cve/published/2024/CVE-2024-39301.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-39301: net/9p: fix uninit-value in p9_client_rpc()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/9p: fix uninit-value in p9_client_rpc()

 Syzbot with the help of KMSAN reported the following error:

 BUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]
 BUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754
  trace_9p_client_res include/trace/events/9p.h:146 [inline]
  p9_client_rpc+0x1314/0x1340 net/9p/client.c:754
  p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031
  v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410
  v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122
  legacy_get_tree+0x114/0x290 fs/fs_context.c:662
  vfs_get_tree+0xa7/0x570 fs/super.c:1797
  do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
  path_mount+0x742/0x1f20 fs/namespace.c:3679
  do_mount fs/namespace.c:3692 [inline]
  __do_sys_mount fs/namespace.c:3898 [inline]
  __se_sys_mount+0x725/0x810 fs/namespace.c:3875
  __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
  do_syscall_64+0xd5/0x1f0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

 Uninit was created at:
  __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598
  __alloc_pages_node include/linux/gfp.h:238 [inline]
  alloc_pages_node include/linux/gfp.h:261 [inline]
  alloc_slab_page mm/slub.c:2175 [inline]
  allocate_slab mm/slub.c:2338 [inline]
  new_slab+0x2de/0x1400 mm/slub.c:2391
  ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525
  __slab_alloc mm/slub.c:3610 [inline]
  __slab_alloc_node mm/slub.c:3663 [inline]
  slab_alloc_node mm/slub.c:3835 [inline]
  kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852
  p9_tag_alloc net/9p/client.c:278 [inline]
  p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641
  p9_client_rpc+0x27e/0x1340 net/9p/client.c:688
  p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031
  v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410
  v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122
  legacy_get_tree+0x114/0x290 fs/fs_context.c:662
  vfs_get_tree+0xa7/0x570 fs/super.c:1797
  do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
  path_mount+0x742/0x1f20 fs/namespace.c:3679
  do_mount fs/namespace.c:3692 [inline]
  __do_sys_mount fs/namespace.c:3898 [inline]
  __se_sys_mount+0x725/0x810 fs/namespace.c:3875
  __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
  do_syscall_64+0xd5/0x1f0
  entry_SYSCALL_64_after_hwframe+0x6d/0x75

 If p9_check_errors() fails early in p9_client_rpc(), req->rc.tag
 will not be properly initialized. However, trace_9p_client_res()
 ends up trying to print it out anyway before p9_client_rpc()
 finishes.

 Fix this issue by assigning default values to p9_fcall fields
 such as 'tag' and (just in case KMSAN unearths something new) 'id'
 during the tag allocation stage.

 The Linux kernel CVE team has assigned CVE-2024-39301 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 4.19.316 with commit 72c5d8e416ecc46af370a1340b3db5ff0b0cc867
 	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 5.4.278 with commit 2101901dd58c6da4924bc5efb217a1d83436290b
 	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 5.10.219 with commit 124947855564572713d705a13be7d0c9dae16a17
 	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 5.15.161 with commit 89969ffbeb948ffc159d19252e7469490103011b
 	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 6.1.94 with commit ca71f204711ad24113e8b344dc5bb8b0385f5672
 	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 6.6.34 with commit 6c1791130b781c843572fb6391c4a4c5d857ab17
 	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 6.9.5 with commit fe5c604053c36c62af24eee8a76407d026ea5163
 	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 6.10 with commit 25460d6f39024cc3b8241b14c7ccf0d6f11a736a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-39301
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/9p/client.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/72c5d8e416ecc46af370a1340b3db5ff0b0cc867
 	https://git.kernel.org/stable/c/2101901dd58c6da4924bc5efb217a1d83436290b
 	https://git.kernel.org/stable/c/124947855564572713d705a13be7d0c9dae16a17
 	https://git.kernel.org/stable/c/89969ffbeb948ffc159d19252e7469490103011b
 	https://git.kernel.org/stable/c/ca71f204711ad24113e8b344dc5bb8b0385f5672
 	https://git.kernel.org/stable/c/6c1791130b781c843572fb6391c4a4c5d857ab17
 	https://git.kernel.org/stable/c/fe5c604053c36c62af24eee8a76407d026ea5163
 	https://git.kernel.org/stable/c/25460d6f39024cc3b8241b14c7ccf0d6f11a736a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-39301: net/9p: fix uninit-value in p9_client_rpc()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/9p: fix uninit-value in p9_client_rpc()

	Syzbot with the help of KMSAN reported the following error:

	BUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]
	BUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754
	trace_9p_client_res include/trace/events/9p.h:146 [inline]
	p9_client_rpc+0x1314/0x1340 net/9p/client.c:754
	p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031
	v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410
	v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122
	legacy_get_tree+0x114/0x290 fs/fs_context.c:662
	vfs_get_tree+0xa7/0x570 fs/super.c:1797
	do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
	path_mount+0x742/0x1f20 fs/namespace.c:3679
	do_mount fs/namespace.c:3692 [inline]
	__do_sys_mount fs/namespace.c:3898 [inline]
	__se_sys_mount+0x725/0x810 fs/namespace.c:3875
	__x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
	do_syscall_64+0xd5/0x1f0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75

	Uninit was created at:
	__alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598
	__alloc_pages_node include/linux/gfp.h:238 [inline]
	alloc_pages_node include/linux/gfp.h:261 [inline]
	alloc_slab_page mm/slub.c:2175 [inline]
	allocate_slab mm/slub.c:2338 [inline]
	new_slab+0x2de/0x1400 mm/slub.c:2391
	___slab_alloc+0x1184/0x33d0 mm/slub.c:3525
	__slab_alloc mm/slub.c:3610 [inline]
	__slab_alloc_node mm/slub.c:3663 [inline]
	slab_alloc_node mm/slub.c:3835 [inline]
	kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852
	p9_tag_alloc net/9p/client.c:278 [inline]
	p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641
	p9_client_rpc+0x27e/0x1340 net/9p/client.c:688
	p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031
	v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410
	v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122
	legacy_get_tree+0x114/0x290 fs/fs_context.c:662
	vfs_get_tree+0xa7/0x570 fs/super.c:1797
	do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
	path_mount+0x742/0x1f20 fs/namespace.c:3679
	do_mount fs/namespace.c:3692 [inline]
	__do_sys_mount fs/namespace.c:3898 [inline]
	__se_sys_mount+0x725/0x810 fs/namespace.c:3875
	__x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
	do_syscall_64+0xd5/0x1f0
	entry_SYSCALL_64_after_hwframe+0x6d/0x75

	If p9_check_errors() fails early in p9_client_rpc(), req->rc.tag
	will not be properly initialized. However, trace_9p_client_res()
	ends up trying to print it out anyway before p9_client_rpc()
	finishes.

	Fix this issue by assigning default values to p9_fcall fields
	such as 'tag' and (just in case KMSAN unearths something new) 'id'
	during the tag allocation stage.

	The Linux kernel CVE team has assigned CVE-2024-39301 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 4.19.316 with commit 72c5d8e416ecc46af370a1340b3db5ff0b0cc867
	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 5.4.278 with commit 2101901dd58c6da4924bc5efb217a1d83436290b
	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 5.10.219 with commit 124947855564572713d705a13be7d0c9dae16a17
	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 5.15.161 with commit 89969ffbeb948ffc159d19252e7469490103011b
	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 6.1.94 with commit ca71f204711ad24113e8b344dc5bb8b0385f5672
	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 6.6.34 with commit 6c1791130b781c843572fb6391c4a4c5d857ab17
	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 6.9.5 with commit fe5c604053c36c62af24eee8a76407d026ea5163
	Issue introduced in 3.2 with commit 348b59012e5c6402741d067cf6eeeb6271999d06 and fixed in 6.10 with commit 25460d6f39024cc3b8241b14c7ccf0d6f11a736a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-39301
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/9p/client.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/72c5d8e416ecc46af370a1340b3db5ff0b0cc867
	https://git.kernel.org/stable/c/2101901dd58c6da4924bc5efb217a1d83436290b
	https://git.kernel.org/stable/c/124947855564572713d705a13be7d0c9dae16a17
	https://git.kernel.org/stable/c/89969ffbeb948ffc159d19252e7469490103011b
	https://git.kernel.org/stable/c/ca71f204711ad24113e8b344dc5bb8b0385f5672
	https://git.kernel.org/stable/c/6c1791130b781c843572fb6391c4a4c5d857ab17
	https://git.kernel.org/stable/c/fe5c604053c36c62af24eee8a76407d026ea5163
	https://git.kernel.org/stable/c/25460d6f39024cc3b8241b14c7ccf0d6f11a736a