cve/published/2024/CVE-2024-26689.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26689: ceph: prevent use-after-free in encode_cap_msg()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ceph: prevent use-after-free in encode_cap_msg()

 In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was
 caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This
 implies before the refcount could be increment here, it was freed.

 In same file, in "handle_cap_grant()" refcount is decremented by this
 line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race
 occurred and resource was freed by the latter line before the former
 line could increment it.

 encode_cap_msg() is called by __send_cap() and __send_cap() is called by
 ceph_check_caps() after calling __prep_cap(). __prep_cap() is where
 arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where
 the refcount must be increased to prevent "use after free" error.

 The Linux kernel CVE team has assigned CVE-2024-26689 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.34 with commit 9030aaf9bf0a1eee47a154c316c789e959638b0f and fixed in 5.10.210 with commit 8180d0c27b93a6eb60da1b08ea079e3926328214
 	Issue introduced in 2.6.34 with commit 9030aaf9bf0a1eee47a154c316c789e959638b0f and fixed in 5.15.149 with commit 70e329b440762390258a6fe8c0de93c9fdd56c77
 	Issue introduced in 2.6.34 with commit 9030aaf9bf0a1eee47a154c316c789e959638b0f and fixed in 6.1.79 with commit f3f98d7d84b31828004545e29fd7262b9f444139
 	Issue introduced in 2.6.34 with commit 9030aaf9bf0a1eee47a154c316c789e959638b0f and fixed in 6.6.18 with commit ae20db45e482303a20e56f2db667a9d9c54ac7e7
 	Issue introduced in 2.6.34 with commit 9030aaf9bf0a1eee47a154c316c789e959638b0f and fixed in 6.7.6 with commit 7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc
 	Issue introduced in 2.6.34 with commit 9030aaf9bf0a1eee47a154c316c789e959638b0f and fixed in 6.8 with commit cda4672da1c26835dcbd7aec2bfed954eda9b5ef

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26689
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ceph/caps.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8180d0c27b93a6eb60da1b08ea079e3926328214
 	https://git.kernel.org/stable/c/70e329b440762390258a6fe8c0de93c9fdd56c77
 	https://git.kernel.org/stable/c/f3f98d7d84b31828004545e29fd7262b9f444139
 	https://git.kernel.org/stable/c/ae20db45e482303a20e56f2db667a9d9c54ac7e7
 	https://git.kernel.org/stable/c/7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc
 	https://git.kernel.org/stable/c/cda4672da1c26835dcbd7aec2bfed954eda9b5ef
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26689: ceph: prevent use-after-free in encode_cap_msg()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ceph: prevent use-after-free in encode_cap_msg()

	In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was
	caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This
	implies before the refcount could be increment here, it was freed.

	In same file, in "handle_cap_grant()" refcount is decremented by this
	line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race
	occurred and resource was freed by the latter line before the former
	line could increment it.

	encode_cap_msg() is called by __send_cap() and __send_cap() is called by
	ceph_check_caps() after calling __prep_cap(). __prep_cap() is where
	arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where
	the refcount must be increased to prevent "use after free" error.

	The Linux kernel CVE team has assigned CVE-2024-26689 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.34 with commit 9030aaf9bf0a1eee47a154c316c789e959638b0f and fixed in 5.10.210 with commit 8180d0c27b93a6eb60da1b08ea079e3926328214
	Issue introduced in 2.6.34 with commit 9030aaf9bf0a1eee47a154c316c789e959638b0f and fixed in 5.15.149 with commit 70e329b440762390258a6fe8c0de93c9fdd56c77
	Issue introduced in 2.6.34 with commit 9030aaf9bf0a1eee47a154c316c789e959638b0f and fixed in 6.1.79 with commit f3f98d7d84b31828004545e29fd7262b9f444139
	Issue introduced in 2.6.34 with commit 9030aaf9bf0a1eee47a154c316c789e959638b0f and fixed in 6.6.18 with commit ae20db45e482303a20e56f2db667a9d9c54ac7e7
	Issue introduced in 2.6.34 with commit 9030aaf9bf0a1eee47a154c316c789e959638b0f and fixed in 6.7.6 with commit 7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc
	Issue introduced in 2.6.34 with commit 9030aaf9bf0a1eee47a154c316c789e959638b0f and fixed in 6.8 with commit cda4672da1c26835dcbd7aec2bfed954eda9b5ef

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26689
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ceph/caps.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8180d0c27b93a6eb60da1b08ea079e3926328214
	https://git.kernel.org/stable/c/70e329b440762390258a6fe8c0de93c9fdd56c77
	https://git.kernel.org/stable/c/f3f98d7d84b31828004545e29fd7262b9f444139
	https://git.kernel.org/stable/c/ae20db45e482303a20e56f2db667a9d9c54ac7e7
	https://git.kernel.org/stable/c/7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc
	https://git.kernel.org/stable/c/cda4672da1c26835dcbd7aec2bfed954eda9b5ef