cve/published/2024/CVE-2024-50279.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50279: dm cache: fix out-of-bounds access to the dirty bitset when resizing

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 dm cache: fix out-of-bounds access to the dirty bitset when resizing

 dm-cache checks the dirty bits of the cache blocks to be dropped when
 shrinking the fast device, but an index bug in bitset iteration causes
 out-of-bounds access.

 Reproduce steps:

 1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)

 dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
 dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
 dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
 dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
 dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
 /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

 2. shrink the fast device to 512 cache blocks, triggering out-of-bounds
    access to the dirty bitset (offset 0x80)

 dmsetup suspend cache
 dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192"
 dmsetup resume cdata
 dmsetup resume cache

 KASAN reports:

   BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0
   Read of size 8 at addr ffffc900000f3080 by task dmsetup/131

   (...snip...)
   The buggy address belongs to the virtual mapping at
    [ffffc900000f3000, ffffc900000f5000) created by:
    cache_ctr+0x176a/0x35f0

   (...snip...)
   Memory state around the buggy address:
    ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   >ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                      ^
    ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

 Fix by making the index post-incremented.

 The Linux kernel CVE team has assigned CVE-2024-50279 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 4.19.324 with commit 4fa4feb873cea0e9d6ff883b37cca6f33169d8b4
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 5.4.286 with commit 8501e38dc9e0060814c4085815fc83da3e6d43bf
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 5.10.230 with commit ee1f74925717ab36f6a091104c170639501ce818
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 5.15.172 with commit ff1dd8a04c30e8d4e2fd5c83198ca672eb6a9e7f
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.1.117 with commit 56507203e1b6127967ec2b51fb0b23a0d4af1334
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.6.61 with commit e57648ce325fa405fe6bbd0e6a618ced7c301a2d
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.11.8 with commit 3b02c40ff10fdf83cc545850db208de855ebe22c
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.12 with commit 792227719725497ce10a8039803bec13f89f8910

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50279
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/md/dm-cache-target.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4fa4feb873cea0e9d6ff883b37cca6f33169d8b4
 	https://git.kernel.org/stable/c/8501e38dc9e0060814c4085815fc83da3e6d43bf
 	https://git.kernel.org/stable/c/ee1f74925717ab36f6a091104c170639501ce818
 	https://git.kernel.org/stable/c/ff1dd8a04c30e8d4e2fd5c83198ca672eb6a9e7f
 	https://git.kernel.org/stable/c/56507203e1b6127967ec2b51fb0b23a0d4af1334
 	https://git.kernel.org/stable/c/e57648ce325fa405fe6bbd0e6a618ced7c301a2d
 	https://git.kernel.org/stable/c/3b02c40ff10fdf83cc545850db208de855ebe22c
 	https://git.kernel.org/stable/c/792227719725497ce10a8039803bec13f89f8910
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50279: dm cache: fix out-of-bounds access to the dirty bitset when resizing

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	dm cache: fix out-of-bounds access to the dirty bitset when resizing

	dm-cache checks the dirty bits of the cache blocks to be dropped when
	shrinking the fast device, but an index bug in bitset iteration causes
	out-of-bounds access.

	Reproduce steps:

	1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)

	dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
	dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
	dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
	dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
	dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
	/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

	2. shrink the fast device to 512 cache blocks, triggering out-of-bounds
	access to the dirty bitset (offset 0x80)

	dmsetup suspend cache
	dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192"
	dmsetup resume cdata
	dmsetup resume cache

	KASAN reports:

	BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0
	Read of size 8 at addr ffffc900000f3080 by task dmsetup/131

	(...snip...)
	The buggy address belongs to the virtual mapping at
	[ffffc900000f3000, ffffc900000f5000) created by:
	cache_ctr+0x176a/0x35f0

	(...snip...)
	Memory state around the buggy address:
	ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
	ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	>ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
	^
	ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
	ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

	Fix by making the index post-incremented.

	The Linux kernel CVE team has assigned CVE-2024-50279 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 4.19.324 with commit 4fa4feb873cea0e9d6ff883b37cca6f33169d8b4
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 5.4.286 with commit 8501e38dc9e0060814c4085815fc83da3e6d43bf
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 5.10.230 with commit ee1f74925717ab36f6a091104c170639501ce818
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 5.15.172 with commit ff1dd8a04c30e8d4e2fd5c83198ca672eb6a9e7f
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.1.117 with commit 56507203e1b6127967ec2b51fb0b23a0d4af1334
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.6.61 with commit e57648ce325fa405fe6bbd0e6a618ced7c301a2d
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.11.8 with commit 3b02c40ff10fdf83cc545850db208de855ebe22c
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.12 with commit 792227719725497ce10a8039803bec13f89f8910

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50279
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/md/dm-cache-target.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4fa4feb873cea0e9d6ff883b37cca6f33169d8b4
	https://git.kernel.org/stable/c/8501e38dc9e0060814c4085815fc83da3e6d43bf
	https://git.kernel.org/stable/c/ee1f74925717ab36f6a091104c170639501ce818
	https://git.kernel.org/stable/c/ff1dd8a04c30e8d4e2fd5c83198ca672eb6a9e7f
	https://git.kernel.org/stable/c/56507203e1b6127967ec2b51fb0b23a0d4af1334
	https://git.kernel.org/stable/c/e57648ce325fa405fe6bbd0e6a618ced7c301a2d
	https://git.kernel.org/stable/c/3b02c40ff10fdf83cc545850db208de855ebe22c
	https://git.kernel.org/stable/c/792227719725497ce10a8039803bec13f89f8910