cve/published/2024/CVE-2024-46771.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46771: can: bcm: Remove proc entry when dev is unregistered.

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 can: bcm: Remove proc entry when dev is unregistered.

 syzkaller reported a warning in bcm_connect() below. [0]

 The repro calls connect() to vxcan1, removes vxcan1, and calls
 connect() with ifindex == 0.

 Calling connect() for a BCM socket allocates a proc entry.
 Then, bcm_sk(sk)->bound is set to 1 to prevent further connect().

 However, removing the bound device resets bcm_sk(sk)->bound to 0
 in bcm_notify().

 The 2nd connect() tries to allocate a proc entry with the same
 name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the
 original proc entry.

 Since the proc entry is available only for connect()ed sockets,
 let's clean up the entry when the bound netdev is unregistered.

 [0]:
 proc_dir_entry 'can-bcm/2456' already registered
 WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375
 Modules linked in:
 CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
 RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375
 Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48
 RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246
 RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
 RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0
 R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec
 FS:  00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
 PKRU: 55555554
 Call Trace:
  <TASK>
  proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220
  bcm_connect+0x472/0x840 net/can/bcm.c:1673
  __sys_connect_file net/socket.c:2049 [inline]
  __sys_connect+0x5d2/0x690 net/socket.c:2066
  __do_sys_connect net/socket.c:2076 [inline]
  __se_sys_connect net/socket.c:2073 [inline]
  __x64_sys_connect+0x8f/0x100 net/socket.c:2073
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x4b/0x53
 RIP: 0033:0x7fbd708b0e5d
 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
 RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d
 RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
 RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040
 R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098
 R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000
  </TASK>
 remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'

 The Linux kernel CVE team has assigned CVE-2024-46771 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 4.19.322 with commit 5c680022c4e28ba18ea500f3e29f0428271afa92
 	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 5.4.284 with commit 33ed4ba73caae39f34ab874ba79138badc2c65dd
 	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 5.10.226 with commit aec92dbebdbec7567d9f56d7c9296a572b8fd849
 	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 5.15.167 with commit 10bfacbd5e8d821011d857bee73310457c9c989a
 	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 6.1.110 with commit 3b39dc2901aa7a679a5ca981a3de9f8d5658afe8
 	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 6.6.51 with commit 4377b79323df62eb5d310354f19b4d130ff58d50
 	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 6.10.10 with commit abb0a615569ec008e8a93d9f3ab2d5b418ea94d4
 	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 6.11 with commit 76fe372ccb81b0c89b6cd2fec26e2f38c958be85

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46771
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/can/bcm.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5c680022c4e28ba18ea500f3e29f0428271afa92
 	https://git.kernel.org/stable/c/33ed4ba73caae39f34ab874ba79138badc2c65dd
 	https://git.kernel.org/stable/c/aec92dbebdbec7567d9f56d7c9296a572b8fd849
 	https://git.kernel.org/stable/c/10bfacbd5e8d821011d857bee73310457c9c989a
 	https://git.kernel.org/stable/c/3b39dc2901aa7a679a5ca981a3de9f8d5658afe8
 	https://git.kernel.org/stable/c/4377b79323df62eb5d310354f19b4d130ff58d50
 	https://git.kernel.org/stable/c/abb0a615569ec008e8a93d9f3ab2d5b418ea94d4
 	https://git.kernel.org/stable/c/76fe372ccb81b0c89b6cd2fec26e2f38c958be85
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46771: can: bcm: Remove proc entry when dev is unregistered.

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	can: bcm: Remove proc entry when dev is unregistered.

	syzkaller reported a warning in bcm_connect() below. [0]

	The repro calls connect() to vxcan1, removes vxcan1, and calls
	connect() with ifindex == 0.

	Calling connect() for a BCM socket allocates a proc entry.
	Then, bcm_sk(sk)->bound is set to 1 to prevent further connect().

	However, removing the bound device resets bcm_sk(sk)->bound to 0
	in bcm_notify().

	The 2nd connect() tries to allocate a proc entry with the same
	name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the
	original proc entry.

	Since the proc entry is available only for connect()ed sockets,
	let's clean up the entry when the bound netdev is unregistered.

	[0]:
	proc_dir_entry 'can-bcm/2456' already registered
	WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375
	Modules linked in:
	CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
	RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375
	Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48
	RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246
	RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80
	RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
	RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0
	R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000
	R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec
	FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
	PKRU: 55555554
	Call Trace:
	<TASK>
	proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220
	bcm_connect+0x472/0x840 net/can/bcm.c:1673
	__sys_connect_file net/socket.c:2049 [inline]
	__sys_connect+0x5d2/0x690 net/socket.c:2066
	__do_sys_connect net/socket.c:2076 [inline]
	__se_sys_connect net/socket.c:2073 [inline]
	__x64_sys_connect+0x8f/0x100 net/socket.c:2073
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x4b/0x53
	RIP: 0033:0x7fbd708b0e5d
	Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
	RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
	RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d
	RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
	RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040
	R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098
	R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000
	</TASK>
	remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'

	The Linux kernel CVE team has assigned CVE-2024-46771 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 4.19.322 with commit 5c680022c4e28ba18ea500f3e29f0428271afa92
	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 5.4.284 with commit 33ed4ba73caae39f34ab874ba79138badc2c65dd
	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 5.10.226 with commit aec92dbebdbec7567d9f56d7c9296a572b8fd849
	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 5.15.167 with commit 10bfacbd5e8d821011d857bee73310457c9c989a
	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 6.1.110 with commit 3b39dc2901aa7a679a5ca981a3de9f8d5658afe8
	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 6.6.51 with commit 4377b79323df62eb5d310354f19b4d130ff58d50
	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 6.10.10 with commit abb0a615569ec008e8a93d9f3ab2d5b418ea94d4
	Issue introduced in 2.6.25 with commit ffd980f976e7fd666c2e61bf8ab35107efd11828 and fixed in 6.11 with commit 76fe372ccb81b0c89b6cd2fec26e2f38c958be85

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46771
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/can/bcm.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5c680022c4e28ba18ea500f3e29f0428271afa92
	https://git.kernel.org/stable/c/33ed4ba73caae39f34ab874ba79138badc2c65dd
	https://git.kernel.org/stable/c/aec92dbebdbec7567d9f56d7c9296a572b8fd849
	https://git.kernel.org/stable/c/10bfacbd5e8d821011d857bee73310457c9c989a
	https://git.kernel.org/stable/c/3b39dc2901aa7a679a5ca981a3de9f8d5658afe8
	https://git.kernel.org/stable/c/4377b79323df62eb5d310354f19b4d130ff58d50
	https://git.kernel.org/stable/c/abb0a615569ec008e8a93d9f3ab2d5b418ea94d4
	https://git.kernel.org/stable/c/76fe372ccb81b0c89b6cd2fec26e2f38c958be85