cve/published/2024/CVE-2024-36979.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36979: net: bridge: mst: fix vlan use-after-free

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: bridge: mst: fix vlan use-after-free

 syzbot reported a suspicious rcu usage[1] in bridge's mst code. While
 fixing it I noticed that nothing prevents a vlan to be freed while
 walking the list from the same path (br forward delay timer). Fix the rcu
 usage and also make sure we are not accessing freed memory by making
 br_mst_vlan_set_state use rcu read lock.

 [1]
  WARNING: suspicious RCU usage
  6.9.0-rc6-syzkaller #0 Not tainted
  -----------------------------
  net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!
  ...
  stack backtrace:
  CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
  Call Trace:
   <IRQ>
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
   lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
   nbp_vlan_group net/bridge/br_private.h:1599 [inline]
   br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105
   br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47
   br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88
   call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793
   expire_timers kernel/time/timer.c:1844 [inline]
   __run_timers kernel/time/timer.c:2418 [inline]
   __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429
   run_timer_base kernel/time/timer.c:2438 [inline]
   run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448
   __do_softirq+0x2c6/0x980 kernel/softirq.c:554
   invoke_softirq kernel/softirq.c:428 [inline]
   __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
   irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
   instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
   sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
   </IRQ>
   <TASK>
  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
  RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758
  Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25
  RSP: 0018:ffffc90013657100 EFLAGS: 00000206
  RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001
  RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60
  RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0
  R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28
  R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246

 The Linux kernel CVE team has assigned CVE-2024-36979 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.18 with commit ec7328b59176227216c461601c6bd0e922232a9b and fixed in 6.1.93 with commit 8ca9a750fc711911ef616ceb627d07357b04545e
 	Issue introduced in 5.18 with commit ec7328b59176227216c461601c6bd0e922232a9b and fixed in 6.6.33 with commit 4488617e5e995a09abe4d81add5fb165674edb59
 	Issue introduced in 5.18 with commit ec7328b59176227216c461601c6bd0e922232a9b and fixed in 6.8.12 with commit a2b01e65d9ba8af2bb086d3b7288ca53a07249ac
 	Issue introduced in 5.18 with commit ec7328b59176227216c461601c6bd0e922232a9b and fixed in 6.9.3 with commit e43dd2b1ec746e105b7db5f9ad6ef14685a615a4
 	Issue introduced in 5.18 with commit ec7328b59176227216c461601c6bd0e922232a9b and fixed in 6.10 with commit 3a7c1661ae1383364cd6092d851f5e5da64d476b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36979
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bridge/br_mst.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8ca9a750fc711911ef616ceb627d07357b04545e
 	https://git.kernel.org/stable/c/4488617e5e995a09abe4d81add5fb165674edb59
 	https://git.kernel.org/stable/c/a2b01e65d9ba8af2bb086d3b7288ca53a07249ac
 	https://git.kernel.org/stable/c/e43dd2b1ec746e105b7db5f9ad6ef14685a615a4
 	https://git.kernel.org/stable/c/3a7c1661ae1383364cd6092d851f5e5da64d476b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36979: net: bridge: mst: fix vlan use-after-free

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: bridge: mst: fix vlan use-after-free

	syzbot reported a suspicious rcu usage[1] in bridge's mst code. While
	fixing it I noticed that nothing prevents a vlan to be freed while
	walking the list from the same path (br forward delay timer). Fix the rcu
	usage and also make sure we are not accessing freed memory by making
	br_mst_vlan_set_state use rcu read lock.

	[1]
	WARNING: suspicious RCU usage
	6.9.0-rc6-syzkaller #0 Not tainted
	-----------------------------
	net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!
	...
	stack backtrace:
	CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
	Call Trace:
	<IRQ>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
	lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
	nbp_vlan_group net/bridge/br_private.h:1599 [inline]
	br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105
	br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47
	br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88
	call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793
	expire_timers kernel/time/timer.c:1844 [inline]
	__run_timers kernel/time/timer.c:2418 [inline]
	__run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429
	run_timer_base kernel/time/timer.c:2438 [inline]
	run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448
	__do_softirq+0x2c6/0x980 kernel/softirq.c:554
	invoke_softirq kernel/softirq.c:428 [inline]
	__irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
	irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
	instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
	sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
	</IRQ>
	<TASK>
	asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
	RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758
	Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25
	RSP: 0018:ffffc90013657100 EFLAGS: 00000206
	RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001
	RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60
	RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0
	R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28
	R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246

	The Linux kernel CVE team has assigned CVE-2024-36979 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.18 with commit ec7328b59176227216c461601c6bd0e922232a9b and fixed in 6.1.93 with commit 8ca9a750fc711911ef616ceb627d07357b04545e
	Issue introduced in 5.18 with commit ec7328b59176227216c461601c6bd0e922232a9b and fixed in 6.6.33 with commit 4488617e5e995a09abe4d81add5fb165674edb59
	Issue introduced in 5.18 with commit ec7328b59176227216c461601c6bd0e922232a9b and fixed in 6.8.12 with commit a2b01e65d9ba8af2bb086d3b7288ca53a07249ac
	Issue introduced in 5.18 with commit ec7328b59176227216c461601c6bd0e922232a9b and fixed in 6.9.3 with commit e43dd2b1ec746e105b7db5f9ad6ef14685a615a4
	Issue introduced in 5.18 with commit ec7328b59176227216c461601c6bd0e922232a9b and fixed in 6.10 with commit 3a7c1661ae1383364cd6092d851f5e5da64d476b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36979
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bridge/br_mst.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8ca9a750fc711911ef616ceb627d07357b04545e
	https://git.kernel.org/stable/c/4488617e5e995a09abe4d81add5fb165674edb59
	https://git.kernel.org/stable/c/a2b01e65d9ba8af2bb086d3b7288ca53a07249ac
	https://git.kernel.org/stable/c/e43dd2b1ec746e105b7db5f9ad6ef14685a615a4
	https://git.kernel.org/stable/c/3a7c1661ae1383364cd6092d851f5e5da64d476b