cve/published/2024/CVE-2024-44934.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-44934: net: bridge: mcast: wait for previous gc cycles when removing port

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: bridge: mcast: wait for previous gc cycles when removing port

 syzbot hit a use-after-free[1] which is caused because the bridge doesn't
 make sure that all previous garbage has been collected when removing a
 port. What happens is:
       CPU 1                   CPU 2
  start gc cycle           remove port
                          acquire gc lock first
  wait for lock
                          call br_multicasg_gc() directly
  acquire lock now but    free port
  the port can be freed
  while grp timers still
  running

 Make sure all previous gc cycles have finished by using flush_work before
 freeing the port.

 [1]
   BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
   Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699

   CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0
   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
   Call Trace:
    <IRQ>
    __dump_stack lib/dump_stack.c:88 [inline]
    dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
    print_address_description mm/kasan/report.c:377 [inline]
    print_report+0xc3/0x620 mm/kasan/report.c:488
    kasan_report+0xd9/0x110 mm/kasan/report.c:601
    br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
    call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
    expire_timers kernel/time/timer.c:1843 [inline]
    __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417
    __run_timer_base kernel/time/timer.c:2428 [inline]
    __run_timer_base kernel/time/timer.c:2421 [inline]
    run_timer_base+0x111/0x190 kernel/time/timer.c:2437

 The Linux kernel CVE team has assigned CVE-2024-44934 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10 with commit e12cec65b5546f19217e26aafb8add6e2fadca18 and fixed in 5.15.165 with commit 1e16828020c674b3be85f52685e8b80f9008f50f
 	Issue introduced in 5.10 with commit e12cec65b5546f19217e26aafb8add6e2fadca18 and fixed in 6.1.105 with commit 0d8b26e10e680c01522d7cc14abe04c3265a928f
 	Issue introduced in 5.10 with commit e12cec65b5546f19217e26aafb8add6e2fadca18 and fixed in 6.6.46 with commit e3145ca904fa8dbfd1a5bf0187905bc117b0efce
 	Issue introduced in 5.10 with commit e12cec65b5546f19217e26aafb8add6e2fadca18 and fixed in 6.10.5 with commit b2f794b168cf560682ff976b255aa6d29d14a658
 	Issue introduced in 5.10 with commit e12cec65b5546f19217e26aafb8add6e2fadca18 and fixed in 6.11 with commit 92c4ee25208d0f35dafc3213cdf355fbe449e078

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-44934
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bridge/br_multicast.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f
 	https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f
 	https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce
 	https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658
 	https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-44934: net: bridge: mcast: wait for previous gc cycles when removing port

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: bridge: mcast: wait for previous gc cycles when removing port

	syzbot hit a use-after-free[1] which is caused because the bridge doesn't
	make sure that all previous garbage has been collected when removing a
	port. What happens is:
	CPU 1 CPU 2
	start gc cycle remove port
	acquire gc lock first
	wait for lock
	call br_multicasg_gc() directly
	acquire lock now but free port
	the port can be freed
	while grp timers still
	running

	Make sure all previous gc cycles have finished by using flush_work before
	freeing the port.

	[1]
	BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
	Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699

	CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
	Call Trace:
	<IRQ>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
	print_address_description mm/kasan/report.c:377 [inline]
	print_report+0xc3/0x620 mm/kasan/report.c:488
	kasan_report+0xd9/0x110 mm/kasan/report.c:601
	br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
	call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
	expire_timers kernel/time/timer.c:1843 [inline]
	__run_timers+0x74b/0xaf0 kernel/time/timer.c:2417
	__run_timer_base kernel/time/timer.c:2428 [inline]
	__run_timer_base kernel/time/timer.c:2421 [inline]
	run_timer_base+0x111/0x190 kernel/time/timer.c:2437

	The Linux kernel CVE team has assigned CVE-2024-44934 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10 with commit e12cec65b5546f19217e26aafb8add6e2fadca18 and fixed in 5.15.165 with commit 1e16828020c674b3be85f52685e8b80f9008f50f
	Issue introduced in 5.10 with commit e12cec65b5546f19217e26aafb8add6e2fadca18 and fixed in 6.1.105 with commit 0d8b26e10e680c01522d7cc14abe04c3265a928f
	Issue introduced in 5.10 with commit e12cec65b5546f19217e26aafb8add6e2fadca18 and fixed in 6.6.46 with commit e3145ca904fa8dbfd1a5bf0187905bc117b0efce
	Issue introduced in 5.10 with commit e12cec65b5546f19217e26aafb8add6e2fadca18 and fixed in 6.10.5 with commit b2f794b168cf560682ff976b255aa6d29d14a658
	Issue introduced in 5.10 with commit e12cec65b5546f19217e26aafb8add6e2fadca18 and fixed in 6.11 with commit 92c4ee25208d0f35dafc3213cdf355fbe449e078

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-44934
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bridge/br_multicast.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1e16828020c674b3be85f52685e8b80f9008f50f
	https://git.kernel.org/stable/c/0d8b26e10e680c01522d7cc14abe04c3265a928f
	https://git.kernel.org/stable/c/e3145ca904fa8dbfd1a5bf0187905bc117b0efce
	https://git.kernel.org/stable/c/b2f794b168cf560682ff976b255aa6d29d14a658
	https://git.kernel.org/stable/c/92c4ee25208d0f35dafc3213cdf355fbe449e078