cve/published/2024/CVE-2024-46735.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46735: ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()

 When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the
 first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers
 WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference
 issue.

 Fix it by adding the check in ublk_ctrl_start_recovery() and return
 immediately in case of zero 'ub->nr_queues_ready'.

   BUG: kernel NULL pointer dereference, address: 0000000000000028
   RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180
   Call Trace:
    <TASK>
    ? __die+0x20/0x70
    ? page_fault_oops+0x75/0x170
    ? exc_page_fault+0x64/0x140
    ? asm_exc_page_fault+0x22/0x30
    ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180
    ublk_ctrl_uring_cmd+0x4f7/0x6c0
    ? pick_next_task_idle+0x26/0x40
    io_uring_cmd+0x9a/0x1b0
    io_issue_sqe+0x193/0x3f0
    io_wq_submit_work+0x9b/0x390
    io_worker_handle_work+0x165/0x360
    io_wq_worker+0xcb/0x2f0
    ? finish_task_switch.isra.0+0x203/0x290
    ? finish_task_switch.isra.0+0x203/0x290
    ? __pfx_io_wq_worker+0x10/0x10
    ret_from_fork+0x2d/0x50
    ? __pfx_io_wq_worker+0x10/0x10
    ret_from_fork_asm+0x1a/0x30
    </TASK>

 The Linux kernel CVE team has assigned CVE-2024-46735 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1 with commit c732a852b419fa057b53657e2daaf9433940391c and fixed in 6.1.110 with commit ca249435893dda766f3845c15ca77ca5672022d8
 	Issue introduced in 6.1 with commit c732a852b419fa057b53657e2daaf9433940391c and fixed in 6.6.51 with commit 136a29d8112df4ea0a57f9602ddf3579e04089dc
 	Issue introduced in 6.1 with commit c732a852b419fa057b53657e2daaf9433940391c and fixed in 6.10.10 with commit 7c890ef60bf417d3fe5c6f7a9f6cef0e1d77f74f
 	Issue introduced in 6.1 with commit c732a852b419fa057b53657e2daaf9433940391c and fixed in 6.11 with commit e58f5142f88320a5b1449f96a146f2f24615c5c7

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46735
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/block/ublk_drv.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ca249435893dda766f3845c15ca77ca5672022d8
 	https://git.kernel.org/stable/c/136a29d8112df4ea0a57f9602ddf3579e04089dc
 	https://git.kernel.org/stable/c/7c890ef60bf417d3fe5c6f7a9f6cef0e1d77f74f
 	https://git.kernel.org/stable/c/e58f5142f88320a5b1449f96a146f2f24615c5c7
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46735: ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()

	When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the
	first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers
	WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference
	issue.

	Fix it by adding the check in ublk_ctrl_start_recovery() and return
	immediately in case of zero 'ub->nr_queues_ready'.

	BUG: kernel NULL pointer dereference, address: 0000000000000028
	RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180
	Call Trace:
	<TASK>
	? __die+0x20/0x70
	? page_fault_oops+0x75/0x170
	? exc_page_fault+0x64/0x140
	? asm_exc_page_fault+0x22/0x30
	? ublk_ctrl_start_recovery.constprop.0+0x82/0x180
	ublk_ctrl_uring_cmd+0x4f7/0x6c0
	? pick_next_task_idle+0x26/0x40
	io_uring_cmd+0x9a/0x1b0
	io_issue_sqe+0x193/0x3f0
	io_wq_submit_work+0x9b/0x390
	io_worker_handle_work+0x165/0x360
	io_wq_worker+0xcb/0x2f0
	? finish_task_switch.isra.0+0x203/0x290
	? finish_task_switch.isra.0+0x203/0x290
	? __pfx_io_wq_worker+0x10/0x10
	ret_from_fork+0x2d/0x50
	? __pfx_io_wq_worker+0x10/0x10
	ret_from_fork_asm+0x1a/0x30
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-46735 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1 with commit c732a852b419fa057b53657e2daaf9433940391c and fixed in 6.1.110 with commit ca249435893dda766f3845c15ca77ca5672022d8
	Issue introduced in 6.1 with commit c732a852b419fa057b53657e2daaf9433940391c and fixed in 6.6.51 with commit 136a29d8112df4ea0a57f9602ddf3579e04089dc
	Issue introduced in 6.1 with commit c732a852b419fa057b53657e2daaf9433940391c and fixed in 6.10.10 with commit 7c890ef60bf417d3fe5c6f7a9f6cef0e1d77f74f
	Issue introduced in 6.1 with commit c732a852b419fa057b53657e2daaf9433940391c and fixed in 6.11 with commit e58f5142f88320a5b1449f96a146f2f24615c5c7

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46735
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/block/ublk_drv.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ca249435893dda766f3845c15ca77ca5672022d8
	https://git.kernel.org/stable/c/136a29d8112df4ea0a57f9602ddf3579e04089dc
	https://git.kernel.org/stable/c/7c890ef60bf417d3fe5c6f7a9f6cef0e1d77f74f
	https://git.kernel.org/stable/c/e58f5142f88320a5b1449f96a146f2f24615c5c7