallow all operations once the device is auto-suspended.\n\nHere is a brief call tree highlighting the mutex deadlock:\n\nspi_mem_exec_op()\n ...\n spi_mem_access_start()\n mutex_lock(&ctlr->bus_lock_mutex)\n\n cqspi_exec_mem_op()\n pm_runtime_resume_and_get()\n cqspi_resume()\n spi_controller_resume()\n mutex_lock(&ctlr->bus_lock_mutex)\n ...\n\n spi_mem_access_end()\n mutex_unlock(&ctlr->bus_lock_mutex)\n ..."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "0578a6dbfe75",
+ "lessThan": "041562ebc475",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "0578a6dbfe75",
+ "lessThan": "959043afe53a",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/041562ebc4759c9932b59a06527f8753b86da365"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/959043afe53ae80633e810416cee6076da6e91c6"
+ }
+ ],
+ "title": "spi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26806",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26806.mbox b/cve/published/2024/CVE-2024-26806.mbox
new file mode 100644
index 00000000..e2c3bfd4
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26806.mbox
@@ -0,0 +1,96 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26806: spi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks
+Message-Id: <2024040404-CVE-2024-26806-4644@gregkh>
+Content-Length: 2914
+Lines: 79
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2994;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=afuUbOlUbyKUPz8ZwN87dn2WRmHiwHVy94Z/Fp/icU8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yZlffvNv8LwQFv/JrKzy/Ftl2Q8Jai9V+L67mvLvz
+ v/fZXqwI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACai959hwcSyg8fbri32ljq6
+ myXsKKebWR3/IoYF0yxK6taEXZns12N9vl965TSG27LZAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+spi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks
+
+The ->runtime_suspend() and ->runtime_resume() callbacks are not
+expected to call spi_controller_suspend() and spi_controller_resume().
+Remove calls to those in the cadence-qspi driver.
+
+Those helpers have two roles currently:
+ - They stop/start the queue, including dealing with the kworker.
+ - They toggle the SPI controller SPI_CONTROLLER_SUSPENDED flag. It
+ requires acquiring ctlr->bus_lock_mutex.
+
+Step one is irrelevant because cadence-qspi is not queued. Step two
+however has two implications:
+ - A deadlock occurs, because ->runtime_resume() is called in a context
+ where the lock is already taken (in the ->exec_op() callback, where
+ the usage count is incremented).
+ - It would disallow all operations once the device is auto-suspended.
+
+Here is a brief call tree highlighting the mutex deadlock:
+
+spi_mem_exec_op()
+ ...
+ spi_mem_access_start()
+ mutex_lock(&ctlr->bus_lock_mutex)
+
+ cqspi_exec_mem_op()
+ pm_runtime_resume_and_get()
+ cqspi_resume()
+ spi_controller_resume()
+ mutex_lock(&ctlr->bus_lock_mutex)
+ ...
+
+ spi_mem_access_end()
+ mutex_unlock(&ctlr->bus_lock_mutex)
+ ...
+
+The Linux kernel CVE team has assigned CVE-2024-26806 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.7 with commit 0578a6dbfe75 and fixed in 6.7.9 with commit 041562ebc475
+ Issue introduced in 6.7 with commit 0578a6dbfe75 and fixed in 6.8 with commit 959043afe53a
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26806
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/spi/spi-cadence-quadspi.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/041562ebc4759c9932b59a06527f8753b86da365
+ https://git.kernel.org/stable/c/959043afe53ae80633e810416cee6076da6e91c6
diff --git a/cve/published/2024/CVE-2024-26806.sha1 b/cve/published/2024/CVE-2024-26806.sha1
new file mode 100644
index 00000000..6dfc0243
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26806.sha1
@@ -0,0 +1 @@
+959043afe53ae80633e810416cee6076da6e91c6
diff --git a/cve/reserved/2024/CVE-2024-26807 b/cve/published/2024/CVE-2024-26807
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26807
+++ b/cve/published/2024/CVE-2024-26807
diff --git a/cve/published/2024/CVE-2024-26807.json b/cve/published/2024/CVE-2024-26807.json
new file mode 100644
index 00000000..da859444
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26807.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-qspi: fix pointer reference in runtime PM hooks\n\ndev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI\ncontroller. Neither embed the other; this lead to memory corruption.\n\nOn a given platform (Mobileye EyeQ5) the memory corruption is hidden\ninside cqspi->f_pdata. Also, this uninitialised memory is used as a\nmutex (ctlr->bus_lock_mutex) by spi_controller_suspend()."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2087e85bb66e",
+ "lessThan": "03f1573c9587",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2087e85bb66e",
+ "lessThan": "34e1d5c4407c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2087e85bb66e",
+ "lessThan": "32ce3bb57b6b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.4",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.4",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.21",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.9",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc"
+ }
+ ],
+ "title": "spi: cadence-qspi: fix pointer reference in runtime PM hooks",
+ "x_generator": {
+ "engine": "bippy-e0c11145c45e"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26807",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
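Review bot: The version container's entry `{"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "custom"}` disagrees with the mbox for the same CVE, which lists the introducing commit as backported into 4.19.283, 5.4.243, 5.10.180, 5.15.111, 6.1.28, 6.2.15 and 6.3.2 with no corresponding fix. As recorded, a consumer of the JSON on a 6.1.y or 5.15.y kernel would read this deadlock/memory-corruption issue as not affecting them, while the announcement text says the opposite. The git-range container cannot cover this either, since its ranges start at the mainline commit 2087e85bb66e and the stable branches carry different backport SHAs. This may be a generator limitation rather than an error in this specific record, but the published JSON should either carry affected entries for those stable branches or the missing fix backports should be noted so the two artifacts agree.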
diff --git a/cve/published/2024/CVE-2024-26807.mbox b/cve/published/2024/CVE-2024-26807.mbox
new file mode 100644
index 00000000..219da3ad
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26807.mbox
@@ -0,0 +1,78 @@
+From bippy-e0c11145c45e Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26807: spi: cadence-qspi: fix pointer reference in runtime PM hooks
+Message-Id: <2024040405-CVE-2024-26807-c071@gregkh>
+Content-Length: 2495
+Lines: 61
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2557;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=2DMMMtbjS0FVc2zT/W2kLLLXPJwebgYc/XEjaZmtUu0=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGl8yZkyV+0Dft1rUGn4x6S4ryg44fK+Tpn4aYdU7jccd
+ /2q+39PRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAExEeCbDgktJbAvsy9qeb3Xf
+ durakVyFPlXRaIYFc1933ez1smp59MCvzzl0XWM9P2cHAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+spi: cadence-qspi: fix pointer reference in runtime PM hooks
+
+dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI
+controller. Neither embed the other; this lead to memory corruption.
+
+On a given platform (Mobileye EyeQ5) the memory corruption is hidden
+inside cqspi->f_pdata. Also, this uninitialised memory is used as a
+mutex (ctlr->bus_lock_mutex) by spi_controller_suspend().
+
+The Linux kernel CVE team has assigned CVE-2024-26807 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.4 with commit 2087e85bb66e and fixed in 6.6.21 with commit 03f1573c9587
+ Issue introduced in 6.4 with commit 2087e85bb66e and fixed in 6.7.9 with commit 34e1d5c4407c
+ Issue introduced in 6.4 with commit 2087e85bb66e and fixed in 6.8 with commit 32ce3bb57b6b
+ Issue introduced in 4.19.283 with commit e3f9fc9a4f14
+ Issue introduced in 5.4.243 with commit 6716203844bc
+ Issue introduced in 5.10.180 with commit b24f1ecc8fe2
+ Issue introduced in 5.15.111 with commit d453f25faf68
+ Issue introduced in 6.1.28 with commit 79acf7fb856e
+ Issue introduced in 6.2.15 with commit 18cb554e9da8
+ Issue introduced in 6.3.2 with commit 1368dbc0a432
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26807
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/spi/spi-cadence-quadspi.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61
+ https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03
+ https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc
diff --git a/cve/published/2024/CVE-2024-26807.sha1 b/cve/published/2024/CVE-2024-26807.sha1
new file mode 100644
index 00000000..a0ab27a3
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26807.sha1
@@ -0,0 +1 @@
+32ce3bb57b6b402de2aec1012511e7ac4e7449dc