From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-57929: dm array: fix releasing a faulty array block twice in dm_array_cursor_end

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

dm array: fix releasing a faulty array block twice in dm_array_cursor_end

When dm_bm_read_lock() fails due to locking or checksum errors, it
releases the faulty block implicitly while leaving an invalid output
pointer behind. The caller of dm_bm_read_lock() should not operate on
this invalid dm_block pointer, or it will lead to undefined results.
For example, the dm_array_cursor incorrectly caches the invalid pointer
on reading a faulty array block, causing a double release in
dm_array_cursor_end(), then hitting the BUG_ON in dm-bufio cache_put().

Reproduction steps:

1. initialize a cache device

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1
dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. wipe the second array block offline

dmsetup remove cache cmeta cdata corig
mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \
2>/dev/null | hexdump -e '1/8 "%u\n"')
ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \
2>/dev/null | hexdump -e '1/8 "%u\n"')
dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock

3. try to reopen the cache device

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

Kernel logs:

(snip)
device-mapper: array: array_block_check failed: blocknr 0 != wanted 10
device-mapper: block manager: array validator check failed for block 10
device-mapper: array: get_ablock failed
device-mapper: cache metadata: dm_array_cursor_next for mapping failed
------------[ cut here ]------------
kernel BUG at drivers/md/dm-bufio.c:638!

Fix by setting the cached block pointer to NULL on errors.

In addition to the reproducer described above, this fix can be
verified using the "array_cursor/damaged" test in dm-unit:
dm-unit run /pdata/array_cursor/damaged --kernel-dir <KERNEL_DIR>
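The double release described above, modelled in C as an added example that is not the kernel's own code: a constructed stand-in block manager counts holds, so the pre-fix cursor (which keeps the pointer a failed read lock left behind) trips the equivalent of the dm-bufio BUG_ON, while the NULL-on-error variant from the fix does not. Function names are simplified analogues of dm_bm_read_lock, dm_bm_unlock and dm_array_cursor_end, not their real signatures.

```c
/* Added example, not kernel code: a constructed model of the dm-array
 * cursor double release, with a stand-in block manager that counts holds. */
#include <stddef.h>
struct dm_block { int holders; };   /* stand-in for a dm-bufio buffer */
static struct dm_block g_block;     /* the single block the model reads */
static int g_double_put;            /* BUG_ON(!hold_count) equivalents seen */

/* Models dm_bm_read_lock(): on a validator failure it drops the buffer it
 * took and returns an error, but leaves *result pointing at the released
 * buffer, which is the hazard the advisory describes. */
static int bm_read_lock(int corrupt, struct dm_block **result)
{
	g_block.holders++;
	*result = &g_block;
	if (!corrupt)
		return 0;
	g_block.holders--;              /* implicit release on checksum error */
	return -1;
}

/* Models dm_bm_unlock() -> cache_put(): a put with no holders is the BUG. */
static void bm_unlock(struct dm_block *b)
{
	if (b->holders == 0) { g_double_put++; return; }
	b->holders--;
}

struct array_cursor { struct dm_block *block; };

/* fixed == 0: the cursor caches whatever bm_read_lock wrote, even on error.
 * fixed == 1: a failed read lock leaves c->block NULL, as in the fix. */
static int cursor_load(struct array_cursor *c, int corrupt, int fixed)
{
	int r = bm_read_lock(corrupt, &c->block);
	if (r && fixed)
		c->block = NULL;
	return r;
}

/* Models dm_array_cursor_end(): releases the cached block, if any. */
static void cursor_end(struct array_cursor *c)
{
	if (c->block) { bm_unlock(c->block); c->block = NULL; }
}

/* Reads one damaged block, ends the cursor, returns double releases seen. */
static int double_puts_on_damaged_block(int fixed)
{
	struct array_cursor c = { NULL };
	g_block.holders = 0; g_double_put = 0;
	cursor_load(&c, 1, fixed);
	cursor_end(&c);
	return g_double_put;
}
```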

The Linux kernel CVE team has assigned CVE-2024-57929 to this issue.


Affected and fixed versions
===========================

Issue introduced in 4.9 with commit fdd1315aa5f022fe6574efdc2d9535f75a0ee255 and fixed in 5.4.290 with commit 9c7c03d0e926762adf3a3a0ba86156fb5e19538b
Issue introduced in 4.9 with commit fdd1315aa5f022fe6574efdc2d9535f75a0ee255 and fixed in 5.10.234 with commit fc1ef07c3522e257e32702954f265debbcb096a7
Issue introduced in 4.9 with commit fdd1315aa5f022fe6574efdc2d9535f75a0ee255 and fixed in 5.15.177 with commit 738994872d77e189b2d13c501a1d145e95d98f46
Issue introduced in 4.9 with commit fdd1315aa5f022fe6574efdc2d9535f75a0ee255 and fixed in 6.1.125 with commit e477021d252c007f0c6d45b5d13d341efed03979
Issue introduced in 4.9 with commit fdd1315aa5f022fe6574efdc2d9535f75a0ee255 and fixed in 6.6.72 with commit 6002bec5354f86d1a2df21468f68e3ec03ede9da
Issue introduced in 4.9 with commit fdd1315aa5f022fe6574efdc2d9535f75a0ee255 and fixed in 6.12.10 with commit 017c4470bff53585370028fec9341247bad358ff
Issue introduced in 4.9 with commit fdd1315aa5f022fe6574efdc2d9535f75a0ee255 and fixed in 6.13 with commit f2893c0804d86230ffb8f1c8703fdbb18648abc8

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-57929
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
drivers/md/persistent-data/dm-array.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/9c7c03d0e926762adf3a3a0ba86156fb5e19538b
https://git.kernel.org/stable/c/fc1ef07c3522e257e32702954f265debbcb096a7
https://git.kernel.org/stable/c/738994872d77e189b2d13c501a1d145e95d98f46
https://git.kernel.org/stable/c/e477021d252c007f0c6d45b5d13d341efed03979
https://git.kernel.org/stable/c/6002bec5354f86d1a2df21468f68e3ec03ede9da
https://git.kernel.org/stable/c/017c4470bff53585370028fec9341247bad358ff
https://git.kernel.org/stable/c/f2893c0804d86230ffb8f1c8703fdbb18648abc8