cve/published/2024/CVE-2024-38539.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38539: RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw

 When running blktests nvme/rdma, the following kmemleak issue will appear.

 kmemleak: Kernel memory leak detector initialized (mempool available:36041)
 kmemleak: Automatic memory scanning thread started
 kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
 kmemleak: 8 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
 kmemleak: 17 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
 kmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak)

 unreferenced object 0xffff88855da53400 (size 192):
   comm "rdma", pid 10630, jiffies 4296575922
   hex dump (first 32 bytes):
     37 00 00 00 00 00 00 00 c0 ff ff ff 1f 00 00 00  7...............
     10 34 a5 5d 85 88 ff ff 10 34 a5 5d 85 88 ff ff  .4.].....4.]....
   backtrace (crc 47f66721):
     [<ffffffff911251bd>] kmalloc_trace+0x30d/0x3b0
     [<ffffffffc2640ff7>] alloc_gid_entry+0x47/0x380 [ib_core]
     [<ffffffffc2642206>] add_modify_gid+0x166/0x930 [ib_core]
     [<ffffffffc2643468>] ib_cache_update.part.0+0x6d8/0x910 [ib_core]
     [<ffffffffc2644e1a>] ib_cache_setup_one+0x24a/0x350 [ib_core]
     [<ffffffffc263949e>] ib_register_device+0x9e/0x3a0 [ib_core]
     [<ffffffffc2a3d389>] 0xffffffffc2a3d389
     [<ffffffffc2688cd8>] nldev_newlink+0x2b8/0x520 [ib_core]
     [<ffffffffc2645fe3>] rdma_nl_rcv_msg+0x2c3/0x520 [ib_core]
     [<ffffffffc264648c>]
 rdma_nl_rcv_skb.constprop.0.isra.0+0x23c/0x3a0 [ib_core]
     [<ffffffff9270e7b5>] netlink_unicast+0x445/0x710
     [<ffffffff9270f1f1>] netlink_sendmsg+0x761/0xc40
     [<ffffffff9249db29>] __sys_sendto+0x3a9/0x420
     [<ffffffff9249dc8c>] __x64_sys_sendto+0xdc/0x1b0
     [<ffffffff92db0ad3>] do_syscall_64+0x93/0x180
     [<ffffffff92e00126>] entry_SYSCALL_64_after_hwframe+0x71/0x79

 The root cause: rdma_put_gid_attr is not called when sgid_attr is set
 to ERR_PTR(-ENODEV).

 The Linux kernel CVE team has assigned CVE-2024-38539 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.6 with commit f8ef1be816bf9a0c406c696368c2264a9597a994 and fixed in 6.6.33 with commit 3eb127dc408bf7959a4920d04d16ce10e863686a
 	Issue introduced in 6.6 with commit f8ef1be816bf9a0c406c696368c2264a9597a994 and fixed in 6.8.12 with commit 6564fc1818404254d1c9f7d75b403b4941516d26
 	Issue introduced in 6.6 with commit f8ef1be816bf9a0c406c696368c2264a9597a994 and fixed in 6.9.3 with commit b3a7fb93afd888793ef226e9665fbda98a95c48e
 	Issue introduced in 6.6 with commit f8ef1be816bf9a0c406c696368c2264a9597a994 and fixed in 6.10 with commit 9c0731832d3b7420cbadba6a7f334363bc8dfb15

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38539
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/core/cma.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3eb127dc408bf7959a4920d04d16ce10e863686a
 	https://git.kernel.org/stable/c/6564fc1818404254d1c9f7d75b403b4941516d26
 	https://git.kernel.org/stable/c/b3a7fb93afd888793ef226e9665fbda98a95c48e
 	https://git.kernel.org/stable/c/9c0731832d3b7420cbadba6a7f334363bc8dfb15
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38539: RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw

	When running blktests nvme/rdma, the following kmemleak issue will appear.

	kmemleak: Kernel memory leak detector initialized (mempool available:36041)
	kmemleak: Automatic memory scanning thread started
	kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
	kmemleak: 8 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
	kmemleak: 17 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
	kmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak)

	unreferenced object 0xffff88855da53400 (size 192):
	comm "rdma", pid 10630, jiffies 4296575922
	hex dump (first 32 bytes):
	37 00 00 00 00 00 00 00 c0 ff ff ff 1f 00 00 00 7...............
	10 34 a5 5d 85 88 ff ff 10 34 a5 5d 85 88 ff ff .4.].....4.]....
	backtrace (crc 47f66721):
	[<ffffffff911251bd>] kmalloc_trace+0x30d/0x3b0
	[<ffffffffc2640ff7>] alloc_gid_entry+0x47/0x380 [ib_core]
	[<ffffffffc2642206>] add_modify_gid+0x166/0x930 [ib_core]
	[<ffffffffc2643468>] ib_cache_update.part.0+0x6d8/0x910 [ib_core]
	[<ffffffffc2644e1a>] ib_cache_setup_one+0x24a/0x350 [ib_core]
	[<ffffffffc263949e>] ib_register_device+0x9e/0x3a0 [ib_core]
	[<ffffffffc2a3d389>] 0xffffffffc2a3d389
	[<ffffffffc2688cd8>] nldev_newlink+0x2b8/0x520 [ib_core]
	[<ffffffffc2645fe3>] rdma_nl_rcv_msg+0x2c3/0x520 [ib_core]
	[<ffffffffc264648c>]
	rdma_nl_rcv_skb.constprop.0.isra.0+0x23c/0x3a0 [ib_core]
	[<ffffffff9270e7b5>] netlink_unicast+0x445/0x710
	[<ffffffff9270f1f1>] netlink_sendmsg+0x761/0xc40
	[<ffffffff9249db29>] __sys_sendto+0x3a9/0x420
	[<ffffffff9249dc8c>] __x64_sys_sendto+0xdc/0x1b0
	[<ffffffff92db0ad3>] do_syscall_64+0x93/0x180
	[<ffffffff92e00126>] entry_SYSCALL_64_after_hwframe+0x71/0x79

	The root cause: rdma_put_gid_attr is not called when sgid_attr is set
	to ERR_PTR(-ENODEV).

	The Linux kernel CVE team has assigned CVE-2024-38539 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.6 with commit f8ef1be816bf9a0c406c696368c2264a9597a994 and fixed in 6.6.33 with commit 3eb127dc408bf7959a4920d04d16ce10e863686a
	Issue introduced in 6.6 with commit f8ef1be816bf9a0c406c696368c2264a9597a994 and fixed in 6.8.12 with commit 6564fc1818404254d1c9f7d75b403b4941516d26
	Issue introduced in 6.6 with commit f8ef1be816bf9a0c406c696368c2264a9597a994 and fixed in 6.9.3 with commit b3a7fb93afd888793ef226e9665fbda98a95c48e
	Issue introduced in 6.6 with commit f8ef1be816bf9a0c406c696368c2264a9597a994 and fixed in 6.10 with commit 9c0731832d3b7420cbadba6a7f334363bc8dfb15

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38539
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/core/cma.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3eb127dc408bf7959a4920d04d16ce10e863686a
	https://git.kernel.org/stable/c/6564fc1818404254d1c9f7d75b403b4941516d26
	https://git.kernel.org/stable/c/b3a7fb93afd888793ef226e9665fbda98a95c48e
	https://git.kernel.org/stable/c/9c0731832d3b7420cbadba6a7f334363bc8dfb15