cve/published/2024/CVE-2024-36000.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36000: mm/hugetlb: fix missing hugetlb_lock for resv uncharge

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm/hugetlb: fix missing hugetlb_lock for resv uncharge

 There is a recent report on UFFDIO_COPY over hugetlb:

 https://lore.kernel.org/all/000000000000ee06de0616177560@google.com/

 350:	lockdep_assert_held(&hugetlb_lock);

 Should be an issue in hugetlb but triggered in an userfault context, where
 it goes into the unlikely path where two threads modifying the resv map
 together.  Mike has a fix in that path for resv uncharge but it looks like
 the locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()
 will update the cgroup pointer, so it requires to be called with the lock
 held.

 The Linux kernel CVE team has assigned CVE-2024-36000 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10 with commit 79aa925bf239c234be8586780e482872dc4690dd and fixed in 6.1.91 with commit 4c806333efea1000a2a9620926f560ad2e1ca7cc
 	Issue introduced in 5.10 with commit 79aa925bf239c234be8586780e482872dc4690dd and fixed in 6.6.30 with commit f6c5d21db16a0910152ec8aa9d5a7aed72694505
 	Issue introduced in 5.10 with commit 79aa925bf239c234be8586780e482872dc4690dd and fixed in 6.8.9 with commit 538faabf31e9c53d8c870d114846fda958a0de10
 	Issue introduced in 5.10 with commit 79aa925bf239c234be8586780e482872dc4690dd and fixed in 6.9 with commit b76b46902c2d0395488c8412e1116c2486cdfcb2
 	Issue introduced in 5.9.7 with commit f87004c0b2bdf0f1066b88795d8e6c1dfad6cea0

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36000
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/hugetlb.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4c806333efea1000a2a9620926f560ad2e1ca7cc
 	https://git.kernel.org/stable/c/f6c5d21db16a0910152ec8aa9d5a7aed72694505
 	https://git.kernel.org/stable/c/538faabf31e9c53d8c870d114846fda958a0de10
 	https://git.kernel.org/stable/c/b76b46902c2d0395488c8412e1116c2486cdfcb2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36000: mm/hugetlb: fix missing hugetlb_lock for resv uncharge

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm/hugetlb: fix missing hugetlb_lock for resv uncharge

	There is a recent report on UFFDIO_COPY over hugetlb:

	https://lore.kernel.org/all/000000000000ee06de0616177560@google.com/

	350: lockdep_assert_held(&hugetlb_lock);

	Should be an issue in hugetlb but triggered in an userfault context, where
	it goes into the unlikely path where two threads modifying the resv map
	together. Mike has a fix in that path for resv uncharge but it looks like
	the locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()
	will update the cgroup pointer, so it requires to be called with the lock
	held.

	The Linux kernel CVE team has assigned CVE-2024-36000 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10 with commit 79aa925bf239c234be8586780e482872dc4690dd and fixed in 6.1.91 with commit 4c806333efea1000a2a9620926f560ad2e1ca7cc
	Issue introduced in 5.10 with commit 79aa925bf239c234be8586780e482872dc4690dd and fixed in 6.6.30 with commit f6c5d21db16a0910152ec8aa9d5a7aed72694505
	Issue introduced in 5.10 with commit 79aa925bf239c234be8586780e482872dc4690dd and fixed in 6.8.9 with commit 538faabf31e9c53d8c870d114846fda958a0de10
	Issue introduced in 5.10 with commit 79aa925bf239c234be8586780e482872dc4690dd and fixed in 6.9 with commit b76b46902c2d0395488c8412e1116c2486cdfcb2
	Issue introduced in 5.9.7 with commit f87004c0b2bdf0f1066b88795d8e6c1dfad6cea0

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36000
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/hugetlb.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4c806333efea1000a2a9620926f560ad2e1ca7cc
	https://git.kernel.org/stable/c/f6c5d21db16a0910152ec8aa9d5a7aed72694505
	https://git.kernel.org/stable/c/538faabf31e9c53d8c870d114846fda958a0de10
	https://git.kernel.org/stable/c/b76b46902c2d0395488c8412e1116c2486cdfcb2