cve/published/2024/CVE-2024-49982.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49982: aoe: fix the potential use-after-free problem in more places

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 aoe: fix the potential use-after-free problem in more places

 For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential
 use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put()
 instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs
 into use-after-free.

 Then Nicolai Stange found more places in aoe have potential use-after-free
 problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe()
 and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push
 packet to tx queue. So they should also use dev_hold() to increase the
 refcnt of skb->dev.

 On the other hand, moving dev_put() to tx() causes that the refcnt of
 skb->dev be reduced to a negative value, because corresponding
 dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(),
 probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.

 The Linux kernel CVE team has assigned CVE-2024-49982 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19.311 with commit ad80c34944d7175fa1f5c7a55066020002921a99 and fixed in 4.19.323 with commit 12f7b89dd72b25da4eeaa22097877963cad6418e
 	Issue introduced in 5.4.273 with commit 1a54aa506b3b2f31496731039e49778f54eee881 and fixed in 5.4.285 with commit a786265aecf39015418e4f930cc1c14603a01490
 	Issue introduced in 5.10.214 with commit faf0b4c5e00bb680e8e43ac936df24d3f48c8e65 and fixed in 5.10.227 with commit f63461af2c1a86af4217910e47a5c46e3372e645
 	Issue introduced in 5.15.153 with commit 7dd09fa80b0765ce68bfae92f4e2f395ccf0fba4 and fixed in 5.15.168 with commit 07b418d50ccbbca7e5d87a3a0d41d436cefebf79
 	Issue introduced in 6.1.83 with commit 74ca3ef68d2f449bc848c0a814cefc487bf755fa and fixed in 6.1.113 with commit bc2cbf7525ac288e07d465f5a1d8cb8fb9599254
 	Issue introduced in 6.6.23 with commit eb48680b0255a9e8a9bdc93d6a55b11c31262e62 and fixed in 6.6.55 with commit acc5103a0a8c200a52af7d732c36a8477436a3d3
 	Issue introduced in 6.9 with commit f98364e926626c678fb4b9004b75cacf92ff0662 and fixed in 6.10.14 with commit 89d9a69ae0c667e4d9d028028e2dcc837bae626f
 	Issue introduced in 6.9 with commit f98364e926626c678fb4b9004b75cacf92ff0662 and fixed in 6.11.3 with commit 8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58
 	Issue introduced in 6.9 with commit f98364e926626c678fb4b9004b75cacf92ff0662 and fixed in 6.12 with commit 6d6e54fc71ad1ab0a87047fd9c211e75d86084a3
 	Issue introduced in 6.7.11 with commit 079cba4f4e307c69878226fdf5228c20aa1c969c
 	Issue introduced in 6.8.2 with commit a16fbb80064634b254520a46395e36b87ca4731e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49982
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/block/aoe/aoecmd.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/12f7b89dd72b25da4eeaa22097877963cad6418e
 	https://git.kernel.org/stable/c/a786265aecf39015418e4f930cc1c14603a01490
 	https://git.kernel.org/stable/c/f63461af2c1a86af4217910e47a5c46e3372e645
 	https://git.kernel.org/stable/c/07b418d50ccbbca7e5d87a3a0d41d436cefebf79
 	https://git.kernel.org/stable/c/bc2cbf7525ac288e07d465f5a1d8cb8fb9599254
 	https://git.kernel.org/stable/c/acc5103a0a8c200a52af7d732c36a8477436a3d3
 	https://git.kernel.org/stable/c/89d9a69ae0c667e4d9d028028e2dcc837bae626f
 	https://git.kernel.org/stable/c/8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58
 	https://git.kernel.org/stable/c/6d6e54fc71ad1ab0a87047fd9c211e75d86084a3
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49982: aoe: fix the potential use-after-free problem in more places

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	aoe: fix the potential use-after-free problem in more places

	For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential
	use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put()
	instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs
	into use-after-free.

	Then Nicolai Stange found more places in aoe have potential use-after-free
	problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe()
	and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push
	packet to tx queue. So they should also use dev_hold() to increase the
	refcnt of skb->dev.

	On the other hand, moving dev_put() to tx() causes that the refcnt of
	skb->dev be reduced to a negative value, because corresponding
	dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(),
	probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.

	The Linux kernel CVE team has assigned CVE-2024-49982 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19.311 with commit ad80c34944d7175fa1f5c7a55066020002921a99 and fixed in 4.19.323 with commit 12f7b89dd72b25da4eeaa22097877963cad6418e
	Issue introduced in 5.4.273 with commit 1a54aa506b3b2f31496731039e49778f54eee881 and fixed in 5.4.285 with commit a786265aecf39015418e4f930cc1c14603a01490
	Issue introduced in 5.10.214 with commit faf0b4c5e00bb680e8e43ac936df24d3f48c8e65 and fixed in 5.10.227 with commit f63461af2c1a86af4217910e47a5c46e3372e645
	Issue introduced in 5.15.153 with commit 7dd09fa80b0765ce68bfae92f4e2f395ccf0fba4 and fixed in 5.15.168 with commit 07b418d50ccbbca7e5d87a3a0d41d436cefebf79
	Issue introduced in 6.1.83 with commit 74ca3ef68d2f449bc848c0a814cefc487bf755fa and fixed in 6.1.113 with commit bc2cbf7525ac288e07d465f5a1d8cb8fb9599254
	Issue introduced in 6.6.23 with commit eb48680b0255a9e8a9bdc93d6a55b11c31262e62 and fixed in 6.6.55 with commit acc5103a0a8c200a52af7d732c36a8477436a3d3
	Issue introduced in 6.9 with commit f98364e926626c678fb4b9004b75cacf92ff0662 and fixed in 6.10.14 with commit 89d9a69ae0c667e4d9d028028e2dcc837bae626f
	Issue introduced in 6.9 with commit f98364e926626c678fb4b9004b75cacf92ff0662 and fixed in 6.11.3 with commit 8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58
	Issue introduced in 6.9 with commit f98364e926626c678fb4b9004b75cacf92ff0662 and fixed in 6.12 with commit 6d6e54fc71ad1ab0a87047fd9c211e75d86084a3
	Issue introduced in 6.7.11 with commit 079cba4f4e307c69878226fdf5228c20aa1c969c
	Issue introduced in 6.8.2 with commit a16fbb80064634b254520a46395e36b87ca4731e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49982
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/block/aoe/aoecmd.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/12f7b89dd72b25da4eeaa22097877963cad6418e
	https://git.kernel.org/stable/c/a786265aecf39015418e4f930cc1c14603a01490
	https://git.kernel.org/stable/c/f63461af2c1a86af4217910e47a5c46e3372e645
	https://git.kernel.org/stable/c/07b418d50ccbbca7e5d87a3a0d41d436cefebf79
	https://git.kernel.org/stable/c/bc2cbf7525ac288e07d465f5a1d8cb8fb9599254
	https://git.kernel.org/stable/c/acc5103a0a8c200a52af7d732c36a8477436a3d3
	https://git.kernel.org/stable/c/89d9a69ae0c667e4d9d028028e2dcc837bae626f
	https://git.kernel.org/stable/c/8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58
	https://git.kernel.org/stable/c/6d6e54fc71ad1ab0a87047fd9c211e75d86084a3