cve/published/2024/CVE-2024-36915.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36915: nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies

 syzbot reported unsafe calls to copy_from_sockptr() [1]

 Use copy_safe_from_sockptr() instead.

 [1]

 BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
  BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
  BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255
 Read of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078

 CPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
 Call Trace:
  <TASK>
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
   print_address_description mm/kasan/report.c:377 [inline]
   print_report+0x169/0x550 mm/kasan/report.c:488
   kasan_report+0x143/0x180 mm/kasan/report.c:601
   copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
   copy_from_sockptr include/linux/sockptr.h:55 [inline]
   nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255
   do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311
   __sys_setsockopt+0x1ae/0x250 net/socket.c:2334
   __do_sys_setsockopt net/socket.c:2343 [inline]
   __se_sys_setsockopt net/socket.c:2340 [inline]
   __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
  do_syscall_64+0xfd/0x240
  entry_SYSCALL_64_after_hwframe+0x6d/0x75
 RIP: 0033:0x7f7fac07fd89
 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89
 RDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004
 RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000
 R10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

 The Linux kernel CVE team has assigned CVE-2024-36915 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.1.119 with commit 298609e7069ce74542a2253a39ccc9717f1d877a
 	Fixed in 6.6.47 with commit 0f106133203021533cb753e80d75896f4ad222f8
 	Fixed in 6.8.10 with commit 29dc0ea979d433dd3c26abc8fa971550bdc05107
 	Fixed in 6.9 with commit 7a87441c9651ba37842f4809224aca13a554a26f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36915
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/nfc/llcp_sock.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/298609e7069ce74542a2253a39ccc9717f1d877a
 	https://git.kernel.org/stable/c/0f106133203021533cb753e80d75896f4ad222f8
 	https://git.kernel.org/stable/c/29dc0ea979d433dd3c26abc8fa971550bdc05107
 	https://git.kernel.org/stable/c/7a87441c9651ba37842f4809224aca13a554a26f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36915: nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies

	syzbot reported unsafe calls to copy_from_sockptr() [1]

	Use copy_safe_from_sockptr() instead.

	[1]

	BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
	BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
	BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255
	Read of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078

	CPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
	print_address_description mm/kasan/report.c:377 [inline]
	print_report+0x169/0x550 mm/kasan/report.c:488
	kasan_report+0x143/0x180 mm/kasan/report.c:601
	copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
	copy_from_sockptr include/linux/sockptr.h:55 [inline]
	nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255
	do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311
	__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
	__do_sys_setsockopt net/socket.c:2343 [inline]
	__se_sys_setsockopt net/socket.c:2340 [inline]
	__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
	do_syscall_64+0xfd/0x240
	entry_SYSCALL_64_after_hwframe+0x6d/0x75
	RIP: 0033:0x7f7fac07fd89
	Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
	RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89
	RDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004
	RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000
	R10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000
	R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

	The Linux kernel CVE team has assigned CVE-2024-36915 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.1.119 with commit 298609e7069ce74542a2253a39ccc9717f1d877a
	Fixed in 6.6.47 with commit 0f106133203021533cb753e80d75896f4ad222f8
	Fixed in 6.8.10 with commit 29dc0ea979d433dd3c26abc8fa971550bdc05107
	Fixed in 6.9 with commit 7a87441c9651ba37842f4809224aca13a554a26f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36915
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/nfc/llcp_sock.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/298609e7069ce74542a2253a39ccc9717f1d877a
	https://git.kernel.org/stable/c/0f106133203021533cb753e80d75896f4ad222f8
	https://git.kernel.org/stable/c/29dc0ea979d433dd3c26abc8fa971550bdc05107
	https://git.kernel.org/stable/c/7a87441c9651ba37842f4809224aca13a554a26f