From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-41012: filelock: Remove locks reliably when fcntl/close race is detected
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

filelock: Remove locks reliably when fcntl/close race is detected

When fcntl_setlk() races with close(), it removes the created lock with
do_lock_file_wait().

However, LSMs can allow the first do_lock_file_wait() that created the lock
while denying the second do_lock_file_wait() that tries to remove the lock.
Separately, posix_lock_file() could also fail to remove a lock due to
GFP_KERNEL allocation failure (when splitting a range in the middle).

After the bug has been triggered, use-after-free reads will occur in
lock_get_status() when userspace reads /proc/locks. This can likely be used
to read arbitrary kernel memory, but can't corrupt kernel memory.

Fix it by calling locks_remove_posix() instead, which is designed to
reliably get rid of POSIX locks associated with the given file and
files_struct and is also used by filp_flush().
The Linux kernel CVE team has assigned CVE-2024-41012 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.13 with commit c293621bbf678a3d85e3ed721c3921c8a670610d and fixed in 4.19.319 with commit d30ff33040834c3b9eee29740acd92f9c7ba2250
Issue introduced in 2.6.13 with commit c293621bbf678a3d85e3ed721c3921c8a670610d and fixed in 5.4.281 with commit dc2ce1dfceaa0767211a9d963ddb029ab21c4235
Issue introduced in 2.6.13 with commit c293621bbf678a3d85e3ed721c3921c8a670610d and fixed in 5.10.223 with commit 5661b9c7ec189406c2dde00837aaa4672efb6240
Issue introduced in 2.6.13 with commit c293621bbf678a3d85e3ed721c3921c8a670610d and fixed in 5.15.164 with commit 52c87ab18c76c14d7209646ccb3283b3f5d87b22
Issue introduced in 2.6.13 with commit c293621bbf678a3d85e3ed721c3921c8a670610d and fixed in 6.1.101 with commit ef8fc41cd6f95f9a4a3470f085aecf350569a0b3
Issue introduced in 2.6.13 with commit c293621bbf678a3d85e3ed721c3921c8a670610d and fixed in 6.6.42 with commit 5f5d0799eb0a01d550c21b7894e26b2d9db55763
Issue introduced in 2.6.13 with commit c293621bbf678a3d85e3ed721c3921c8a670610d and fixed in 6.9.9 with commit b6d223942c34057fdfd8f149e763fa823731b224
Issue introduced in 2.6.13 with commit c293621bbf678a3d85e3ed721c3921c8a670610d and fixed in 6.10 with commit 3cad1bc010416c6dd780643476bc59ed742436b9
Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-41012
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
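As an added example, not part of this announcement or of the kernel tree: a small Python check that maps a `uname -r` string onto the introduced/fixed versions listed above. It assumes an upstream or stable.kernel.org version string; distribution kernels backport fixes without changing the version number, so for those the vendor advisory, not this check, is authoritative.

```python
import re

# Introduction point and first fixed release per stable series, taken from
# the CVE-2024-41012 announcement. The classification logic is this example's own.
INTRODUCED = (2, 6, 13)
FIXED = {
    (4, 19): (4, 19, 319),
    (5, 4): (5, 4, 281),
    (5, 10): (5, 10, 223),
    (5, 15): (5, 15, 164),
    (6, 1): (6, 1, 101),
    (6, 6): (6, 6, 42),
    (6, 9): (6, 9, 9),
}
MAINLINE_FIXED = (6, 10, 0)  # fix landed in the 6.10 release


def parse_version(release):
    """Turn a `uname -r` string such as '6.6.41-generic' into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(release):
    """Classify an upstream kernel version string against CVE-2024-41012.

    Returns 'not affected' (predates the buggy commit), 'fixed', 'affected',
    or 'unknown' (a series the announcement lists no fix for, e.g. an EOL
    series, or a release candidate of the mainline fix release).
    """
    v = parse_version(release)
    if v < INTRODUCED:
        return "not affected"
    series = v[:2]
    if series in FIXED:
        return "fixed" if v >= FIXED[series] else "affected"
    if series == MAINLINE_FIXED[:2] and "-rc" in release:
        return "unknown"  # 6.10-rcN may or may not carry the fix; do not guess
    if v >= MAINLINE_FIXED:
        return "fixed"
    return "unknown"


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(f"{rel}: {assess(rel)}")
```

An "unknown" result means the announcement does not cover that series; treat it as affected until a vendor advisory or the git history of fs/locks.c says otherwise.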
Affected files
==============
The file(s) affected by this issue are:
fs/locks.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/d30ff33040834c3b9eee29740acd92f9c7ba2250
https://git.kernel.org/stable/c/dc2ce1dfceaa0767211a9d963ddb029ab21c4235
https://git.kernel.org/stable/c/5661b9c7ec189406c2dde00837aaa4672efb6240
https://git.kernel.org/stable/c/52c87ab18c76c14d7209646ccb3283b3f5d87b22
https://git.kernel.org/stable/c/ef8fc41cd6f95f9a4a3470f085aecf350569a0b3
https://git.kernel.org/stable/c/5f5d0799eb0a01d550c21b7894e26b2d9db55763
https://git.kernel.org/stable/c/b6d223942c34057fdfd8f149e763fa823731b224
https://git.kernel.org/stable/c/3cad1bc010416c6dd780643476bc59ed742436b9