cve/published/2024/CVE-2024-35902.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35902: net/rds: fix possible cp null dereference

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/rds: fix possible cp null dereference

 cp might be null, calling cp->cp_conn would produce null dereference

 [Simon Horman adds:]

 Analysis:

 * cp is a parameter of __rds_rdma_map and is not reassigned.

 * The following call-sites pass a NULL cp argument to __rds_rdma_map()

   - rds_get_mr()
   - rds_get_mr_for_dest

 * Prior to the code above, the following assumes that cp may be NULL
   (which is indicative, but could itself be unnecessary)

 	trans_private = rs->rs_transport->get_mr(
 		sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,
 		args->vec.addr, args->vec.bytes,
 		need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);

 * The code modified by this patch is guarded by IS_ERR(trans_private),
   where trans_private is assigned as per the previous point in this analysis.

   The only implementation of get_mr that I could locate is rds_ib_get_mr()
   which can return an ERR_PTR if the conn (4th) argument is NULL.

 * ret is set to PTR_ERR(trans_private).
   rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.
   Thus ret may be -ENODEV in which case the code in question will execute.

 Conclusion:
 * cp may be NULL at the point where this patch adds a check;
   this patch does seem to address a possible bug

 The Linux kernel CVE team has assigned CVE-2024-35902 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19.310 with commit 786854141057751bc08eb26f1b02e97c1631c8f4 and fixed in 4.19.312 with commit d275de8ea7be3a453629fddae41d4156762e814c
 	Issue introduced in 5.4.272 with commit 997efea2bf3a4adb96c306b9ad6a91442237bf5b and fixed in 5.4.274 with commit bcd46782e2ec3825d10c1552fcb674d491cc09f9
 	Issue introduced in 5.10.213 with commit 9dfc15a10dfd44f8ff7f27488651cb5be6af83c2 and fixed in 5.10.215 with commit cfb786b03b03c5ff38882bee38525eb9987e4d14
 	Issue introduced in 5.15.152 with commit b562ebe21ed9adcf42242797dd6cb75beef12bf0 and fixed in 5.15.154 with commit d49fac38479bfdaec52b3ea274d290c47a294029
 	Issue introduced in 6.1.82 with commit 998fd719e6d6468b930ac0c44552ea9ff8b07b80 and fixed in 6.1.85 with commit cbaac2e5488ed54833897264a5ffb2a341a9f196
 	Issue introduced in 6.6.22 with commit 2b505d05280739ce31d5708da840f42df827cb85 and fixed in 6.6.26 with commit 92309bed3c5fbe2ccd4c45056efd42edbd06162d
 	Issue introduced in 6.8 with commit c055fc00c07be1f0df7375ab0036cebd1106ed38 and fixed in 6.8.5 with commit 6794090c742008c53b344b35b021d4a3093dc50a
 	Issue introduced in 6.8 with commit c055fc00c07be1f0df7375ab0036cebd1106ed38 and fixed in 6.9 with commit 62fc3357e079a07a22465b9b6ef71bb6ea75ee4b
 	Issue introduced in 6.7.10 with commit 907761307469adecb02461a14120e9a1812a5fb1

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35902
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/rds/rdma.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c
 	https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9
 	https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14
 	https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029
 	https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196
 	https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d
 	https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a
 	https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35902: net/rds: fix possible cp null dereference

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/rds: fix possible cp null dereference

	cp might be null, calling cp->cp_conn would produce null dereference

	[Simon Horman adds:]

	Analysis:

	* cp is a parameter of __rds_rdma_map and is not reassigned.

	* The following call-sites pass a NULL cp argument to __rds_rdma_map()

	- rds_get_mr()
	- rds_get_mr_for_dest

	* Prior to the code above, the following assumes that cp may be NULL
	(which is indicative, but could itself be unnecessary)

	trans_private = rs->rs_transport->get_mr(
	sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,
	args->vec.addr, args->vec.bytes,
	need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);

	* The code modified by this patch is guarded by IS_ERR(trans_private),
	where trans_private is assigned as per the previous point in this analysis.

	The only implementation of get_mr that I could locate is rds_ib_get_mr()
	which can return an ERR_PTR if the conn (4th) argument is NULL.

	* ret is set to PTR_ERR(trans_private).
	rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.
	Thus ret may be -ENODEV in which case the code in question will execute.

	Conclusion:
	* cp may be NULL at the point where this patch adds a check;
	this patch does seem to address a possible bug

	The Linux kernel CVE team has assigned CVE-2024-35902 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19.310 with commit 786854141057751bc08eb26f1b02e97c1631c8f4 and fixed in 4.19.312 with commit d275de8ea7be3a453629fddae41d4156762e814c
	Issue introduced in 5.4.272 with commit 997efea2bf3a4adb96c306b9ad6a91442237bf5b and fixed in 5.4.274 with commit bcd46782e2ec3825d10c1552fcb674d491cc09f9
	Issue introduced in 5.10.213 with commit 9dfc15a10dfd44f8ff7f27488651cb5be6af83c2 and fixed in 5.10.215 with commit cfb786b03b03c5ff38882bee38525eb9987e4d14
	Issue introduced in 5.15.152 with commit b562ebe21ed9adcf42242797dd6cb75beef12bf0 and fixed in 5.15.154 with commit d49fac38479bfdaec52b3ea274d290c47a294029
	Issue introduced in 6.1.82 with commit 998fd719e6d6468b930ac0c44552ea9ff8b07b80 and fixed in 6.1.85 with commit cbaac2e5488ed54833897264a5ffb2a341a9f196
	Issue introduced in 6.6.22 with commit 2b505d05280739ce31d5708da840f42df827cb85 and fixed in 6.6.26 with commit 92309bed3c5fbe2ccd4c45056efd42edbd06162d
	Issue introduced in 6.8 with commit c055fc00c07be1f0df7375ab0036cebd1106ed38 and fixed in 6.8.5 with commit 6794090c742008c53b344b35b021d4a3093dc50a
	Issue introduced in 6.8 with commit c055fc00c07be1f0df7375ab0036cebd1106ed38 and fixed in 6.9 with commit 62fc3357e079a07a22465b9b6ef71bb6ea75ee4b
	Issue introduced in 6.7.10 with commit 907761307469adecb02461a14120e9a1812a5fb1

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35902
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/rds/rdma.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c
	https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9
	https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14
	https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029
	https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196
	https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d
	https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a
	https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b