cve/published/2024/CVE-2024-36939.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36939: nfs: Handle error of rpc_proc_register() in nfs_net_init().

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nfs: Handle error of rpc_proc_register() in nfs_net_init().

 syzkaller reported a warning [0] triggered while destroying immature
 netns.

 rpc_proc_register() was called in init_nfs_fs(), but its error
 has been ignored since at least the initial commit 1da177e4c3f4
 ("Linux-2.6.12-rc2").

 Recently, commit d47151b79e32 ("nfs: expose /proc/net/sunrpc/nfs
 in net namespaces") converted the procfs to per-netns and made
 the problem more visible.

 Even when rpc_proc_register() fails, nfs_net_init() could succeed,
 and thus nfs_net_exit() will be called while destroying the netns.

 Then, remove_proc_entry() will be called for non-existing proc
 directory and trigger the warning below.

 Let's handle the error of rpc_proc_register() properly in nfs_net_init().

 [0]:
 name 'nfs'
 WARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711
 Modules linked in:
 CPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
 RIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711
 Code: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb
 RSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286
 RAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c
 RDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001
 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
 R10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc
 R13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8
 FS:  00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 PKRU: 55555554
 Call Trace:
  <TASK>
  rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310
  nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438
  ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170
  setup_net+0x46c/0x660 net/core/net_namespace.c:372
  copy_net_ns+0x244/0x590 net/core/net_namespace.c:505
  create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110
  unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228
  ksys_unshare+0x342/0x760 kernel/fork.c:3322
  __do_sys_unshare kernel/fork.c:3393 [inline]
  __se_sys_unshare kernel/fork.c:3391 [inline]
  __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x46/0x4e
 RIP: 0033:0x7f30d0febe5d
 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
 RSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
 RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600
 RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
 R13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000
  </TASK>

 The Linux kernel CVE team has assigned CVE-2024-36939 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.276 with commit b33ca18c3a1190208dfd569c4fa8a2f93084709f
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.217 with commit d4891d817350c67392d4731536945f3809a2a0ba
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.159 with commit ea6ce93327bd2c8a0c6cf6f2f0e800f3b778f021
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.91 with commit 8ae63bd858691bee0e2a92571f2fbb36a4d86d65
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.31 with commit 8a1f89c98dcc542dd6d287e573523714702e0f9c
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.8.10 with commit 9909dde2e53a19585212c32fe3eda482b5faaaa3
 	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.9 with commit 24457f1be29f1e7042e50a7749f5c2dde8c433c8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36939
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/nfs/inode.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b33ca18c3a1190208dfd569c4fa8a2f93084709f
 	https://git.kernel.org/stable/c/d4891d817350c67392d4731536945f3809a2a0ba
 	https://git.kernel.org/stable/c/ea6ce93327bd2c8a0c6cf6f2f0e800f3b778f021
 	https://git.kernel.org/stable/c/8ae63bd858691bee0e2a92571f2fbb36a4d86d65
 	https://git.kernel.org/stable/c/8a1f89c98dcc542dd6d287e573523714702e0f9c
 	https://git.kernel.org/stable/c/9909dde2e53a19585212c32fe3eda482b5faaaa3
 	https://git.kernel.org/stable/c/24457f1be29f1e7042e50a7749f5c2dde8c433c8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36939: nfs: Handle error of rpc_proc_register() in nfs_net_init().

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nfs: Handle error of rpc_proc_register() in nfs_net_init().

	syzkaller reported a warning [0] triggered while destroying immature
	netns.

	rpc_proc_register() was called in init_nfs_fs(), but its error
	has been ignored since at least the initial commit 1da177e4c3f4
	("Linux-2.6.12-rc2").

	Recently, commit d47151b79e32 ("nfs: expose /proc/net/sunrpc/nfs
	in net namespaces") converted the procfs to per-netns and made
	the problem more visible.

	Even when rpc_proc_register() fails, nfs_net_init() could succeed,
	and thus nfs_net_exit() will be called while destroying the netns.

	Then, remove_proc_entry() will be called for non-existing proc
	directory and trigger the warning below.

	Let's handle the error of rpc_proc_register() properly in nfs_net_init().

	[0]:
	name 'nfs'
	WARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711
	Modules linked in:
	CPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
	RIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711
	Code: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff <0f> 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb
	RSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286
	RAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c
	RDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001
	RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
	R10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc
	R13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8
	FS: 00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	PKRU: 55555554
	Call Trace:
	<TASK>
	rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310
	nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438
	ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170
	setup_net+0x46c/0x660 net/core/net_namespace.c:372
	copy_net_ns+0x244/0x590 net/core/net_namespace.c:505
	create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110
	unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228
	ksys_unshare+0x342/0x760 kernel/fork.c:3322
	__do_sys_unshare kernel/fork.c:3393 [inline]
	__se_sys_unshare kernel/fork.c:3391 [inline]
	__x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x46/0x4e
	RIP: 0033:0x7f30d0febe5d
	Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
	RSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
	RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d
	RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600
	RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
	R13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-36939 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.276 with commit b33ca18c3a1190208dfd569c4fa8a2f93084709f
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.217 with commit d4891d817350c67392d4731536945f3809a2a0ba
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.159 with commit ea6ce93327bd2c8a0c6cf6f2f0e800f3b778f021
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.91 with commit 8ae63bd858691bee0e2a92571f2fbb36a4d86d65
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.31 with commit 8a1f89c98dcc542dd6d287e573523714702e0f9c
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.8.10 with commit 9909dde2e53a19585212c32fe3eda482b5faaaa3
	Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.9 with commit 24457f1be29f1e7042e50a7749f5c2dde8c433c8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36939
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/nfs/inode.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b33ca18c3a1190208dfd569c4fa8a2f93084709f
	https://git.kernel.org/stable/c/d4891d817350c67392d4731536945f3809a2a0ba
	https://git.kernel.org/stable/c/ea6ce93327bd2c8a0c6cf6f2f0e800f3b778f021
	https://git.kernel.org/stable/c/8ae63bd858691bee0e2a92571f2fbb36a4d86d65
	https://git.kernel.org/stable/c/8a1f89c98dcc542dd6d287e573523714702e0f9c
	https://git.kernel.org/stable/c/9909dde2e53a19585212c32fe3eda482b5faaaa3
	https://git.kernel.org/stable/c/24457f1be29f1e7042e50a7749f5c2dde8c433c8