cve/published/2024/CVE-2024-41098.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41098: ata: libata-core: Fix null pointer dereference on error

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ata: libata-core: Fix null pointer dereference on error

 If the ata_port_alloc() call in ata_host_alloc() fails,
 ata_host_release() will get called.

 However, the code in ata_host_release() tries to free ata_port struct
 members unconditionally, which can lead to the following:

 BUG: unable to handle page fault for address: 0000000000003990
 PGD 0 P4D 0
 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
 RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]
 Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41
 RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246
 RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0
 RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68
 R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004
 R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006
 FS:  00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0
 PKRU: 55555554
 Call Trace:
  <TASK>
  ? __die_body.cold+0x19/0x27
  ? page_fault_oops+0x15a/0x2f0
  ? exc_page_fault+0x7e/0x180
  ? asm_exc_page_fault+0x26/0x30
  ? ata_host_release.cold+0x2f/0x6e [libata]
  ? ata_host_release.cold+0x2f/0x6e [libata]
  release_nodes+0x35/0xb0
  devres_release_group+0x113/0x140
  ata_host_alloc+0xed/0x120 [libata]
  ata_host_alloc_pinfo+0x14/0xa0 [libata]
  ahci_init_one+0x6c9/0xd20 [ahci]

 Do not access ata_port struct members unconditionally.

 The Linux kernel CVE team has assigned CVE-2024-41098 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 4.19.321 with commit d9c4df80b1b009de1eb77c07e3bb4d45bd212aa5
 	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 5.4.283 with commit 56e62977eaaae3eb7122ee2cf9b720b6703114a9
 	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 5.10.225 with commit e83405e75d90694ee6a5d898f7f0473ac2686054
 	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 5.15.166 with commit 221e3b1297e74fdec32d0f572f4dcb2260a0a2af
 	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 6.1.108 with commit 0f0d37c154bb108730c90a91aa31e3170e827962
 	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 6.6.37 with commit 119c97ace2a9ffcf4dc09a23bb057d6c281aff28
 	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 6.9.8 with commit 8a8ff7e3b736a70d7b7c8764cbcd2724d4079ec8
 	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 6.10 with commit 5d92c7c566dc76d96e0e19e481d926bbe6631c1e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41098
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/ata/libata-core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d9c4df80b1b009de1eb77c07e3bb4d45bd212aa5
 	https://git.kernel.org/stable/c/56e62977eaaae3eb7122ee2cf9b720b6703114a9
 	https://git.kernel.org/stable/c/e83405e75d90694ee6a5d898f7f0473ac2686054
 	https://git.kernel.org/stable/c/221e3b1297e74fdec32d0f572f4dcb2260a0a2af
 	https://git.kernel.org/stable/c/0f0d37c154bb108730c90a91aa31e3170e827962
 	https://git.kernel.org/stable/c/119c97ace2a9ffcf4dc09a23bb057d6c281aff28
 	https://git.kernel.org/stable/c/8a8ff7e3b736a70d7b7c8764cbcd2724d4079ec8
 	https://git.kernel.org/stable/c/5d92c7c566dc76d96e0e19e481d926bbe6631c1e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41098: ata: libata-core: Fix null pointer dereference on error

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ata: libata-core: Fix null pointer dereference on error

	If the ata_port_alloc() call in ata_host_alloc() fails,
	ata_host_release() will get called.

	However, the code in ata_host_release() tries to free ata_port struct
	members unconditionally, which can lead to the following:

	BUG: unable to handle page fault for address: 0000000000003990
	PGD 0 P4D 0
	Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
	CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
	RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]
	Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41
	RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246
	RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000
	RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0
	RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68
	R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004
	R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006
	FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0
	PKRU: 55555554
	Call Trace:
	<TASK>
	? __die_body.cold+0x19/0x27
	? page_fault_oops+0x15a/0x2f0
	? exc_page_fault+0x7e/0x180
	? asm_exc_page_fault+0x26/0x30
	? ata_host_release.cold+0x2f/0x6e [libata]
	? ata_host_release.cold+0x2f/0x6e [libata]
	release_nodes+0x35/0xb0
	devres_release_group+0x113/0x140
	ata_host_alloc+0xed/0x120 [libata]
	ata_host_alloc_pinfo+0x14/0xa0 [libata]
	ahci_init_one+0x6c9/0xd20 [ahci]

	Do not access ata_port struct members unconditionally.

	The Linux kernel CVE team has assigned CVE-2024-41098 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 4.19.321 with commit d9c4df80b1b009de1eb77c07e3bb4d45bd212aa5
	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 5.4.283 with commit 56e62977eaaae3eb7122ee2cf9b720b6703114a9
	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 5.10.225 with commit e83405e75d90694ee6a5d898f7f0473ac2686054
	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 5.15.166 with commit 221e3b1297e74fdec32d0f572f4dcb2260a0a2af
	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 6.1.108 with commit 0f0d37c154bb108730c90a91aa31e3170e827962
	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 6.6.37 with commit 119c97ace2a9ffcf4dc09a23bb057d6c281aff28
	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 6.9.8 with commit 8a8ff7e3b736a70d7b7c8764cbcd2724d4079ec8
	Issue introduced in 2.6.24 with commit 633273a3ed1cf37ced90475b0f95cf81deab04f1 and fixed in 6.10 with commit 5d92c7c566dc76d96e0e19e481d926bbe6631c1e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41098
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/ata/libata-core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d9c4df80b1b009de1eb77c07e3bb4d45bd212aa5
	https://git.kernel.org/stable/c/56e62977eaaae3eb7122ee2cf9b720b6703114a9
	https://git.kernel.org/stable/c/e83405e75d90694ee6a5d898f7f0473ac2686054
	https://git.kernel.org/stable/c/221e3b1297e74fdec32d0f572f4dcb2260a0a2af
	https://git.kernel.org/stable/c/0f0d37c154bb108730c90a91aa31e3170e827962
	https://git.kernel.org/stable/c/119c97ace2a9ffcf4dc09a23bb057d6c281aff28
	https://git.kernel.org/stable/c/8a8ff7e3b736a70d7b7c8764cbcd2724d4079ec8
	https://git.kernel.org/stable/c/5d92c7c566dc76d96e0e19e481d926bbe6631c1e