From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-26688: fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super

When configuring a hugetlb filesystem via the fsconfig() syscall, there is
a possible NULL dereference in hugetlbfs_fill_super() caused by assigning
NULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize
is not valid.

E.g., taking the following steps:

    fd = fsopen("hugetlbfs", FSOPEN_CLOEXEC);
    fsconfig(fd, FSCONFIG_SET_STRING, "pagesize", "1024", 0);
    fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);

Given that the requested "pagesize" is invalid, ctx->hstate will be replaced
with NULL, losing its previous value, and we will print an error:

    ...
    ...
    case Opt_pagesize:
        ps = memparse(param->string, &rest);
        ctx->hstate = h;
        if (!ctx->hstate) {
            pr_err("Unsupported page size %lu MB\n", ps / SZ_1M);
            return -EINVAL;
        }
        return 0;
    ...
    ...

This is a problem because later on, we will dereference ctx->hstate in
hugetlbfs_fill_super():

    ...
    ...
    sb->s_blocksize = huge_page_size(ctx->hstate);
    ...
    ...

This causes the Oops below.

Fix this by replacing the ctx->hstate value only when the pagesize is known
to be valid.

kernel: hugetlbfs: Unsupported page size 0 MB
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028
kernel: #PF: supervisor read access in kernel mode
kernel: #PF: error_code(0x0000) - not-present page
kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0
kernel: Oops: 0000 [#1] PREEMPT SMP PTI
kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G E 6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f
kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017
kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0
kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28
kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246
kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004
kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000
kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004
kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000
kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400
kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0
kernel: Call Trace:
kernel: <TASK>
kernel: ? __die_body+0x1a/0x60
kernel: ? page_fault_oops+0x16f/0x4a0
kernel: ? search_bpf_extables+0x65/0x70
kernel: ? fixup_exception+0x22/0x310
kernel: ? exc_page_fault+0x69/0x150
kernel: ? asm_exc_page_fault+0x22/0x30
kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10
kernel: ? hugetlbfs_fill_super+0xb4/0x1a0
kernel: ? hugetlbfs_fill_super+0x28/0x1a0
kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10
kernel: vfs_get_super+0x40/0xa0
kernel: ? __pfx_bpf_lsm_capable+0x10/0x10
kernel: vfs_get_tree+0x25/0xd0
kernel: vfs_cmd_create+0x64/0xe0
kernel: __x64_sys_fsconfig+0x395/0x410
kernel: do_syscall_64+0x80/0x160
kernel: ? syscall_exit_to_user_mode+0x82/0x240
kernel: ? do_syscall_64+0x8d/0x160
kernel: ? syscall_exit_to_user_mode+0x82/0x240
kernel: ? do_syscall_64+0x8d/0x160
kernel: ? exc_page_fault+0x69/0x150
kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76
kernel: RIP: 0033:0x7ffbc0cb87c9
kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48
kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af
kernel: RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffbc0cb87c9
kernel: RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
kernel: RBP: 00007ffc29d2f3b0 R08: 0000000000000000 R09: 0000000000000000
kernel: R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
kernel: R13: 00007ffc29d2f4c0 R14: 0000000000000000 R15: 0000000000000000
kernel: </TASK>
kernel: Unloaded tainted modules: acpi_cpufreq(E):1 fjes(E):1
kernel: CR2: 0000000000000028
kernel: ---[ end trace 0000000000000000 ]---

The Linux kernel CVE team has assigned CVE-2024-26688 to this issue.
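The defect and its fix, modelled in user space as an added example (not the kernel's own code): ctx->hstate starts on the default hstate that fsopen() leaves in the context, the buggy Opt_pagesize path clears it on an invalid pagesize, and the fixed path keeps the previous value. The hstate table, the size_to_hstate() stand-in and the struct names are constructed assumptions.

```c
/* User-space model of CVE-2024-26688 (added example, not kernel code).
 * The hstate table and size_to_hstate() lookup are constructed stand-ins. */
#include <errno.h>
#include <stddef.h>
struct hstate { unsigned long page_size; };
struct fs_context_model { struct hstate *hstate; };

/* Stand-in for the kernel's hstates[]: 2 MB and 1 GB huge pages. */
static struct hstate hstates[] = { { 2UL << 20 }, { 1UL << 30 } };

/* Like size_to_hstate(): NULL when no hstate has this page size. */
static struct hstate *size_to_hstate(unsigned long size)
{
    for (size_t i = 0; i < sizeof(hstates) / sizeof(hstates[0]); i++)
        if (hstates[i].page_size == size)
            return &hstates[i];
    return NULL;
}

/* Buggy Opt_pagesize path: ctx->hstate is clobbered before the check. */
static int parse_pagesize_buggy(struct fs_context_model *ctx, unsigned long ps)
{
    ctx->hstate = size_to_hstate(ps);
    if (!ctx->hstate)
        return -EINVAL;     /* error returned, but NULL is left behind */
    return 0;
}

/* Fixed path: replace ctx->hstate only once the size is known to be valid. */
static int parse_pagesize_fixed(struct fs_context_model *ctx, unsigned long ps)
{
    struct hstate *h = size_to_hstate(ps);
    if (!h)
        return -EINVAL;
    ctx->hstate = h;
    return 0;
}

/* Replays fsopen(), fsconfig("pagesize", "1024") and FSCONFIG_CMD_CREATE:
 * ctx starts on the default 2 MB hstate; CREATE runs fill_super() anyway. */
unsigned long replay_sequence(int use_fixed)
{
    struct fs_context_model ctx = { &hstates[0] };
    int rc = use_fixed ? parse_pagesize_fixed(&ctx, 1024)
                       : parse_pagesize_buggy(&ctx, 1024);
    if (rc != -EINVAL)
        return (unsigned long)-1; /* 1024 must be rejected in both paths */
    /* fill_super(): sb->s_blocksize = huge_page_size(ctx->hstate) */
    return ctx.hstate ? ctx.hstate->page_size : 0; /* 0 = NULL fault in kernel */
}
```

replay_sequence(0) returns 0, the modelled NULL dereference, while replay_sequence(1) returns the untouched 2 MB block size.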


Affected and fixed versions
===========================

Issue introduced in 5.1 with commit 32021982a324dce93b4ae00c06213bf45fb319c8 and fixed in 5.4.271 with commit 1dde8ef4b7a749ae1bc73617c91775631d167557
Issue introduced in 5.1 with commit 32021982a324dce93b4ae00c06213bf45fb319c8 and fixed in 5.10.212 with commit 80d852299987a8037be145a94f41874228f1a773
Issue introduced in 5.1 with commit 32021982a324dce93b4ae00c06213bf45fb319c8 and fixed in 5.15.151 with commit 22850c9950a4e43a67299755d11498f3292d02ff
Issue introduced in 5.1 with commit 32021982a324dce93b4ae00c06213bf45fb319c8 and fixed in 6.1.79 with commit 2e2c07104b4904aed1389a59b25799b95a85b5b9
Issue introduced in 5.1 with commit 32021982a324dce93b4ae00c06213bf45fb319c8 and fixed in 6.6.18 with commit 13c5a9fb07105557a1fa9efdb4f23d7ef30b7274
Issue introduced in 5.1 with commit 32021982a324dce93b4ae00c06213bf45fb319c8 and fixed in 6.7.6 with commit ec78418801ef7b0c22cd6a30145ec480dd48db39
Issue introduced in 5.1 with commit 32021982a324dce93b4ae00c06213bf45fb319c8 and fixed in 6.8 with commit 79d72c68c58784a3e1cd2378669d51bfd0cb7498

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-26688
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
fs/hugetlbfs/inode.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/1dde8ef4b7a749ae1bc73617c91775631d167557
https://git.kernel.org/stable/c/80d852299987a8037be145a94f41874228f1a773
https://git.kernel.org/stable/c/22850c9950a4e43a67299755d11498f3292d02ff
https://git.kernel.org/stable/c/2e2c07104b4904aed1389a59b25799b95a85b5b9
https://git.kernel.org/stable/c/13c5a9fb07105557a1fa9efdb4f23d7ef30b7274
https://git.kernel.org/stable/c/ec78418801ef7b0c22cd6a30145ec480dd48db39
https://git.kernel.org/stable/c/79d72c68c58784a3e1cd2378669d51bfd0cb7498