cve/published/2024/CVE-2024-53173.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53173: NFSv4.0: Fix a use-after-free problem in the asynchronous open()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 NFSv4.0: Fix a use-after-free problem in the asynchronous open()

 Yang Erkun reports that when two threads are opening files at the same
 time, and are forced to abort before a reply is seen, then the call to
 nfs_release_seqid() in nfs4_opendata_free() can result in a
 use-after-free of the pointer to the defunct rpc task of the other
 thread.
 The fix is to ensure that if the RPC call is aborted before the call to
 nfs_wait_on_sequence() is complete, then we must call nfs_release_seqid()
 in nfs4_open_release() before the rpc_task is freed.

 The Linux kernel CVE team has assigned CVE-2024-53173 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 4.19.325 with commit 1cfae9575296f5040cdc84b0730e79078c081d2d
 	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 5.4.287 with commit 7bf6bf130af8ee7d93a99c28a7512df3017ec759
 	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 5.10.231 with commit 5237a297ffd374a1c4157a53543b7a69d7bbbc03
 	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 5.15.174 with commit 2ab9639f16b05d948066a6c4cf19a0fdc61046ff
 	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 6.1.120 with commit ba6e6c04f60fe52d91520ac4d749d372d4c74521
 	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 6.6.64 with commit 229a30ed42bb87bcb044c5523fabd9e4f0e75648
 	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 6.11.11 with commit e2277a1d9d5cd0d625a4fd7c04fce2b53e66df77
 	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 6.12.2 with commit b56ae8e715557b4fc227c9381d2e681ffafe7b15
 	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 6.13 with commit 2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53173
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/nfs/nfs4proc.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1cfae9575296f5040cdc84b0730e79078c081d2d
 	https://git.kernel.org/stable/c/7bf6bf130af8ee7d93a99c28a7512df3017ec759
 	https://git.kernel.org/stable/c/5237a297ffd374a1c4157a53543b7a69d7bbbc03
 	https://git.kernel.org/stable/c/2ab9639f16b05d948066a6c4cf19a0fdc61046ff
 	https://git.kernel.org/stable/c/ba6e6c04f60fe52d91520ac4d749d372d4c74521
 	https://git.kernel.org/stable/c/229a30ed42bb87bcb044c5523fabd9e4f0e75648
 	https://git.kernel.org/stable/c/e2277a1d9d5cd0d625a4fd7c04fce2b53e66df77
 	https://git.kernel.org/stable/c/b56ae8e715557b4fc227c9381d2e681ffafe7b15
 	https://git.kernel.org/stable/c/2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53173: NFSv4.0: Fix a use-after-free problem in the asynchronous open()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	NFSv4.0: Fix a use-after-free problem in the asynchronous open()

	Yang Erkun reports that when two threads are opening files at the same
	time, and are forced to abort before a reply is seen, then the call to
	nfs_release_seqid() in nfs4_opendata_free() can result in a
	use-after-free of the pointer to the defunct rpc task of the other
	thread.
	The fix is to ensure that if the RPC call is aborted before the call to
	nfs_wait_on_sequence() is complete, then we must call nfs_release_seqid()
	in nfs4_open_release() before the rpc_task is freed.

	The Linux kernel CVE team has assigned CVE-2024-53173 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 4.19.325 with commit 1cfae9575296f5040cdc84b0730e79078c081d2d
	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 5.4.287 with commit 7bf6bf130af8ee7d93a99c28a7512df3017ec759
	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 5.10.231 with commit 5237a297ffd374a1c4157a53543b7a69d7bbbc03
	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 5.15.174 with commit 2ab9639f16b05d948066a6c4cf19a0fdc61046ff
	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 6.1.120 with commit ba6e6c04f60fe52d91520ac4d749d372d4c74521
	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 6.6.64 with commit 229a30ed42bb87bcb044c5523fabd9e4f0e75648
	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 6.11.11 with commit e2277a1d9d5cd0d625a4fd7c04fce2b53e66df77
	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 6.12.2 with commit b56ae8e715557b4fc227c9381d2e681ffafe7b15
	Issue introduced in 2.6.16 with commit 24ac23ab88df5b21b5b2df8cde748bf99b289099 and fixed in 6.13 with commit 2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53173
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/nfs/nfs4proc.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1cfae9575296f5040cdc84b0730e79078c081d2d
	https://git.kernel.org/stable/c/7bf6bf130af8ee7d93a99c28a7512df3017ec759
	https://git.kernel.org/stable/c/5237a297ffd374a1c4157a53543b7a69d7bbbc03
	https://git.kernel.org/stable/c/2ab9639f16b05d948066a6c4cf19a0fdc61046ff
	https://git.kernel.org/stable/c/ba6e6c04f60fe52d91520ac4d749d372d4c74521
	https://git.kernel.org/stable/c/229a30ed42bb87bcb044c5523fabd9e4f0e75648
	https://git.kernel.org/stable/c/e2277a1d9d5cd0d625a4fd7c04fce2b53e66df77
	https://git.kernel.org/stable/c/b56ae8e715557b4fc227c9381d2e681ffafe7b15
	https://git.kernel.org/stable/c/2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889