cve/published/2024/CVE-2024-41096.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41096: PCI/MSI: Fix UAF in msi_capability_init

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 PCI/MSI: Fix UAF in msi_capability_init

 KFENCE reports the following UAF:

  BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488

  Use-after-free read at 0x0000000024629571 (in kfence-#12):
   __pci_enable_msi_range+0x2c0/0x488
   pci_alloc_irq_vectors_affinity+0xec/0x14c
   pci_alloc_irq_vectors+0x18/0x28

  kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128

  allocated by task 81 on cpu 7 at 10.808142s:
   __kmem_cache_alloc_node+0x1f0/0x2bc
   kmalloc_trace+0x44/0x138
   msi_alloc_desc+0x3c/0x9c
   msi_domain_insert_msi_desc+0x30/0x78
   msi_setup_msi_desc+0x13c/0x184
   __pci_enable_msi_range+0x258/0x488
   pci_alloc_irq_vectors_affinity+0xec/0x14c
   pci_alloc_irq_vectors+0x18/0x28

  freed by task 81 on cpu 7 at 10.811436s:
   msi_domain_free_descs+0xd4/0x10c
   msi_domain_free_locked.part.0+0xc0/0x1d8
   msi_domain_alloc_irqs_all_locked+0xb4/0xbc
   pci_msi_setup_msi_irqs+0x30/0x4c
   __pci_enable_msi_range+0x2a8/0x488
   pci_alloc_irq_vectors_affinity+0xec/0x14c
   pci_alloc_irq_vectors+0x18/0x28

 Descriptor allocation done in:
 __pci_enable_msi_range
     msi_capability_init
         msi_setup_msi_desc
             msi_insert_msi_desc
                 msi_domain_insert_msi_desc
                     msi_alloc_desc
                         ...

 Freed in case of failure in __msi_domain_alloc_locked()
 __pci_enable_msi_range
     msi_capability_init
         pci_msi_setup_msi_irqs
             msi_domain_alloc_irqs_all_locked
                 msi_domain_alloc_locked
                     __msi_domain_alloc_locked => fails
                     msi_domain_free_locked
                         ...

 That failure propagates back to pci_msi_setup_msi_irqs() in
 msi_capability_init() which accesses the descriptor for unmasking in the
 error exit path.

 Cure it by copying the descriptor and using the copy for the error exit path
 unmask operation.

 [ tglx: Massaged change log ]

 The Linux kernel CVE team has assigned CVE-2024-41096 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit bf6e054e0e3fbc9614355b760e18c8a14f952a4e and fixed in 6.1.109 with commit 0ae40b2d0a5de6b045504098e365d4fdff5bbeba
 	Issue introduced in 5.17 with commit bf6e054e0e3fbc9614355b760e18c8a14f952a4e and fixed in 6.6.37 with commit ff1121d2214b794dc1772081f27bdd90721a84bc
 	Issue introduced in 5.17 with commit bf6e054e0e3fbc9614355b760e18c8a14f952a4e and fixed in 6.9.8 with commit 45fc8d20e0768ab0a0ad054081d0f68aa3c83976
 	Issue introduced in 5.17 with commit bf6e054e0e3fbc9614355b760e18c8a14f952a4e and fixed in 6.10 with commit 9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41096
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/pci/msi/msi.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0ae40b2d0a5de6b045504098e365d4fdff5bbeba
 	https://git.kernel.org/stable/c/ff1121d2214b794dc1772081f27bdd90721a84bc
 	https://git.kernel.org/stable/c/45fc8d20e0768ab0a0ad054081d0f68aa3c83976
 	https://git.kernel.org/stable/c/9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41096: PCI/MSI: Fix UAF in msi_capability_init

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	PCI/MSI: Fix UAF in msi_capability_init

	KFENCE reports the following UAF:

	BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488

	Use-after-free read at 0x0000000024629571 (in kfence-#12):
	__pci_enable_msi_range+0x2c0/0x488
	pci_alloc_irq_vectors_affinity+0xec/0x14c
	pci_alloc_irq_vectors+0x18/0x28

	kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128

	allocated by task 81 on cpu 7 at 10.808142s:
	__kmem_cache_alloc_node+0x1f0/0x2bc
	kmalloc_trace+0x44/0x138
	msi_alloc_desc+0x3c/0x9c
	msi_domain_insert_msi_desc+0x30/0x78
	msi_setup_msi_desc+0x13c/0x184
	__pci_enable_msi_range+0x258/0x488
	pci_alloc_irq_vectors_affinity+0xec/0x14c
	pci_alloc_irq_vectors+0x18/0x28

	freed by task 81 on cpu 7 at 10.811436s:
	msi_domain_free_descs+0xd4/0x10c
	msi_domain_free_locked.part.0+0xc0/0x1d8
	msi_domain_alloc_irqs_all_locked+0xb4/0xbc
	pci_msi_setup_msi_irqs+0x30/0x4c
	__pci_enable_msi_range+0x2a8/0x488
	pci_alloc_irq_vectors_affinity+0xec/0x14c
	pci_alloc_irq_vectors+0x18/0x28

	Descriptor allocation done in:
	__pci_enable_msi_range
	msi_capability_init
	msi_setup_msi_desc
	msi_insert_msi_desc
	msi_domain_insert_msi_desc
	msi_alloc_desc
	...

	Freed in case of failure in __msi_domain_alloc_locked()
	__pci_enable_msi_range
	msi_capability_init
	pci_msi_setup_msi_irqs
	msi_domain_alloc_irqs_all_locked
	msi_domain_alloc_locked
	__msi_domain_alloc_locked => fails
	msi_domain_free_locked
	...

	That failure propagates back to pci_msi_setup_msi_irqs() in
	msi_capability_init() which accesses the descriptor for unmasking in the
	error exit path.

	Cure it by copying the descriptor and using the copy for the error exit path
	unmask operation.

	[ tglx: Massaged change log ]

	The Linux kernel CVE team has assigned CVE-2024-41096 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit bf6e054e0e3fbc9614355b760e18c8a14f952a4e and fixed in 6.1.109 with commit 0ae40b2d0a5de6b045504098e365d4fdff5bbeba
	Issue introduced in 5.17 with commit bf6e054e0e3fbc9614355b760e18c8a14f952a4e and fixed in 6.6.37 with commit ff1121d2214b794dc1772081f27bdd90721a84bc
	Issue introduced in 5.17 with commit bf6e054e0e3fbc9614355b760e18c8a14f952a4e and fixed in 6.9.8 with commit 45fc8d20e0768ab0a0ad054081d0f68aa3c83976
	Issue introduced in 5.17 with commit bf6e054e0e3fbc9614355b760e18c8a14f952a4e and fixed in 6.10 with commit 9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41096
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/pci/msi/msi.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0ae40b2d0a5de6b045504098e365d4fdff5bbeba
	https://git.kernel.org/stable/c/ff1121d2214b794dc1772081f27bdd90721a84bc
	https://git.kernel.org/stable/c/45fc8d20e0768ab0a0ad054081d0f68aa3c83976
	https://git.kernel.org/stable/c/9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1