cve/published/2024/CVE-2024-44947.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-44947: fuse: Initialize beyond-EOF page contents before setting uptodate

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 fuse: Initialize beyond-EOF page contents before setting uptodate

 fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
 zeroing (because it can be used to change partial page contents).

 So fuse_notify_store() must be more careful to fully initialize page
 contents (including parts of the page that are beyond end-of-file)
 before marking the page uptodate.

 The current code can leave beyond-EOF page contents uninitialized, which
 makes these uninitialized page contents visible to userspace via mmap().

 This is an information leak, but only affects systems which do not
 enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
 corresponding kernel command line parameter).

 The Linux kernel CVE team has assigned CVE-2024-44947 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 4.19.321 with commit 49934861514d36d0995be8e81bb3312a499d8d9a
 	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 5.4.283 with commit 33168db352c7b56ae18aa55c2cae1a1c5905d30e
 	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 5.10.225 with commit 4690e2171f651e2b415e3941ce17f2f7b813aff6
 	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 5.15.166 with commit 8c78303eafbf85a728dd84d1750e89240c677dd9
 	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 6.1.107 with commit 831433527773e665bdb635ab5783d0b95d1246f4
 	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 6.6.48 with commit ac42e0f0eb66af966015ee33fd355bc6f5d80cd6
 	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 6.10.7 with commit 18a067240817bee8a9360539af5d79a4bf5398a5
 	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 6.11 with commit 3c0da3d163eb32f1f91891efaade027fa9b245b9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-44947
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/fuse/dev.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/49934861514d36d0995be8e81bb3312a499d8d9a
 	https://git.kernel.org/stable/c/33168db352c7b56ae18aa55c2cae1a1c5905d30e
 	https://git.kernel.org/stable/c/4690e2171f651e2b415e3941ce17f2f7b813aff6
 	https://git.kernel.org/stable/c/8c78303eafbf85a728dd84d1750e89240c677dd9
 	https://git.kernel.org/stable/c/831433527773e665bdb635ab5783d0b95d1246f4
 	https://git.kernel.org/stable/c/ac42e0f0eb66af966015ee33fd355bc6f5d80cd6
 	https://git.kernel.org/stable/c/18a067240817bee8a9360539af5d79a4bf5398a5
 	https://git.kernel.org/stable/c/3c0da3d163eb32f1f91891efaade027fa9b245b9
 	https://project-zero.issues.chromium.org/issues/42451729
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-44947: fuse: Initialize beyond-EOF page contents before setting uptodate

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	fuse: Initialize beyond-EOF page contents before setting uptodate

	fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
	zeroing (because it can be used to change partial page contents).

	So fuse_notify_store() must be more careful to fully initialize page
	contents (including parts of the page that are beyond end-of-file)
	before marking the page uptodate.

	The current code can leave beyond-EOF page contents uninitialized, which
	makes these uninitialized page contents visible to userspace via mmap().

	This is an information leak, but only affects systems which do not
	enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
	corresponding kernel command line parameter).

	The Linux kernel CVE team has assigned CVE-2024-44947 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 4.19.321 with commit 49934861514d36d0995be8e81bb3312a499d8d9a
	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 5.4.283 with commit 33168db352c7b56ae18aa55c2cae1a1c5905d30e
	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 5.10.225 with commit 4690e2171f651e2b415e3941ce17f2f7b813aff6
	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 5.15.166 with commit 8c78303eafbf85a728dd84d1750e89240c677dd9
	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 6.1.107 with commit 831433527773e665bdb635ab5783d0b95d1246f4
	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 6.6.48 with commit ac42e0f0eb66af966015ee33fd355bc6f5d80cd6
	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 6.10.7 with commit 18a067240817bee8a9360539af5d79a4bf5398a5
	Issue introduced in 2.6.36 with commit a1d75f258230b75d46aecdf28b2e732413028863 and fixed in 6.11 with commit 3c0da3d163eb32f1f91891efaade027fa9b245b9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-44947
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/fuse/dev.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/49934861514d36d0995be8e81bb3312a499d8d9a
	https://git.kernel.org/stable/c/33168db352c7b56ae18aa55c2cae1a1c5905d30e
	https://git.kernel.org/stable/c/4690e2171f651e2b415e3941ce17f2f7b813aff6
	https://git.kernel.org/stable/c/8c78303eafbf85a728dd84d1750e89240c677dd9
	https://git.kernel.org/stable/c/831433527773e665bdb635ab5783d0b95d1246f4
	https://git.kernel.org/stable/c/ac42e0f0eb66af966015ee33fd355bc6f5d80cd6
	https://git.kernel.org/stable/c/18a067240817bee8a9360539af5d79a4bf5398a5
	https://git.kernel.org/stable/c/3c0da3d163eb32f1f91891efaade027fa9b245b9
	https://project-zero.issues.chromium.org/issues/42451729