cve/published/2024/CVE-2024-26608.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26608: ksmbd: fix global oob in ksmbd_nl_policy

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ksmbd: fix global oob in ksmbd_nl_policy

 Similar to a reported issue (check the commit b33fb5b801c6 ("net:
 qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer finds
 another global out-of-bounds read for policy ksmbd_nl_policy. See bug
 trace below:

 ==================================================================
 BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]
 BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
 Read of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810

 CPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G                 N 6.1.0 #3
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
  print_address_description mm/kasan/report.c:284 [inline]
  print_report+0x172/0x475 mm/kasan/report.c:395
  kasan_report+0xbb/0x1c0 mm/kasan/report.c:495
  validate_nla lib/nlattr.c:386 [inline]
  __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
  __nla_parse+0x3e/0x50 lib/nlattr.c:697
  __nlmsg_parse include/net/netlink.h:748 [inline]
  genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565
  genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734
  genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
  genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850
  netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540
  genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
  netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
  netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345
  netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921
  sock_sendmsg_nosec net/socket.c:714 [inline]
  sock_sendmsg+0x154/0x190 net/socket.c:734
  ____sys_sendmsg+0x6df/0x840 net/socket.c:2482
  ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
  __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
 RIP: 0033:0x7fdd66a8f359
 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359
 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003
 RBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
 R13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000
  </TASK>

 The buggy address belongs to the variable:
  ksmbd_nl_policy+0x100/0xa80

 The buggy address belongs to the physical page:
 page:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b
 flags: 0x200000000001000(reserved|node=0|zone=2)
 raw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000
 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 >ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9
                    ^
  ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05
  ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9
 ==================================================================

 To fix it, add a placeholder named __KSMBD_EVENT_MAX and let
 KSMBD_EVENT_MAX to be its original value - 1 according to what other
 netlink families do. Also change two sites that refer the
 KSMBD_EVENT_MAX to correct value.

 The Linux kernel CVE team has assigned CVE-2024-26608 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 5.15.149 with commit aaa1f1a2ee80888c12ae2783f3a0be10e14067c5
 	Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 6.1.76 with commit 2c939c74ef0b74e99b92e32edc2a59f9b9ca3d5a
 	Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 6.6.15 with commit 9863a53100f47652755545c2bd43e14a1855104d
 	Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 6.7.3 with commit 6993328a4cd62a24df254b587c0796a4a1eecc95
 	Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 6.8 with commit ebeae8adf89d9a82359f6659b1663d09beec2faa

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26608
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/smb/server/ksmbd_netlink.h
 	fs/smb/server/transport_ipc.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/aaa1f1a2ee80888c12ae2783f3a0be10e14067c5
 	https://git.kernel.org/stable/c/2c939c74ef0b74e99b92e32edc2a59f9b9ca3d5a
 	https://git.kernel.org/stable/c/9863a53100f47652755545c2bd43e14a1855104d
 	https://git.kernel.org/stable/c/6993328a4cd62a24df254b587c0796a4a1eecc95
 	https://git.kernel.org/stable/c/ebeae8adf89d9a82359f6659b1663d09beec2faa
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26608: ksmbd: fix global oob in ksmbd_nl_policy

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ksmbd: fix global oob in ksmbd_nl_policy

	Similar to a reported issue (check the commit b33fb5b801c6 ("net:
	qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer finds
	another global out-of-bounds read for policy ksmbd_nl_policy. See bug
	trace below:

	==================================================================
	BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]
	BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
	Read of size 1 at addr ffffffff8f24b100 by task syz-executor.1/62810

	CPU: 0 PID: 62810 Comm: syz-executor.1 Tainted: G N 6.1.0 #3
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
	print_address_description mm/kasan/report.c:284 [inline]
	print_report+0x172/0x475 mm/kasan/report.c:395
	kasan_report+0xbb/0x1c0 mm/kasan/report.c:495
	validate_nla lib/nlattr.c:386 [inline]
	__nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
	__nla_parse+0x3e/0x50 lib/nlattr.c:697
	__nlmsg_parse include/net/netlink.h:748 [inline]
	genl_family_rcv_msg_attrs_parse.constprop.0+0x1b0/0x290 net/netlink/genetlink.c:565
	genl_family_rcv_msg_doit+0xda/0x330 net/netlink/genetlink.c:734
	genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
	genl_rcv_msg+0x441/0x780 net/netlink/genetlink.c:850
	netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540
	genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
	netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
	netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345
	netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921
	sock_sendmsg_nosec net/socket.c:714 [inline]
	sock_sendmsg+0x154/0x190 net/socket.c:734
	____sys_sendmsg+0x6df/0x840 net/socket.c:2482
	___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
	__sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x63/0xcd
	RIP: 0033:0x7fdd66a8f359
	Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007fdd65e00168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
	RAX: ffffffffffffffda RBX: 00007fdd66bbcf80 RCX: 00007fdd66a8f359
	RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000003
	RBP: 00007fdd66ada493 R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
	R13: 00007ffc84b81aff R14: 00007fdd65e00300 R15: 0000000000022000
	</TASK>

	The buggy address belongs to the variable:
	ksmbd_nl_policy+0x100/0xa80

	The buggy address belongs to the physical page:
	page:0000000034f47940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ccc4b
	flags: 0x200000000001000(reserved\|node=0\|zone=2)
	raw: 0200000000001000 ffffea00073312c8 ffffea00073312c8 0000000000000000
	raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
	page dumped because: kasan: bad access detected

	Memory state around the buggy address:
	ffffffff8f24b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	ffffffff8f24b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	>ffffffff8f24b100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 07 f9
	^
	ffffffff8f24b180: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 05
	ffffffff8f24b200: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 04 f9
	==================================================================

	To fix it, add a placeholder named __KSMBD_EVENT_MAX and let
	KSMBD_EVENT_MAX to be its original value - 1 according to what other
	netlink families do. Also change two sites that refer the
	KSMBD_EVENT_MAX to correct value.

	The Linux kernel CVE team has assigned CVE-2024-26608 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 5.15.149 with commit aaa1f1a2ee80888c12ae2783f3a0be10e14067c5
	Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 6.1.76 with commit 2c939c74ef0b74e99b92e32edc2a59f9b9ca3d5a
	Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 6.6.15 with commit 9863a53100f47652755545c2bd43e14a1855104d
	Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 6.7.3 with commit 6993328a4cd62a24df254b587c0796a4a1eecc95
	Issue introduced in 5.15 with commit 0626e6641f6b467447c81dd7678a69c66f7746cf and fixed in 6.8 with commit ebeae8adf89d9a82359f6659b1663d09beec2faa

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26608
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/smb/server/ksmbd_netlink.h
	fs/smb/server/transport_ipc.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/aaa1f1a2ee80888c12ae2783f3a0be10e14067c5
	https://git.kernel.org/stable/c/2c939c74ef0b74e99b92e32edc2a59f9b9ca3d5a
	https://git.kernel.org/stable/c/9863a53100f47652755545c2bd43e14a1855104d
	https://git.kernel.org/stable/c/6993328a4cd62a24df254b587c0796a4a1eecc95
	https://git.kernel.org/stable/c/ebeae8adf89d9a82359f6659b1663d09beec2faa