cve/published/2024/CVE-2024-26718.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26718: dm-crypt, dm-verity: disable tasklets

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 dm-crypt, dm-verity: disable tasklets

 Tasklets have an inherent problem with memory corruption. The function
 tasklet_action_common calls tasklet_trylock, then it calls the tasklet
 callback and then it calls tasklet_unlock. If the tasklet callback frees
 the structure that contains the tasklet or if it calls some code that may
 free it, tasklet_unlock will write into free memory.

 The commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but
 it is not a sufficient fix and the data corruption can still happen [1].
 There is no fix for dm-verity and dm-verity will write into free memory
 with every tasklet-processed bio.

 There will be atomic workqueues implemented in the kernel 6.9 [2]. They
 will have better interface and they will not suffer from the memory
 corruption problem.

 But we need something that stops the memory corruption now and that can be
 backported to the stable kernels. So, I'm proposing this commit that
 disables tasklets in both dm-crypt and dm-verity. This commit doesn't
 remove the tasklet support, because the tasklet code will be reused when
 atomic workqueues will be implemented.

 [1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/
 [2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/

 The Linux kernel CVE team has assigned CVE-2024-26718 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.9 with commit 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 and fixed in 5.15.169 with commit b825e0f9d68c178072bffd32dd34c39e3d2d597a
 	Issue introduced in 5.9 with commit 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 and fixed in 6.1.79 with commit 30884a44e0cedc3dfda8c22432f3ba4078ec2d94
 	Issue introduced in 5.9 with commit 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 and fixed in 6.6.18 with commit 5735a2671ffb70ea29ca83969fe01316ee2ed6fc
 	Issue introduced in 5.9 with commit 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 and fixed in 6.7.6 with commit 0c45a20cbe68bc4d681734f5c03891124a274257
 	Issue introduced in 5.9 with commit 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 and fixed in 6.8 with commit 0a9bab391e336489169b95cb0d4553d921302189

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26718
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/md/dm-crypt.c
 	drivers/md/dm-verity-target.c
 	drivers/md/dm-verity.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b825e0f9d68c178072bffd32dd34c39e3d2d597a
 	https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94
 	https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc
 	https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257
 	https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26718: dm-crypt, dm-verity: disable tasklets

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	dm-crypt, dm-verity: disable tasklets

	Tasklets have an inherent problem with memory corruption. The function
	tasklet_action_common calls tasklet_trylock, then it calls the tasklet
	callback and then it calls tasklet_unlock. If the tasklet callback frees
	the structure that contains the tasklet or if it calls some code that may
	free it, tasklet_unlock will write into free memory.

	The commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but
	it is not a sufficient fix and the data corruption can still happen [1].
	There is no fix for dm-verity and dm-verity will write into free memory
	with every tasklet-processed bio.

	There will be atomic workqueues implemented in the kernel 6.9 [2]. They
	will have better interface and they will not suffer from the memory
	corruption problem.

	But we need something that stops the memory corruption now and that can be
	backported to the stable kernels. So, I'm proposing this commit that
	disables tasklets in both dm-crypt and dm-verity. This commit doesn't
	remove the tasklet support, because the tasklet code will be reused when
	atomic workqueues will be implemented.

	[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/
	[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/

	The Linux kernel CVE team has assigned CVE-2024-26718 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.9 with commit 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 and fixed in 5.15.169 with commit b825e0f9d68c178072bffd32dd34c39e3d2d597a
	Issue introduced in 5.9 with commit 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 and fixed in 6.1.79 with commit 30884a44e0cedc3dfda8c22432f3ba4078ec2d94
	Issue introduced in 5.9 with commit 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 and fixed in 6.6.18 with commit 5735a2671ffb70ea29ca83969fe01316ee2ed6fc
	Issue introduced in 5.9 with commit 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 and fixed in 6.7.6 with commit 0c45a20cbe68bc4d681734f5c03891124a274257
	Issue introduced in 5.9 with commit 39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877 and fixed in 6.8 with commit 0a9bab391e336489169b95cb0d4553d921302189

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26718
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/md/dm-crypt.c
	drivers/md/dm-verity-target.c
	drivers/md/dm-verity.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b825e0f9d68c178072bffd32dd34c39e3d2d597a
	https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94
	https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc
	https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257
	https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189