| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-26868: nfs: fix panic when nfs4_ff_layout_prepare_ds() fails |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| nfs: fix panic when nfs4_ff_layout_prepare_ds() fails |
| |
| We've been seeing the following panic in production |
| |
| BUG: kernel NULL pointer dereference, address: 0000000000000065 |
| PGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0 |
| RIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles] |
| Call Trace: |
| <TASK> |
| ? __die+0x78/0xc0 |
| ? page_fault_oops+0x286/0x380 |
| ? __rpc_execute+0x2c3/0x470 [sunrpc] |
| ? rpc_new_task+0x42/0x1c0 [sunrpc] |
| ? exc_page_fault+0x5d/0x110 |
| ? asm_exc_page_fault+0x22/0x30 |
| ? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles] |
| ? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles] |
| ? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles] |
| pnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4] |
| pnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4] |
| ? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles] |
| nfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles] |
| ff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles] |
| __nfs_pageio_add_request+0x154/0x6c0 [nfs] |
| nfs_pageio_add_request+0x26b/0x380 [nfs] |
| nfs_do_writepage+0x111/0x1e0 [nfs] |
| nfs_writepages_callback+0xf/0x30 [nfs] |
| write_cache_pages+0x17f/0x380 |
| ? nfs_pageio_init_write+0x50/0x50 [nfs] |
| ? nfs_writepages+0x6d/0x210 [nfs] |
| ? nfs_writepages+0x6d/0x210 [nfs] |
| nfs_writepages+0x125/0x210 [nfs] |
| do_writepages+0x67/0x220 |
| ? generic_perform_write+0x14b/0x210 |
| filemap_fdatawrite_wbc+0x5b/0x80 |
| file_write_and_wait_range+0x6d/0xc0 |
| nfs_file_fsync+0x81/0x170 [nfs] |
| ? nfs_file_mmap+0x60/0x60 [nfs] |
| __x64_sys_fsync+0x53/0x90 |
| do_syscall_64+0x3d/0x90 |
| entry_SYSCALL_64_after_hwframe+0x46/0xb0 |
| |
| Inspecting the core with drgn I was able to pull this |
| |
| >>> prog.crashed_thread().stack_trace()[0] |
| #0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27 |
| >>> prog.crashed_thread().stack_trace()[0]['idx'] |
| (u32)1 |
| >>> prog.crashed_thread().stack_trace()[0]['flseg'].mirror_array[1].mirror_ds |
| (struct nfs4_ff_layout_ds *)0xffffffffffffffed |
| |
| This is clear from the stack trace, we call nfs4_ff_layout_prepare_ds() |
| which could error out initializing the mirror_ds, and then we go to |
| clean it all up and our check is only for if (!mirror->mirror_ds). This |
| is inconsistent with the rest of the users of mirror_ds, which have |
| |
| if (IS_ERR_OR_NULL(mirror_ds)) |
| |
| to keep from tripping over this exact scenario. Fix this up in |
| ff_layout_cancel_io() to make sure we don't panic when we get an error. |
| I also spot checked all the other instances of checking mirror_ds and we |
| appear to be doing the correct checks everywhere, only unconditionally |
| dereferencing mirror_ds when we know it would be valid. |
| |
| The Linux kernel CVE team has assigned CVE-2024-26868 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.1 with commit b739a5bd9d9f18cc69dced8db128ef7206e000cd and fixed in 6.1.83 with commit 31db25e3141b20e2a76a9f219eeca52e3cab126c |
| Issue introduced in 6.1 with commit b739a5bd9d9f18cc69dced8db128ef7206e000cd and fixed in 6.6.23 with commit 7ca651b4ec4a049f5a46a0e5ff921b86b91c47c5 |
| Issue introduced in 6.1 with commit b739a5bd9d9f18cc69dced8db128ef7206e000cd and fixed in 6.7.11 with commit 5ada9016b1217498fad876a3d5b07645cc955608 |
| Issue introduced in 6.1 with commit b739a5bd9d9f18cc69dced8db128ef7206e000cd and fixed in 6.8.2 with commit dac068f164ad05b35e7c0be13f138c3f6adca58f |
| Issue introduced in 6.1 with commit b739a5bd9d9f18cc69dced8db128ef7206e000cd and fixed in 6.9 with commit 719fcafe07c12646691bd62d7f8d94d657fa0766 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-26868 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| fs/nfs/flexfilelayout/flexfilelayout.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/31db25e3141b20e2a76a9f219eeca52e3cab126c |
| https://git.kernel.org/stable/c/7ca651b4ec4a049f5a46a0e5ff921b86b91c47c5 |
| https://git.kernel.org/stable/c/5ada9016b1217498fad876a3d5b07645cc955608 |
| https://git.kernel.org/stable/c/dac068f164ad05b35e7c0be13f138c3f6adca58f |
| https://git.kernel.org/stable/c/719fcafe07c12646691bd62d7f8d94d657fa0766 |
