cve/published/2024/CVE-2024-26924.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26924: netfilter: nft_set_pipapo: do not free live element

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nft_set_pipapo: do not free live element

 Pablo reports a crash with large batches of elements with a
 back-to-back add/remove pattern.  Quoting Pablo:

   add_elem("00000000") timeout 100 ms
   ...
   add_elem("0000000X") timeout 100 ms
   del_elem("0000000X") <---------------- delete one that was just added
   ...
   add_elem("00005000") timeout 100 ms

   1) nft_pipapo_remove() removes element 0000000X
   Then, KASAN shows a splat.

 Looking at the remove function there is a chance that we will drop a
 rule that maps to a non-deactivated element.

 Removal happens in two steps, first we do a lookup for key k and return the
 to-be-removed element and mark it as inactive in the next generation.
 Then, in a second step, the element gets removed from the set/map.

 The _remove function does not work correctly if we have more than one
 element that share the same key.

 This can happen if we insert an element into a set when the set already
 holds an element with same key, but the element mapping to the existing
 key has timed out or is not active in the next generation.

 In such case its possible that removal will unmap the wrong element.
 If this happens, we will leak the non-deactivated element, it becomes
 unreachable.

 The element that got deactivated (and will be freed later) will
 remain reachable in the set data structure, this can result in
 a crash when such an element is retrieved during lookup (stale
 pointer).

 Add a check that the fully matching key does in fact map to the element
 that we have marked as inactive in the deactivation step.
 If not, we need to continue searching.

 Add a bug/warn trap at the end of the function as well, the remove
 function must not ever be called with an invisible/unreachable/non-existent
 element.

 v2: avoid uneeded temporary variable (Stefano)

 The Linux kernel CVE team has assigned CVE-2024-26924 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 5.10.216 with commit e3b887a9c11caf8357a821260e095f2a694a34f2
 	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 5.15.157 with commit 7a1679e2d9bfa3b5f8755c2c7113e54b7d42bd46
 	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.1.88 with commit 41d8fdf3afaff312e17466e4ab732937738d5644
 	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.6.29 with commit ebf7c9746f073035ee26209e38c3a1170f7b349a
 	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.8.8 with commit 14b001ba221136c15f894577253e8db535b99487
 	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.9 with commit 3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26924
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netfilter/nft_set_pipapo.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e3b887a9c11caf8357a821260e095f2a694a34f2
 	https://git.kernel.org/stable/c/7a1679e2d9bfa3b5f8755c2c7113e54b7d42bd46
 	https://git.kernel.org/stable/c/41d8fdf3afaff312e17466e4ab732937738d5644
 	https://git.kernel.org/stable/c/ebf7c9746f073035ee26209e38c3a1170f7b349a
 	https://git.kernel.org/stable/c/14b001ba221136c15f894577253e8db535b99487
 	https://git.kernel.org/stable/c/3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26924: netfilter: nft_set_pipapo: do not free live element

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: nft_set_pipapo: do not free live element

	Pablo reports a crash with large batches of elements with a
	back-to-back add/remove pattern. Quoting Pablo:

	add_elem("00000000") timeout 100 ms
	...
	add_elem("0000000X") timeout 100 ms
	del_elem("0000000X") <---------------- delete one that was just added
	...
	add_elem("00005000") timeout 100 ms

	1) nft_pipapo_remove() removes element 0000000X
	Then, KASAN shows a splat.

	Looking at the remove function there is a chance that we will drop a
	rule that maps to a non-deactivated element.

	Removal happens in two steps, first we do a lookup for key k and return the
	to-be-removed element and mark it as inactive in the next generation.
	Then, in a second step, the element gets removed from the set/map.

	The _remove function does not work correctly if we have more than one
	element that share the same key.

	This can happen if we insert an element into a set when the set already
	holds an element with same key, but the element mapping to the existing
	key has timed out or is not active in the next generation.

	In such case its possible that removal will unmap the wrong element.
	If this happens, we will leak the non-deactivated element, it becomes
	unreachable.

	The element that got deactivated (and will be freed later) will
	remain reachable in the set data structure, this can result in
	a crash when such an element is retrieved during lookup (stale
	pointer).

	Add a check that the fully matching key does in fact map to the element
	that we have marked as inactive in the deactivation step.
	If not, we need to continue searching.

	Add a bug/warn trap at the end of the function as well, the remove
	function must not ever be called with an invisible/unreachable/non-existent
	element.

	v2: avoid uneeded temporary variable (Stefano)

	The Linux kernel CVE team has assigned CVE-2024-26924 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 5.10.216 with commit e3b887a9c11caf8357a821260e095f2a694a34f2
	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 5.15.157 with commit 7a1679e2d9bfa3b5f8755c2c7113e54b7d42bd46
	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.1.88 with commit 41d8fdf3afaff312e17466e4ab732937738d5644
	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.6.29 with commit ebf7c9746f073035ee26209e38c3a1170f7b349a
	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.8.8 with commit 14b001ba221136c15f894577253e8db535b99487
	Issue introduced in 5.6 with commit 3c4287f62044a90e73a561aa05fc46e62da173da and fixed in 6.9 with commit 3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26924
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netfilter/nft_set_pipapo.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e3b887a9c11caf8357a821260e095f2a694a34f2
	https://git.kernel.org/stable/c/7a1679e2d9bfa3b5f8755c2c7113e54b7d42bd46
	https://git.kernel.org/stable/c/41d8fdf3afaff312e17466e4ab732937738d5644
	https://git.kernel.org/stable/c/ebf7c9746f073035ee26209e38c3a1170f7b349a
	https://git.kernel.org/stable/c/14b001ba221136c15f894577253e8db535b99487
	https://git.kernel.org/stable/c/3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc