cve/published/2024/CVE-2024-46786.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46786: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF

 The fscache_cookie_lru_timer is initialized when the fscache module
 is inserted, but is not deleted when the fscache module is removed.
 If timer_reduce() is called before removing the fscache module,
 the fscache_cookie_lru_timer will be added to the timer list of
 the current cpu. Afterwards, a use-after-free will be triggered
 in the softIRQ after removing the fscache module, as follows:

 ==================================================================
 BUG: unable to handle page fault for address: fffffbfff803c9e9
  PF: supervisor read access in kernel mode
  PF: error_code(0x0000) - not-present page
 PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0
 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
 CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855
 Tainted: [W]=WARN
 RIP: 0010:__run_timer_base.part.0+0x254/0x8a0
 Call Trace:
  <IRQ>
  tmigr_handle_remote_up+0x627/0x810
  __walk_groups.isra.0+0x47/0x140
  tmigr_handle_remote+0x1fa/0x2f0
  handle_softirqs+0x180/0x590
  irq_exit_rcu+0x84/0xb0
  sysvec_apic_timer_interrupt+0x6e/0x90
  </IRQ>
  <TASK>
  asm_sysvec_apic_timer_interrupt+0x1a/0x20
 RIP: 0010:default_idle+0xf/0x20
  default_idle_call+0x38/0x60
  do_idle+0x2b5/0x300
  cpu_startup_entry+0x54/0x60
  start_secondary+0x20d/0x280
  common_startup_64+0x13e/0x148
  </TASK>
 Modules linked in: [last unloaded: netfs]
 ==================================================================

 Therefore delete fscache_cookie_lru_timer when removing the fscahe module.

 The Linux kernel CVE team has assigned CVE-2024-46786 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit 12bb21a29c19aae50cfad4e2bb5c943108f34a7d and fixed in 6.6.51 with commit e0d724932ad12e3528f4ce97fc0f6078d0cce4bc
 	Issue introduced in 5.17 with commit 12bb21a29c19aae50cfad4e2bb5c943108f34a7d and fixed in 6.10.10 with commit 0a11262549ac2ac6fb98c7cd40a67136817e5a52
 	Issue introduced in 5.17 with commit 12bb21a29c19aae50cfad4e2bb5c943108f34a7d and fixed in 6.11 with commit 72a6e22c604c95ddb3b10b5d3bb85b6ff4dbc34f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46786
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/netfs/fscache_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e0d724932ad12e3528f4ce97fc0f6078d0cce4bc
 	https://git.kernel.org/stable/c/0a11262549ac2ac6fb98c7cd40a67136817e5a52
 	https://git.kernel.org/stable/c/72a6e22c604c95ddb3b10b5d3bb85b6ff4dbc34f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46786: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF

	The fscache_cookie_lru_timer is initialized when the fscache module
	is inserted, but is not deleted when the fscache module is removed.
	If timer_reduce() is called before removing the fscache module,
	the fscache_cookie_lru_timer will be added to the timer list of
	the current cpu. Afterwards, a use-after-free will be triggered
	in the softIRQ after removing the fscache module, as follows:

	==================================================================
	BUG: unable to handle page fault for address: fffffbfff803c9e9
	PF: supervisor read access in kernel mode
	PF: error_code(0x0000) - not-present page
	PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0
	Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
	CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855
	Tainted: [W]=WARN
	RIP: 0010:__run_timer_base.part.0+0x254/0x8a0
	Call Trace:
	<IRQ>
	tmigr_handle_remote_up+0x627/0x810
	__walk_groups.isra.0+0x47/0x140
	tmigr_handle_remote+0x1fa/0x2f0
	handle_softirqs+0x180/0x590
	irq_exit_rcu+0x84/0xb0
	sysvec_apic_timer_interrupt+0x6e/0x90
	</IRQ>
	<TASK>
	asm_sysvec_apic_timer_interrupt+0x1a/0x20
	RIP: 0010:default_idle+0xf/0x20
	default_idle_call+0x38/0x60
	do_idle+0x2b5/0x300
	cpu_startup_entry+0x54/0x60
	start_secondary+0x20d/0x280
	common_startup_64+0x13e/0x148
	</TASK>
	Modules linked in: [last unloaded: netfs]
	==================================================================

	Therefore delete fscache_cookie_lru_timer when removing the fscahe module.

	The Linux kernel CVE team has assigned CVE-2024-46786 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit 12bb21a29c19aae50cfad4e2bb5c943108f34a7d and fixed in 6.6.51 with commit e0d724932ad12e3528f4ce97fc0f6078d0cce4bc
	Issue introduced in 5.17 with commit 12bb21a29c19aae50cfad4e2bb5c943108f34a7d and fixed in 6.10.10 with commit 0a11262549ac2ac6fb98c7cd40a67136817e5a52
	Issue introduced in 5.17 with commit 12bb21a29c19aae50cfad4e2bb5c943108f34a7d and fixed in 6.11 with commit 72a6e22c604c95ddb3b10b5d3bb85b6ff4dbc34f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46786
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/netfs/fscache_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e0d724932ad12e3528f4ce97fc0f6078d0cce4bc
	https://git.kernel.org/stable/c/0a11262549ac2ac6fb98c7cd40a67136817e5a52
	https://git.kernel.org/stable/c/72a6e22c604c95ddb3b10b5d3bb85b6ff4dbc34f