cve/published/2024/CVE-2024-36892.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36892: mm/slub: avoid zeroing outside-object freepointer for single free

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm/slub: avoid zeroing outside-object freepointer for single free

 Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeing
 separately") splits single and bulk object freeing in two functions
 slab_free() and slab_free_bulk() which leads slab_free() to call
 slab_free_hook() directly instead of slab_free_freelist_hook().

 If `init_on_free` is set, slab_free_hook() zeroes the object.
 Afterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are
 set, the do_slab_free() slowpath executes freelist consistency
 checks and try to decode a zeroed freepointer which leads to a
 "Freepointer corrupt" detection in check_object().

 During bulk free, slab_free_freelist_hook() isn't affected as it always
 sets it objects freepointer using set_freepointer() to maintain its
 reconstructed freelist after `init_on_free`.

 For single free, object's freepointer thus needs to be avoided when
 stored outside the object if `init_on_free` is set. The freepointer left
 as is, check_object() may later detect an invalid pointer value due to
 objects overflow.

 To reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the
 command line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`.

 dmesg sample log:
 [   10.708715] =============================================================================
 [   10.710323] BUG kmalloc-rnd-05-32 (Tainted: G    B           T ): Freepointer corrupt
 [   10.712695] -----------------------------------------------------------------------------
 [   10.712695]
 [   10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2)
 [   10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c
 [   10.716698]
 [   10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [   10.720703] Object   ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [   10.720703] Object   ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [   10.724696] Padding  ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [   10.724696] Padding  ffff9d9a8035667c: 00 00 00 00                                      ....
 [   10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed

 The Linux kernel CVE team has assigned CVE-2024-36892 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit 284f17ac13fe34ae9eecbe57bb91553374d9b855 and fixed in 6.8.10 with commit 56900355485f6e82114b18c812edd57fd7970dcb
 	Issue introduced in 6.8 with commit 284f17ac13fe34ae9eecbe57bb91553374d9b855 and fixed in 6.9 with commit 8f828aa48812ced28aa39cb3cfe55ef2444d03dd

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36892
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/slub.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/56900355485f6e82114b18c812edd57fd7970dcb
 	https://git.kernel.org/stable/c/8f828aa48812ced28aa39cb3cfe55ef2444d03dd
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36892: mm/slub: avoid zeroing outside-object freepointer for single free

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm/slub: avoid zeroing outside-object freepointer for single free

	Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeing
	separately") splits single and bulk object freeing in two functions
	slab_free() and slab_free_bulk() which leads slab_free() to call
	slab_free_hook() directly instead of slab_free_freelist_hook().

	If `init_on_free` is set, slab_free_hook() zeroes the object.
	Afterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are
	set, the do_slab_free() slowpath executes freelist consistency
	checks and try to decode a zeroed freepointer which leads to a
	"Freepointer corrupt" detection in check_object().

	During bulk free, slab_free_freelist_hook() isn't affected as it always
	sets it objects freepointer using set_freepointer() to maintain its
	reconstructed freelist after `init_on_free`.

	For single free, object's freepointer thus needs to be avoided when
	stored outside the object if `init_on_free` is set. The freepointer left
	as is, check_object() may later detect an invalid pointer value due to
	objects overflow.

	To reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the
	command line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`.

	dmesg sample log:
	[ 10.708715] =============================================================================
	[ 10.710323] BUG kmalloc-rnd-05-32 (Tainted: G B T ): Freepointer corrupt
	[ 10.712695] -----------------------------------------------------------------------------
	[ 10.712695]
	[ 10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset\|slab\|node=0\|zone=2)
	[ 10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c
	[ 10.716698]
	[ 10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	[ 10.720703] Object ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	[ 10.720703] Object ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	[ 10.724696] Padding ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	[ 10.724696] Padding ffff9d9a8035667c: 00 00 00 00 ....
	[ 10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed

	The Linux kernel CVE team has assigned CVE-2024-36892 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit 284f17ac13fe34ae9eecbe57bb91553374d9b855 and fixed in 6.8.10 with commit 56900355485f6e82114b18c812edd57fd7970dcb
	Issue introduced in 6.8 with commit 284f17ac13fe34ae9eecbe57bb91553374d9b855 and fixed in 6.9 with commit 8f828aa48812ced28aa39cb3cfe55ef2444d03dd

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36892
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/slub.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/56900355485f6e82114b18c812edd57fd7970dcb
	https://git.kernel.org/stable/c/8f828aa48812ced28aa39cb3cfe55ef2444d03dd