cve/published/2024/CVE-2024-36478.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36478: null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'

 Writing 'power' and 'submit_queues' concurrently will trigger kernel
 panic:

 Test script:

 modprobe null_blk nr_devices=0
 mkdir -p /sys/kernel/config/nullb/nullb0
 while true; do echo 1 > submit_queues; echo 4 > submit_queues; done &
 while true; do echo 1 > power; echo 0 > power; done

 Test result:

 BUG: kernel NULL pointer dereference, address: 0000000000000148
 Oops: 0000 [#1] PREEMPT SMP
 RIP: 0010:__lock_acquire+0x41d/0x28f0
 Call Trace:
  <TASK>
  lock_acquire+0x121/0x450
  down_write+0x5f/0x1d0
  simple_recursive_removal+0x12f/0x5c0
  blk_mq_debugfs_unregister_hctxs+0x7c/0x100
  blk_mq_update_nr_hw_queues+0x4a3/0x720
  nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
  nullb_device_submit_queues_store+0x79/0xf0 [null_blk]
  configfs_write_iter+0x119/0x1e0
  vfs_write+0x326/0x730
  ksys_write+0x74/0x150

 This is because del_gendisk() can concurrent with
 blk_mq_update_nr_hw_queues():

 nullb_device_power_store	nullb_apply_submit_queues
  null_del_dev
  del_gendisk
 				 nullb_update_nr_hw_queues
 				  if (!dev->nullb)
 				  // still set while gendisk is deleted
 				   return 0
 				  blk_mq_update_nr_hw_queues
  dev->nullb = NULL

 Fix this problem by resuing the global mutex to protect
 nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.

 The Linux kernel CVE team has assigned CVE-2024-36478 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit 45919fbfe1c487c17ea1d198534339a5e8abeae3 and fixed in 6.1.119 with commit 1d4c8baef435c98e8d5aa7027dc5a9f70834ba16
 	Issue introduced in 5.5 with commit 45919fbfe1c487c17ea1d198534339a5e8abeae3 and fixed in 6.6.55 with commit aaadb755f2d684f715a6eb85cb7243aa0c67dfa9
 	Issue introduced in 5.5 with commit 45919fbfe1c487c17ea1d198534339a5e8abeae3 and fixed in 6.9.4 with commit 5d0495473ee4c1d041b5a917f10446a22c047f47
 	Issue introduced in 5.5 with commit 45919fbfe1c487c17ea1d198534339a5e8abeae3 and fixed in 6.10 with commit a2db328b0839312c169eb42746ec46fc1ab53ed2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36478
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/block/null_blk/main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1d4c8baef435c98e8d5aa7027dc5a9f70834ba16
 	https://git.kernel.org/stable/c/aaadb755f2d684f715a6eb85cb7243aa0c67dfa9
 	https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47
 	https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36478: null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'

	Writing 'power' and 'submit_queues' concurrently will trigger kernel
	panic:

	Test script:

	modprobe null_blk nr_devices=0
	mkdir -p /sys/kernel/config/nullb/nullb0
	while true; do echo 1 > submit_queues; echo 4 > submit_queues; done &
	while true; do echo 1 > power; echo 0 > power; done

	Test result:

	BUG: kernel NULL pointer dereference, address: 0000000000000148
	Oops: 0000 [#1] PREEMPT SMP
	RIP: 0010:__lock_acquire+0x41d/0x28f0
	Call Trace:
	<TASK>
	lock_acquire+0x121/0x450
	down_write+0x5f/0x1d0
	simple_recursive_removal+0x12f/0x5c0
	blk_mq_debugfs_unregister_hctxs+0x7c/0x100
	blk_mq_update_nr_hw_queues+0x4a3/0x720
	nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
	nullb_device_submit_queues_store+0x79/0xf0 [null_blk]
	configfs_write_iter+0x119/0x1e0
	vfs_write+0x326/0x730
	ksys_write+0x74/0x150

	This is because del_gendisk() can concurrent with
	blk_mq_update_nr_hw_queues():

	nullb_device_power_store nullb_apply_submit_queues
	null_del_dev
	del_gendisk
	nullb_update_nr_hw_queues
	if (!dev->nullb)
	// still set while gendisk is deleted
	return 0
	blk_mq_update_nr_hw_queues
	dev->nullb = NULL

	Fix this problem by resuing the global mutex to protect
	nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.

	The Linux kernel CVE team has assigned CVE-2024-36478 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit 45919fbfe1c487c17ea1d198534339a5e8abeae3 and fixed in 6.1.119 with commit 1d4c8baef435c98e8d5aa7027dc5a9f70834ba16
	Issue introduced in 5.5 with commit 45919fbfe1c487c17ea1d198534339a5e8abeae3 and fixed in 6.6.55 with commit aaadb755f2d684f715a6eb85cb7243aa0c67dfa9
	Issue introduced in 5.5 with commit 45919fbfe1c487c17ea1d198534339a5e8abeae3 and fixed in 6.9.4 with commit 5d0495473ee4c1d041b5a917f10446a22c047f47
	Issue introduced in 5.5 with commit 45919fbfe1c487c17ea1d198534339a5e8abeae3 and fixed in 6.10 with commit a2db328b0839312c169eb42746ec46fc1ab53ed2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36478
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/block/null_blk/main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1d4c8baef435c98e8d5aa7027dc5a9f70834ba16
	https://git.kernel.org/stable/c/aaadb755f2d684f715a6eb85cb7243aa0c67dfa9
	https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47
	https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2