cve/published/2024/CVE-2024-39463.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-39463: 9p: add missing locking around taking dentry fid list

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 9p: add missing locking around taking dentry fid list

 Fix a use-after-free on dentry's d_fsdata fid list when a thread
 looks up a fid through dentry while another thread unlinks it:

 UAF thread:
 refcount_t: addition on 0; use-after-free.
  p9_fid_get linux/./include/net/9p/client.h:262
  v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129
  v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181
  v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314
  v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400
  vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248

 Freed by:
  p9_fid_destroy (inlined)
  p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456
  p9_fid_put linux/./include/net/9p/client.h:278
  v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55
  v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518
  vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335

 The problem is that d_fsdata was not accessed under d_lock, because
 d_release() normally is only called once the dentry is otherwise no
 longer accessible but since we also call it explicitly in v9fs_remove
 that lock is required:
 move the hlist out of the dentry under lock then unref its fids once
 they are no longer accessible.

 The Linux kernel CVE team has assigned CVE-2024-39463 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.11 with commit 154372e67d4053e56591245eb413686621941333 and fixed in 5.15.168 with commit 3bb6763a8319170c2d41c4232c8e7e4c37dcacfb
 	Issue introduced in 5.11 with commit 154372e67d4053e56591245eb413686621941333 and fixed in 6.1.94 with commit cb299cdba09f46f090b843d78ba26b667d50a456
 	Issue introduced in 5.11 with commit 154372e67d4053e56591245eb413686621941333 and fixed in 6.6.34 with commit f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5
 	Issue introduced in 5.11 with commit 154372e67d4053e56591245eb413686621941333 and fixed in 6.9.5 with commit fe17ebf22feb4ad7094d597526d558a49aac92b4
 	Issue introduced in 5.11 with commit 154372e67d4053e56591245eb413686621941333 and fixed in 6.10 with commit c898afdc15645efb555acb6d85b484eb40a45409

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-39463
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/9p/vfs_dentry.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3bb6763a8319170c2d41c4232c8e7e4c37dcacfb
 	https://git.kernel.org/stable/c/cb299cdba09f46f090b843d78ba26b667d50a456
 	https://git.kernel.org/stable/c/f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5
 	https://git.kernel.org/stable/c/fe17ebf22feb4ad7094d597526d558a49aac92b4
 	https://git.kernel.org/stable/c/c898afdc15645efb555acb6d85b484eb40a45409
 	https://www.zerodayinitiative.com/advisories/ZDI-24-1194/
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-39463: 9p: add missing locking around taking dentry fid list

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	9p: add missing locking around taking dentry fid list

	Fix a use-after-free on dentry's d_fsdata fid list when a thread
	looks up a fid through dentry while another thread unlinks it:

	UAF thread:
	refcount_t: addition on 0; use-after-free.
	p9_fid_get linux/./include/net/9p/client.h:262
	v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129
	v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181
	v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314
	v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400
	vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248

	Freed by:
	p9_fid_destroy (inlined)
	p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456
	p9_fid_put linux/./include/net/9p/client.h:278
	v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55
	v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518
	vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335

	The problem is that d_fsdata was not accessed under d_lock, because
	d_release() normally is only called once the dentry is otherwise no
	longer accessible but since we also call it explicitly in v9fs_remove
	that lock is required:
	move the hlist out of the dentry under lock then unref its fids once
	they are no longer accessible.

	The Linux kernel CVE team has assigned CVE-2024-39463 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.11 with commit 154372e67d4053e56591245eb413686621941333 and fixed in 5.15.168 with commit 3bb6763a8319170c2d41c4232c8e7e4c37dcacfb
	Issue introduced in 5.11 with commit 154372e67d4053e56591245eb413686621941333 and fixed in 6.1.94 with commit cb299cdba09f46f090b843d78ba26b667d50a456
	Issue introduced in 5.11 with commit 154372e67d4053e56591245eb413686621941333 and fixed in 6.6.34 with commit f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5
	Issue introduced in 5.11 with commit 154372e67d4053e56591245eb413686621941333 and fixed in 6.9.5 with commit fe17ebf22feb4ad7094d597526d558a49aac92b4
	Issue introduced in 5.11 with commit 154372e67d4053e56591245eb413686621941333 and fixed in 6.10 with commit c898afdc15645efb555acb6d85b484eb40a45409

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-39463
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/9p/vfs_dentry.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3bb6763a8319170c2d41c4232c8e7e4c37dcacfb
	https://git.kernel.org/stable/c/cb299cdba09f46f090b843d78ba26b667d50a456
	https://git.kernel.org/stable/c/f0c5c944c6d8614c19e6e9a97fd2011dcd30e8f5
	https://git.kernel.org/stable/c/fe17ebf22feb4ad7094d597526d558a49aac92b4
	https://git.kernel.org/stable/c/c898afdc15645efb555acb6d85b484eb40a45409
	https://www.zerodayinitiative.com/advisories/ZDI-24-1194/