cve/published/2024/CVE-2024-35979.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35979: raid1: fix use-after-free for original bio in raid1_write_request()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 raid1: fix use-after-free for original bio in raid1_write_request()

 r1_bio->bios[] is used to record new bios that will be issued to
 underlying disks, however, in raid1_write_request(), r1_bio->bios[]
 will set to the original bio temporarily. Meanwhile, if blocked rdev
 is set, free_r1bio() will be called causing that all r1_bio->bios[]
 to be freed:

 raid1_write_request()
  r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL
  for (i = 0;  i < disks; i++) -> for each rdev in conf
   // first rdev is normal
   r1_bio->bios[0] = bio; -> set to original bio
   // second rdev is blocked
   if (test_bit(Blocked, &rdev->flags))
    break

  if (blocked_rdev)
   free_r1bio()
    put_all_bios()
     bio_put(r1_bio->bios[0]) -> original bio is freed

 Test scripts:

 mdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean
 fio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \
     -iodepth=128 -name=test -direct=1
 echo blocked > /sys/block/md0/md/rd2/state

 Test result:

 BUG bio-264 (Not tainted): Object already free
 -----------------------------------------------------------------------------

 Allocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869
  kmem_cache_alloc+0x324/0x480
  mempool_alloc_slab+0x24/0x50
  mempool_alloc+0x6e/0x220
  bio_alloc_bioset+0x1af/0x4d0
  blkdev_direct_IO+0x164/0x8a0
  blkdev_write_iter+0x309/0x440
  aio_write+0x139/0x2f0
  io_submit_one+0x5ca/0xb70
  __do_sys_io_submit+0x86/0x270
  __x64_sys_io_submit+0x22/0x30
  do_syscall_64+0xb1/0x210
  entry_SYSCALL_64_after_hwframe+0x6c/0x74
 Freed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869
  kmem_cache_free+0x28c/0x550
  mempool_free_slab+0x1f/0x30
  mempool_free+0x40/0x100
  bio_free+0x59/0x80
  bio_put+0xf0/0x220
  free_r1bio+0x74/0xb0
  raid1_make_request+0xadf/0x1150
  md_handle_request+0xc7/0x3b0
  md_submit_bio+0x76/0x130
  __submit_bio+0xd8/0x1d0
  submit_bio_noacct_nocheck+0x1eb/0x5c0
  submit_bio_noacct+0x169/0xd40
  submit_bio+0xee/0x1d0
  blkdev_direct_IO+0x322/0x8a0
  blkdev_write_iter+0x309/0x440
  aio_write+0x139/0x2f0

 Since that bios for underlying disks are not allocated yet, fix this
 problem by using mempool_free() directly to free the r1_bio.

 The Linux kernel CVE team has assigned CVE-2024-35979 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.6 with commit 992db13a4aee766c8bfbf046ad15c2db5fa7cab8 and fixed in 6.6.28 with commit 3f28d49a328fe20926995d5fbdc92da665596268
 	Issue introduced in 6.6 with commit 992db13a4aee766c8bfbf046ad15c2db5fa7cab8 and fixed in 6.8.7 with commit f423f41b7679c09abb26d2bd54be5cbef23c9446
 	Issue introduced in 6.6 with commit 992db13a4aee766c8bfbf046ad15c2db5fa7cab8 and fixed in 6.9 with commit fcf3f7e2fc8a53a6140beee46ec782a4c88e4744

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35979
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/md/raid1.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3f28d49a328fe20926995d5fbdc92da665596268
 	https://git.kernel.org/stable/c/f423f41b7679c09abb26d2bd54be5cbef23c9446
 	https://git.kernel.org/stable/c/fcf3f7e2fc8a53a6140beee46ec782a4c88e4744
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35979: raid1: fix use-after-free for original bio in raid1_write_request()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	raid1: fix use-after-free for original bio in raid1_write_request()

	r1_bio->bios[] is used to record new bios that will be issued to
	underlying disks, however, in raid1_write_request(), r1_bio->bios[]
	will set to the original bio temporarily. Meanwhile, if blocked rdev
	is set, free_r1bio() will be called causing that all r1_bio->bios[]
	to be freed:

	raid1_write_request()
	r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL
	for (i = 0; i < disks; i++) -> for each rdev in conf
	// first rdev is normal
	r1_bio->bios[0] = bio; -> set to original bio
	// second rdev is blocked
	if (test_bit(Blocked, &rdev->flags))
	break

	if (blocked_rdev)
	free_r1bio()
	put_all_bios()
	bio_put(r1_bio->bios[0]) -> original bio is freed

	Test scripts:

	mdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean
	fio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \
	-iodepth=128 -name=test -direct=1
	echo blocked > /sys/block/md0/md/rd2/state

	Test result:

	BUG bio-264 (Not tainted): Object already free
	-----------------------------------------------------------------------------

	Allocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869
	kmem_cache_alloc+0x324/0x480
	mempool_alloc_slab+0x24/0x50
	mempool_alloc+0x6e/0x220
	bio_alloc_bioset+0x1af/0x4d0
	blkdev_direct_IO+0x164/0x8a0
	blkdev_write_iter+0x309/0x440
	aio_write+0x139/0x2f0
	io_submit_one+0x5ca/0xb70
	__do_sys_io_submit+0x86/0x270
	__x64_sys_io_submit+0x22/0x30
	do_syscall_64+0xb1/0x210
	entry_SYSCALL_64_after_hwframe+0x6c/0x74
	Freed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869
	kmem_cache_free+0x28c/0x550
	mempool_free_slab+0x1f/0x30
	mempool_free+0x40/0x100
	bio_free+0x59/0x80
	bio_put+0xf0/0x220
	free_r1bio+0x74/0xb0
	raid1_make_request+0xadf/0x1150
	md_handle_request+0xc7/0x3b0
	md_submit_bio+0x76/0x130
	__submit_bio+0xd8/0x1d0
	submit_bio_noacct_nocheck+0x1eb/0x5c0
	submit_bio_noacct+0x169/0xd40
	submit_bio+0xee/0x1d0
	blkdev_direct_IO+0x322/0x8a0
	blkdev_write_iter+0x309/0x440
	aio_write+0x139/0x2f0

	Since that bios for underlying disks are not allocated yet, fix this
	problem by using mempool_free() directly to free the r1_bio.

	The Linux kernel CVE team has assigned CVE-2024-35979 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.6 with commit 992db13a4aee766c8bfbf046ad15c2db5fa7cab8 and fixed in 6.6.28 with commit 3f28d49a328fe20926995d5fbdc92da665596268
	Issue introduced in 6.6 with commit 992db13a4aee766c8bfbf046ad15c2db5fa7cab8 and fixed in 6.8.7 with commit f423f41b7679c09abb26d2bd54be5cbef23c9446
	Issue introduced in 6.6 with commit 992db13a4aee766c8bfbf046ad15c2db5fa7cab8 and fixed in 6.9 with commit fcf3f7e2fc8a53a6140beee46ec782a4c88e4744

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35979
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/md/raid1.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3f28d49a328fe20926995d5fbdc92da665596268
	https://git.kernel.org/stable/c/f423f41b7679c09abb26d2bd54be5cbef23c9446
	https://git.kernel.org/stable/c/fcf3f7e2fc8a53a6140beee46ec782a4c88e4744