cve/published/2024/CVE-2024-26958.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26958: nfs: fix UAF in direct writes

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nfs: fix UAF in direct writes

 In production we have been hitting the following warning consistently

 ------------[ cut here ]------------
 refcount_t: underflow; use-after-free.
 WARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0
 Workqueue: nfsiod nfs_direct_write_schedule_work [nfs]
 RIP: 0010:refcount_warn_saturate+0x9c/0xe0
 PKRU: 55555554
 Call Trace:
  <TASK>
  ? __warn+0x9f/0x130
  ? refcount_warn_saturate+0x9c/0xe0
  ? report_bug+0xcc/0x150
  ? handle_bug+0x3d/0x70
  ? exc_invalid_op+0x16/0x40
  ? asm_exc_invalid_op+0x16/0x20
  ? refcount_warn_saturate+0x9c/0xe0
  nfs_direct_write_schedule_work+0x237/0x250 [nfs]
  process_one_work+0x12f/0x4a0
  worker_thread+0x14e/0x3b0
  ? ZSTD_getCParams_internal+0x220/0x220
  kthread+0xdc/0x120
  ? __btf_name_valid+0xa0/0xa0
  ret_from_fork+0x1f/0x30

 This is because we're completing the nfs_direct_request twice in a row.

 The source of this is when we have our commit requests to submit, we
 process them and send them off, and then in the completion path for the
 commit requests we have

 if (nfs_commit_end(cinfo.mds))
 	nfs_direct_write_complete(dreq);

 However since we're submitting asynchronous requests we sometimes have
 one that completes before we submit the next one, so we end up calling
 complete on the nfs_direct_request twice.

 The only other place we use nfs_generic_commit_list() is in
 __nfs_commit_inode, which wraps this call in a

 nfs_commit_begin();
 nfs_commit_end();

 Which is a common pattern for this style of completion handling, one
 that is also repeated in the direct code with get_dreq()/put_dreq()
 calls around where we process events as well as in the completion paths.

 Fix this by using the same pattern for the commit requests.

 Before with my 200 node rocksdb stress running this warning would pop
 every 10ish minutes.  With my patch the stress test has been running for
 several hours without popping.

 The Linux kernel CVE team has assigned CVE-2024-26958 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 5.10.215 with commit 4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5
 	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 5.15.154 with commit 80d24b308b7ee7037fc90d8ac99f6f78df0a256f
 	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 6.1.84 with commit 3abc2d160ed8213948b147295d77d44a22c88fa3
 	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 6.6.24 with commit e25447c35f8745337ea8bc0c9697fcac14df8605
 	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 6.7.12 with commit 1daf52b5ffb24870fbeda20b4967526d8f9e12ab
 	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 6.8.3 with commit cf54f66e1dd78990ec6b32177bca7e6ea2144a95
 	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 6.9 with commit 17f46b803d4f23c66cacce81db35fef3adb8f2af

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26958
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/nfs/direct.c
 	fs/nfs/write.c
 	include/linux/nfs_fs.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5
 	https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f
 	https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3
 	https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605
 	https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab
 	https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95
 	https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26958: nfs: fix UAF in direct writes

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nfs: fix UAF in direct writes

	In production we have been hitting the following warning consistently

	------------[ cut here ]------------
	refcount_t: underflow; use-after-free.
	WARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0
	Workqueue: nfsiod nfs_direct_write_schedule_work [nfs]
	RIP: 0010:refcount_warn_saturate+0x9c/0xe0
	PKRU: 55555554
	Call Trace:
	<TASK>
	? __warn+0x9f/0x130
	? refcount_warn_saturate+0x9c/0xe0
	? report_bug+0xcc/0x150
	? handle_bug+0x3d/0x70
	? exc_invalid_op+0x16/0x40
	? asm_exc_invalid_op+0x16/0x20
	? refcount_warn_saturate+0x9c/0xe0
	nfs_direct_write_schedule_work+0x237/0x250 [nfs]
	process_one_work+0x12f/0x4a0
	worker_thread+0x14e/0x3b0
	? ZSTD_getCParams_internal+0x220/0x220
	kthread+0xdc/0x120
	? __btf_name_valid+0xa0/0xa0
	ret_from_fork+0x1f/0x30

	This is because we're completing the nfs_direct_request twice in a row.

	The source of this is when we have our commit requests to submit, we
	process them and send them off, and then in the completion path for the
	commit requests we have

	if (nfs_commit_end(cinfo.mds))
	nfs_direct_write_complete(dreq);

	However since we're submitting asynchronous requests we sometimes have
	one that completes before we submit the next one, so we end up calling
	complete on the nfs_direct_request twice.

	The only other place we use nfs_generic_commit_list() is in
	__nfs_commit_inode, which wraps this call in a

	nfs_commit_begin();
	nfs_commit_end();

	Which is a common pattern for this style of completion handling, one
	that is also repeated in the direct code with get_dreq()/put_dreq()
	calls around where we process events as well as in the completion paths.

	Fix this by using the same pattern for the commit requests.

	Before with my 200 node rocksdb stress running this warning would pop
	every 10ish minutes. With my patch the stress test has been running for
	several hours without popping.

	The Linux kernel CVE team has assigned CVE-2024-26958 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 5.10.215 with commit 4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5
	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 5.15.154 with commit 80d24b308b7ee7037fc90d8ac99f6f78df0a256f
	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 6.1.84 with commit 3abc2d160ed8213948b147295d77d44a22c88fa3
	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 6.6.24 with commit e25447c35f8745337ea8bc0c9697fcac14df8605
	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 6.7.12 with commit 1daf52b5ffb24870fbeda20b4967526d8f9e12ab
	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 6.8.3 with commit cf54f66e1dd78990ec6b32177bca7e6ea2144a95
	Issue introduced in 4.5 with commit af7cf057933f01dc7f33ddfb5e436ad598ed17ad and fixed in 6.9 with commit 17f46b803d4f23c66cacce81db35fef3adb8f2af

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26958
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/nfs/direct.c
	fs/nfs/write.c
	include/linux/nfs_fs.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5
	https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f
	https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3
	https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605
	https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab
	https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95
	https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af