cve/published/2024/CVE-2024-41001.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41001: io_uring/sqpoll: work around a potential audit memory leak

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 io_uring/sqpoll: work around a potential audit memory leak

 kmemleak complains that there's a memory leak related to connect
 handling:

 unreferenced object 0xffff0001093bdf00 (size 128):
 comm "iou-sqp-455", pid 457, jiffies 4294894164
 hex dump (first 32 bytes):
 02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00  ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 backtrace (crc 2e481b1a):
 [<00000000c0a26af4>] kmemleak_alloc+0x30/0x38
 [<000000009c30bb45>] kmalloc_trace+0x228/0x358
 [<000000009da9d39f>] __audit_sockaddr+0xd0/0x138
 [<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8
 [<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4
 [<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48
 [<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4
 [<00000000d999b491>] ret_from_fork+0x10/0x20

 which can can happen if:

 1) The command type does something on the prep side that triggers an
    audit call.
 2) The thread hasn't done any operations before this that triggered
    an audit call inside ->issue(), where we have audit_uring_entry()
    and audit_uring_exit().

 Work around this by issuing a blanket NOP operation before the SQPOLL
 does anything.

 The Linux kernel CVE team has assigned CVE-2024-41001 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.1.96 with commit 55c22375cbaa24f77dd13f9ae0642915444a1227
 	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.6.36 with commit 9e810bd995823786ea30543e480e8a573e5e5667
 	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.9.7 with commit a40e90d9304629002fb17200f7779823a81191d3
 	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.10 with commit c4ce0ab27646f4206a9eb502d6fe45cb080e1cae

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41001
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	io_uring/sqpoll.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/55c22375cbaa24f77dd13f9ae0642915444a1227
 	https://git.kernel.org/stable/c/9e810bd995823786ea30543e480e8a573e5e5667
 	https://git.kernel.org/stable/c/a40e90d9304629002fb17200f7779823a81191d3
 	https://git.kernel.org/stable/c/c4ce0ab27646f4206a9eb502d6fe45cb080e1cae
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41001: io_uring/sqpoll: work around a potential audit memory leak

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	io_uring/sqpoll: work around a potential audit memory leak

	kmemleak complains that there's a memory leak related to connect
	handling:

	unreferenced object 0xffff0001093bdf00 (size 128):
	comm "iou-sqp-455", pid 457, jiffies 4294894164
	hex dump (first 32 bytes):
	02 00 fa ea 7f 00 00 01 00 00 00 00 00 00 00 00 ................
	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	backtrace (crc 2e481b1a):
	[<00000000c0a26af4>] kmemleak_alloc+0x30/0x38
	[<000000009c30bb45>] kmalloc_trace+0x228/0x358
	[<000000009da9d39f>] __audit_sockaddr+0xd0/0x138
	[<0000000089a93e34>] move_addr_to_kernel+0x1a0/0x1f8
	[<000000000b4e80e6>] io_connect_prep+0x1ec/0x2d4
	[<00000000abfbcd99>] io_submit_sqes+0x588/0x1e48
	[<00000000e7c25e07>] io_sq_thread+0x8a4/0x10e4
	[<00000000d999b491>] ret_from_fork+0x10/0x20

	which can can happen if:

	1) The command type does something on the prep side that triggers an
	audit call.
	2) The thread hasn't done any operations before this that triggered
	an audit call inside ->issue(), where we have audit_uring_entry()
	and audit_uring_exit().

	Work around this by issuing a blanket NOP operation before the SQPOLL
	does anything.

	The Linux kernel CVE team has assigned CVE-2024-41001 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.1.96 with commit 55c22375cbaa24f77dd13f9ae0642915444a1227
	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.6.36 with commit 9e810bd995823786ea30543e480e8a573e5e5667
	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.9.7 with commit a40e90d9304629002fb17200f7779823a81191d3
	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.10 with commit c4ce0ab27646f4206a9eb502d6fe45cb080e1cae

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41001
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	io_uring/sqpoll.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/55c22375cbaa24f77dd13f9ae0642915444a1227
	https://git.kernel.org/stable/c/9e810bd995823786ea30543e480e8a573e5e5667
	https://git.kernel.org/stable/c/a40e90d9304629002fb17200f7779823a81191d3
	https://git.kernel.org/stable/c/c4ce0ab27646f4206a9eb502d6fe45cb080e1cae