author: Lee Jones <lee@kernel.org> 2024-03-26 15:18:19 +0000
committer: Lee Jones <lee@kernel.org> 2024-03-26 15:18:48 +0000
commit: c28b45b0d913d2e5d8b85f1c64b0b707e1cfc9c1
tree: cbade31ab4eeb634fa97687fef756425e59e01cd
parent: 89db1c5bb5607fd4df0d1a89f74d2ba9897977b8
published: Create and publish a couple of v6.7.3 annotated reviews
Signed-off-by: Lee Jones <lee@kernel.org>
-rw-r--r--  cve/published/2024/CVE-2024-26644 (renamed from cve/reserved/2024/CVE-2024-26644)  0
-rw-r--r--  cve/published/2024/CVE-2024-26644.json  138
-rw-r--r--  cve/published/2024/CVE-2024-26644.mbox  140
-rw-r--r--  cve/published/2024/CVE-2024-26644.sha1  1
-rw-r--r--  cve/published/2024/CVE-2024-26645 (renamed from cve/reserved/2024/CVE-2024-26645)  0
-rw-r--r--  cve/published/2024/CVE-2024-26645.json  178
-rw-r--r--  cve/published/2024/CVE-2024-26645.mbox  167
-rw-r--r--  cve/published/2024/CVE-2024-26645.sha1  1
8 files changed, 625 insertions, 0 deletions
diff --git a/cve/reserved/2024/CVE-2024-26644 b/cve/published/2024/CVE-2024-26644
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26644
+++ b/cve/published/2024/CVE-2024-26644
diff --git a/cve/published/2024/CVE-2024-26644.json b/cve/published/2024/CVE-2024-26644.json
new file mode 100644
index 00000000..d7a99883
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26644.json
@@ -0,0 +1,138 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't abort filesystem when attempting to snapshot deleted subvolume\n\nIf the source file descriptor to the snapshot ioctl refers to a deleted\nsubvolume, we get the following abort:\n\n BTRFS: Transaction aborted (error -2)\n WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]\n Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c\n CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014\n RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]\n RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282\n RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027\n RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840\n RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998\n R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe\n R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80\n FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0\n Call Trace:\n <TASK>\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n ? __warn+0x81/0x130\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n ? report_bug+0x171/0x1a0\n ? handle_bug+0x3a/0x70\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? create_pending_snapshot+0x1040/0x1190 [btrfs]\n ? 
create_pending_snapshot+0x1040/0x1190 [btrfs]\n create_pending_snapshots+0x92/0xc0 [btrfs]\n btrfs_commit_transaction+0x66b/0xf40 [btrfs]\n btrfs_mksubvol+0x301/0x4d0 [btrfs]\n btrfs_mksnapshot+0x80/0xb0 [btrfs]\n __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]\n btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]\n btrfs_ioctl+0x8a6/0x2650 [btrfs]\n ? kmem_cache_free+0x22/0x340\n ? do_sys_openat2+0x97/0xe0\n __x64_sys_ioctl+0x97/0xd0\n do_syscall_64+0x46/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n RIP: 0033:0x7fe20abe83af\n RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af\n RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003\n RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58\n </TASK>\n ---[ end trace 0000000000000000 ]---\n BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry\n BTRFS info (device vdc: state EA): forced readonly\n BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.\n BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry\n\nThis happens because create_pending_snapshot() initializes the new root\nitem as a copy of the source root item. This includes the refs field,\nwhich is 0 for a deleted subvolume. The call to btrfs_insert_root()\ntherefore inserts a root with refs == 0. btrfs_get_new_fs_root() then\nfinds the root and returns -ENOENT if refs == 0, which causes\ncreate_pending_snapshot() to abort.\n\nFix it by checking the source root's refs before attempting the\nsnapshot, but after locking subvol_sem to avoid racing with deletion."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "2bdf872bcfe6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0877497dc978",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "6e6bca99e8d8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "ec794a752819",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "d8680b722f0f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "7081929ab257",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.210",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.149",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.76",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.15",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.3",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2bdf872bcfe629a6202ffd6641615a8ed00e8464"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0877497dc97834728e1b528ddf1e1c484292c29c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6e6bca99e8d88d989a7cde4c064abea552d5219b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ec794a7528199e1be6d47bec03f4755aa75df256"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d8680b722f0ff6d7a01ddacc1844e0d52354d6ff"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7081929ab2572920e94d70be3d332e5c9f97095a"
+ }
+ ],
+ "title": "btrfs: don't abort filesystem when attempting to snapshot deleted subvolume",
+ "x_generator": {
+ "engine": "bippy-b4257b672505"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26644",
+ "requesterUserId": "lee@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
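Review bot: The affected ranges in this record have no lower bound: all six git entries in the first `versions` list start at the same `1da177e4c3f4`, and the second block sets `defaultStatus` to "affected" without any entry marking where the issue begins, so every release older than 5.10.210 reads as affected. If the introducing commit is known, use it as the `version` of the git entries and add an "unaffected" range below it in the second block, as the CVE-2024-26645 record in this same commit does with 4.17; if it is not known, say so in the description so consumers do not treat the range as established.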
diff --git a/cve/published/2024/CVE-2024-26644.mbox b/cve/published/2024/CVE-2024-26644.mbox
new file mode 100644
index 00000000..90dba76b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26644.mbox
@@ -0,0 +1,140 @@
+From bippy-b4257b672505 Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26644: btrfs: don't abort filesystem when attempting to snapshot deleted subvolume
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5463; i=lee@kernel.org;
+ h=from:subject; bh=JymWCPslXuQRESq/5LoUWlv7CMuPNt2Fle58Sl39eSs=;
+ b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBmAucDPoQ9de2l98T+u+ZpCJyqmorKXp8T+pX9V
+ I2VrrUV9tqJAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZgLnAwAKCRBRr4ovh/x3
+ YTA0D/9xsMTDKrK7QbDwPwIFFZ5xTWFLomPK0mP9Qbup/6LAd8mjMekJXlyKzodetyhZ3aPyW4c
+ 0/nUr1OIGfaFLyCh37SBKYIgZOv2dsh01glSOKvysopSqxEIjC2/hEP4j6uYU31zsCu4/WC09RY
+ 5CfVh5g9/tIaIg5jdFGJgeBDKDGCwNnKX+yKG2xODi0Vv4VRAx8ZEOu8bvtN258/M6rtm96YcaO
+ yKi2rcKcVBWZIUuR663BOuVu7kcgskBlr1fhlr39lqxcNgcBOEWUIl/xVGaAOxilXKpX4Xpjvbq
+ LNuunhYXDVykRnRePZJY9ddXgfNFh4Z1rqS6a2D3c4lpY/iy/zTeNQMk0+WZZHhw1/nRYgzJPtu
+ p25TJGGl7T8uKeljSSbQi4liNC5Nm1zS4z248TSRNcpN1/o0w+HybDlljBcVhe6MW2MJ006pwp0
+ VEofI/C5+iCldeOEGjgKYuu9t3D5mI5l/wT3usO7VQOzL809kWfRUUu9oKNOKfZraItAw/qpwaZ
+ SJBlipxrjooodmGpXuhwV4fOteiQklYFT2IgUj8u2lNrfsgiV0OoWQJxuhUpwQbO/yFP/0q9/iP
+ lMBjUws1x0S4IFrWZ506pIYNbz3CZXyfslQ6I1mTmZQUNapqGpzgBtPC0C+lghlmTo+yQZccPbD
+ GGvWPUcX8aDMS0g==
+X-Developer-Key: i=lee@kernel.org; a=openpgp;
+ fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+btrfs: don't abort filesystem when attempting to snapshot deleted subvolume
+
+If the source file descriptor to the snapshot ioctl refers to a deleted
+subvolume, we get the following abort:
+
+ BTRFS: Transaction aborted (error -2)
+ WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]
+ Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c
+ CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
+ RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]
+ RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282
+ RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027
+ RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840
+ RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998
+ R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe
+ R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80
+ FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0
+ Call Trace:
+ <TASK>
+ ? create_pending_snapshot+0x1040/0x1190 [btrfs]
+ ? __warn+0x81/0x130
+ ? create_pending_snapshot+0x1040/0x1190 [btrfs]
+ ? report_bug+0x171/0x1a0
+ ? handle_bug+0x3a/0x70
+ ? exc_invalid_op+0x17/0x70
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? create_pending_snapshot+0x1040/0x1190 [btrfs]
+ ? create_pending_snapshot+0x1040/0x1190 [btrfs]
+ create_pending_snapshots+0x92/0xc0 [btrfs]
+ btrfs_commit_transaction+0x66b/0xf40 [btrfs]
+ btrfs_mksubvol+0x301/0x4d0 [btrfs]
+ btrfs_mksnapshot+0x80/0xb0 [btrfs]
+ __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]
+ btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]
+ btrfs_ioctl+0x8a6/0x2650 [btrfs]
+ ? kmem_cache_free+0x22/0x340
+ ? do_sys_openat2+0x97/0xe0
+ __x64_sys_ioctl+0x97/0xd0
+ do_syscall_64+0x46/0xf0
+ entry_SYSCALL_64_after_hwframe+0x6e/0x76
+ RIP: 0033:0x7fe20abe83af
+ RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af
+ RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003
+ RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0
+ R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58
+ </TASK>
+ ---[ end trace 0000000000000000 ]---
+ BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry
+ BTRFS info (device vdc: state EA): forced readonly
+ BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.
+ BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry
+
+This happens because create_pending_snapshot() initializes the new root
+item as a copy of the source root item. This includes the refs field,
+which is 0 for a deleted subvolume. The call to btrfs_insert_root()
+therefore inserts a root with refs == 0. btrfs_get_new_fs_root() then
+finds the root and returns -ENOENT if refs == 0, which causes
+create_pending_snapshot() to abort.
+
+Fix it by checking the source root's refs before attempting the
+snapshot, but after locking subvol_sem to avoid racing with deletion.
+
+The Linux kernel CVE team has assigned CVE-2024-26644 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.10.210 with commit 2bdf872bcfe6
+ Fixed in 5.15.149 with commit 0877497dc978
+ Fixed in 6.1.76 with commit 6e6bca99e8d8
+ Fixed in 6.6.15 with commit ec794a752819
+ Fixed in 6.7.3 with commit d8680b722f0f
+ Fixed in 6.8 with commit 7081929ab257
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26644
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/btrfs/ioctl.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/2bdf872bcfe629a6202ffd6641615a8ed00e8464
+ https://git.kernel.org/stable/c/0877497dc97834728e1b528ddf1e1c484292c29c
+ https://git.kernel.org/stable/c/6e6bca99e8d88d989a7cde4c064abea552d5219b
+ https://git.kernel.org/stable/c/ec794a7528199e1be6d47bec03f4755aa75df256
+ https://git.kernel.org/stable/c/d8680b722f0ff6d7a01ddacc1844e0d52354d6ff
+ https://git.kernel.org/stable/c/7081929ab2572920e94d70be3d332e5c9f97095a
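Review bot: The Description never states the consequence in prose; it is only visible inside the pasted log, in the lines "forced readonly" and "Skipping commit of aborted transaction". Add one sentence before the trace saying that the aborted transaction leaves the filesystem forced read-only, so a reader triaging the announcement does not have to scan the register dump to find the impact.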
diff --git a/cve/published/2024/CVE-2024-26644.sha1 b/cve/published/2024/CVE-2024-26644.sha1
new file mode 100644
index 00000000..e469ba1d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26644.sha1
@@ -0,0 +1 @@
+7081929ab2572920e94d70be3d332e5c9f97095a
diff --git a/cve/reserved/2024/CVE-2024-26645 b/cve/published/2024/CVE-2024-26645
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26645
+++ b/cve/published/2024/CVE-2024-26645
diff --git a/cve/published/2024/CVE-2024-26645.json b/cve/published/2024/CVE-2024-26645.json
new file mode 100644
index 00000000..b393a884
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26645.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Ensure visibility when inserting an element into tracing_map\n\nRunning the following two commands in parallel on a multi-processor\nAArch64 machine can sporadically produce an unexpected warning about\nduplicate histogram entries:\n\n $ while true; do\n echo hist:key=id.syscall:val=hitcount > \\\n /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger\n cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist\n sleep 0.001\n done\n $ stress-ng --sysbadaddr $(nproc)\n\nThe warning looks as follows:\n\n[ 2911.172474] ------------[ cut here ]------------\n[ 2911.173111] Duplicates detected: 1\n[ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408\n[ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)\n[ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1\n[ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G E 6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01\n[ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018\n[ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408\n[ 2911.185310] sp : ffff8000a1513900\n[ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 
0000000000000001\n[ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008\n[ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180\n[ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff\n[ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8\n[ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731\n[ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c\n[ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8\n[ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000\n[ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480\n[ 2911.194259] Call trace:\n[ 2911.194626] tracing_map_sort_entries+0x3e0/0x408\n[ 2911.195220] hist_show+0x124/0x800\n[ 2911.195692] seq_read_iter+0x1d4/0x4e8\n[ 2911.196193] seq_read+0xe8/0x138\n[ 2911.196638] vfs_read+0xc8/0x300\n[ 2911.197078] ksys_read+0x70/0x108\n[ 2911.197534] __arm64_sys_read+0x24/0x38\n[ 2911.198046] invoke_syscall+0x78/0x108\n[ 2911.198553] el0_svc_common.constprop.0+0xd0/0xf8\n[ 2911.199157] do_el0_svc+0x28/0x40\n[ 2911.199613] el0_svc+0x40/0x178\n[ 2911.200048] el0t_64_sync_handler+0x13c/0x158\n[ 2911.200621] el0t_64_sync+0x1a8/0x1b0\n[ 2911.201115] ---[ end trace 0000000000000000 ]---\n\nThe problem appears to be caused by CPU reordering of writes issued from\n__tracing_map_insert().\n\nThe check for the presence of an element with a given key in this\nfunction is:\n\n val = READ_ONCE(entry->val);\n if (val && keys_match(key, val->key, map->key_size)) ...\n\nThe write of a new entry is:\n\n elt = get_free_elt(map);\n memcpy(elt->key, key, map->key_size);\n entry->val = elt;\n\nThe \"memcpy(elt->key, key, map->key_size);\" and \"entry->val = elt;\"\nstores may become visible in the reversed order on another CPU. 
This\nsecond CPU might then incorrectly determine that a new key doesn't match\nan already present val->key and subse\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "c193707dde77",
+ "lessThan": "5022b331c041",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c193707dde77",
+ "lessThan": "dad9b28f675e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c193707dde77",
+ "lessThan": "ef70dfa0b1e5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c193707dde77",
+ "lessThan": "aef1cb00856c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c193707dde77",
+ "lessThan": "f4f7e696db02",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c193707dde77",
+ "lessThan": "a1eebe76e187",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c193707dde77",
+ "lessThan": "bf4aeff7da85",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c193707dde77",
+ "lessThan": "2b44760609e9",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.17",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.17",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.307",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.269",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.210",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.149",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.76",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.15",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.3",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/5022b331c041e8c54b9a6a3251579bd1e8c0fc0b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/dad9b28f675ed99b4dec261db2a397efeb80b74c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ef70dfa0b1e5084f32635156c9a5c795352ad860"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/aef1cb00856ccfd614467cfb50b791278992e177"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f4f7e696db0274ff560482cc52eddbf0551d4b7a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a1eebe76e187dbe11ca299f8dbb6e45d5b1889e7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bf4aeff7da85c3becd39fb73bac94122331c30fb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2b44760609e9eaafc9d234a6883d042fc21132a7"
+ }
+ ],
+ "title": "tracing: Ensure visibility when inserting an element into tracing_map",
+ "x_generator": {
+ "engine": "bippy-b4257b672505"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26645",
+ "requesterUserId": "lee@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
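Review bot: The `descriptions` value is cut off mid-word at "subse\n---truncated---", so the JSON record drops the explanation of the fix (the write barrier and the WRITE_ONCE() publication of the element) and the reference to introducing commit c193707dde77, both of which the .mbox in this commit carries in full. Consumers that read only the JSON get the reproducer and the trace but not the resolution; consider trimming the module list and register dump from the value so the root-cause and fix paragraphs fit before the cut-off. Separately, the "4.17" entry in the second `versions` list has no `versionType`, unlike every other entry in that list.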
diff --git a/cve/published/2024/CVE-2024-26645.mbox b/cve/published/2024/CVE-2024-26645.mbox
new file mode 100644
index 00000000..11bb4a09
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26645.mbox
@@ -0,0 +1,167 @@
+From bippy-b4257b672505 Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26645: tracing: Ensure visibility when inserting an element into tracing_map
+X-Developer-Signature: v=1; a=openpgp-sha256; l=7520; i=lee@kernel.org;
+ h=from:subject; bh=a+3dnnizi/bZaanOrjbnycqrAbz2RXZy1SbtMMMTqXY=;
+ b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBmAucDcGzne8u2bXj2ZfeB6e9GO8vL+11EZXFi2
+ 8y0zI7byTGJAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZgLnAwAKCRBRr4ovh/x3
+ YdBaEACEt5i4xuC4gFiWtgi/H9nbG0vtD6jMEGONpqzsdHOEvLaXLzAzgSCveNmBGVGyn3mlBka
+ xEA7FVXC7yFbbT6jmCzPMLEOw+t9PbTBw2bndkAFOkMENmWFkl43N/x9zO6FBkIF2GsjN33V+ky
+ 7Cgss2mKW/94bxcmSvhJDv1d3gkzB+OPNEfBWLT9LBnAUs+nTgKvKA44IXYFhTzwD96b6FvKRMg
+ 5bWkuzClLSSUaNw2TxuDBtkj0IQu1pHhUVQ448og7c9wPrCp2LiMYDtsNH+HayoKlEjyigaNNC0
+ 99GZ7iqNbtJw902yhVXy7qsFUIdhtjo3i8qKvekkIWohHXpZ2vpGE9q5lapYbNW7WaNojk3mH8i
+ 8zUzV85j+z9BJSREsKBxuuj5xsVtC7MPwZxbLWnHsApWmaTZNieT2JcpPDNqrxMP7yjQ3T6gegq
+ 3QBqxmp9b9lq+1NIHRMeTczohENSDIv1hwFCfxQojscbUeUYfvsbriWtzyCCynUwY95tgqwCJqx
+ s5r4XzqudxxKB98+Yld3viZN1Z5lXzrjCU01f1MXAgVFcKP0Q7H9ROiLcrueY4EFBjvW//+BE4n
+ c3uyUsV6cimp0PGH9aVayAxO47X6y6F0EJ/j3tqHAwvxogrJNkStJ/8xAvADn6sMoX+q3w/lXHg
+ m8k0jaO7CyButqA==
+X-Developer-Key: i=lee@kernel.org; a=openpgp;
+ fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+tracing: Ensure visibility when inserting an element into tracing_map
+
+Running the following two commands in parallel on a multi-processor
+AArch64 machine can sporadically produce an unexpected warning about
+duplicate histogram entries:
+
+ $ while true; do
+ echo hist:key=id.syscall:val=hitcount > \
+ /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger
+ cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist
+ sleep 0.001
+ done
+ $ stress-ng --sysbadaddr $(nproc)
+
+The warning looks as follows:
+
+[ 2911.172474] ------------[ cut here ]------------
+[ 2911.173111] Duplicates detected: 1
+[ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408
+[ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E)
+[ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1
+[ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G E 6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01
+[ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018
+[ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+[ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408
+[ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408
+[ 2911.185310] sp : ffff8000a1513900
+[ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001
+[ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008
+[ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180
+[ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff
+[ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8
+[ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731
+[ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c
+[ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8
+[ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000
+[ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480
+[ 2911.194259] Call trace:
+[ 2911.194626] tracing_map_sort_entries+0x3e0/0x408
+[ 2911.195220] hist_show+0x124/0x800
+[ 2911.195692] seq_read_iter+0x1d4/0x4e8
+[ 2911.196193] seq_read+0xe8/0x138
+[ 2911.196638] vfs_read+0xc8/0x300
+[ 2911.197078] ksys_read+0x70/0x108
+[ 2911.197534] __arm64_sys_read+0x24/0x38
+[ 2911.198046] invoke_syscall+0x78/0x108
+[ 2911.198553] el0_svc_common.constprop.0+0xd0/0xf8
+[ 2911.199157] do_el0_svc+0x28/0x40
+[ 2911.199613] el0_svc+0x40/0x178
+[ 2911.200048] el0t_64_sync_handler+0x13c/0x158
+[ 2911.200621] el0t_64_sync+0x1a8/0x1b0
+[ 2911.201115] ---[ end trace 0000000000000000 ]---
+
+The problem appears to be caused by CPU reordering of writes issued from
+__tracing_map_insert().
+
+The check for the presence of an element with a given key in this
+function is:
+
+ val = READ_ONCE(entry->val);
+ if (val && keys_match(key, val->key, map->key_size)) ...
+
+The write of a new entry is:
+
+ elt = get_free_elt(map);
+ memcpy(elt->key, key, map->key_size);
+ entry->val = elt;
+
+The "memcpy(elt->key, key, map->key_size);" and "entry->val = elt;"
+stores may become visible in the reversed order on another CPU. This
+second CPU might then incorrectly determine that a new key doesn't match
+an already present val->key and subsequently insert a new element,
+resulting in a duplicate.
+
+Fix the problem by adding a write barrier between
+"memcpy(elt->key, key, map->key_size);" and "entry->val = elt;", and for
+good measure, also use WRITE_ONCE(entry->val, elt) for publishing the
+element. The sequence pairs with the mentioned "READ_ONCE(entry->val);"
+and the "val->key" check which has an address dependency.
+
+The barrier is placed on a path executed when adding an element for
+a new key. Subsequent updates targeting the same key remain unaffected.
+
+From the user's perspective, the issue was introduced by commit
+c193707dde77 ("tracing: Remove code which merges duplicates"), which
+followed commit cbf4100efb8f ("tracing: Add support to detect and avoid
+duplicates"). The previous code operated differently; it inherently
+expected potential races which result in duplicates but merged them
+later when they occurred.
+
+The Linux kernel CVE team has assigned CVE-2024-26645 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.17 with commit c193707dde77 and fixed in 4.19.307 with commit 5022b331c041
+ Issue introduced in 4.17 with commit c193707dde77 and fixed in 5.4.269 with commit dad9b28f675e
+ Issue introduced in 4.17 with commit c193707dde77 and fixed in 5.10.210 with commit ef70dfa0b1e5
+ Issue introduced in 4.17 with commit c193707dde77 and fixed in 5.15.149 with commit aef1cb00856c
+ Issue introduced in 4.17 with commit c193707dde77 and fixed in 6.1.76 with commit f4f7e696db02
+ Issue introduced in 4.17 with commit c193707dde77 and fixed in 6.6.15 with commit a1eebe76e187
+ Issue introduced in 4.17 with commit c193707dde77 and fixed in 6.7.3 with commit bf4aeff7da85
+ Issue introduced in 4.17 with commit c193707dde77 and fixed in 6.8 with commit 2b44760609e9
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26645
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ kernel/trace/tracing_map.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/5022b331c041e8c54b9a6a3251579bd1e8c0fc0b
+ https://git.kernel.org/stable/c/dad9b28f675ed99b4dec261db2a397efeb80b74c
+ https://git.kernel.org/stable/c/ef70dfa0b1e5084f32635156c9a5c795352ad860
+ https://git.kernel.org/stable/c/aef1cb00856ccfd614467cfb50b791278992e177
+ https://git.kernel.org/stable/c/f4f7e696db0274ff560482cc52eddbf0551d4b7a
+ https://git.kernel.org/stable/c/a1eebe76e187dbe11ca299f8dbb6e45d5b1889e7
+ https://git.kernel.org/stable/c/bf4aeff7da85c3becd39fb73bac94122331c30fb
+ https://git.kernel.org/stable/c/2b44760609e9eaafc9d234a6883d042fc21132a7
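Review bot: The Description does not say whether the issue is limited to AArch64: it reports the warning on "a multi-processor AArch64 machine", but attributes it to CPU reordering of the stores in __tracing_map_insert(), and the only affected file listed is kernel/trace/tracing_map.c rather than architecture-specific code. A sentence stating which architectures are expected to be exposed, or that this has not been determined, would let readers on other platforms judge whether the fixed versions matter to them.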
diff --git a/cve/published/2024/CVE-2024-26645.sha1 b/cve/published/2024/CVE-2024-26645.sha1
new file mode 100644
index 00000000..64f0a11b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26645.sha1
@@ -0,0 +1 @@
+2b44760609e9eaafc9d234a6883d042fc21132a7