cve/published/2024/CVE-2024-47709.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47709: can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().

 syzbot reported a warning in bcm_release(). [0]

 The blamed change fixed another warning that is triggered when
 connect() is issued again for a socket whose connect()ed device has
 been unregistered.

 However, if the socket is just close()d without the 2nd connect(), the
 remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()
 in bcm_release().

 Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().

 [0]
 name '4986'
 WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
 Modules linked in:
 CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
 RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
 Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
 RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
 RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
 R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
 R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
 FS:  0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  bcm_release+0x250/0x880 net/can/bcm.c:1578
  __sock_release net/socket.c:659 [inline]
  sock_close+0xbc/0x240 net/socket.c:1421
  __fput+0x24a/0x8a0 fs/file_table.c:422
  task_work_run+0x24f/0x310 kernel/task_work.c:228
  exit_task_work include/linux/task_work.h:40 [inline]
  do_exit+0xa2f/0x27f0 kernel/exit.c:882
  do_group_exit+0x207/0x2c0 kernel/exit.c:1031
  __do_sys_exit_group kernel/exit.c:1042 [inline]
  __se_sys_exit_group kernel/exit.c:1040 [inline]
  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
  x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7fcfb51ee969
 Code: Unable to access opcode bytes at 0x7fcfb51ee93f.
 RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969
 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
 RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000
 R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0
 R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160
  </TASK>

 The Linux kernel CVE team has assigned CVE-2024-47709 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19.322 with commit 5c680022c4e28ba18ea500f3e29f0428271afa92 and fixed in 4.19.323 with commit f5059fae5ed518fc56494ce5bdd4f5360de4b3bc
 	Issue introduced in 5.4.284 with commit 33ed4ba73caae39f34ab874ba79138badc2c65dd and fixed in 5.4.285 with commit a833da8eec20b51af39643faa7067b25c8b20f3e
 	Issue introduced in 5.10.226 with commit aec92dbebdbec7567d9f56d7c9296a572b8fd849 and fixed in 5.10.227 with commit 5cc00913c1fdcab861c4e65fa20d1f1e1bbbf977
 	Issue introduced in 5.15.167 with commit 10bfacbd5e8d821011d857bee73310457c9c989a and fixed in 5.15.168 with commit 9550baada4c8ef8cebefccc746384842820b4dff
 	Issue introduced in 6.1.110 with commit 3b39dc2901aa7a679a5ca981a3de9f8d5658afe8 and fixed in 6.1.113 with commit 7a145d6ec2124bdb94bd6fc436b342ff6ddf2b70
 	Issue introduced in 6.6.51 with commit 4377b79323df62eb5d310354f19b4d130ff58d50 and fixed in 6.6.54 with commit c3d941cc734e0c8dc486c062926d5249070af5e4
 	Issue introduced in 6.10.10 with commit abb0a615569ec008e8a93d9f3ab2d5b418ea94d4 and fixed in 6.10.13 with commit 770b463264426cc3c167b1d44efa85f6a526ce5b
 	Issue introduced in 6.11 with commit 76fe372ccb81b0c89b6cd2fec26e2f38c958be85 and fixed in 6.11.2 with commit b02ed2f01240b226570b4a19b5041d61f5125784
 	Issue introduced in 6.11 with commit 76fe372ccb81b0c89b6cd2fec26e2f38c958be85 and fixed in 6.12 with commit 94b0818fa63555a65f6ba107080659ea6bcca63e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47709
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/can/bcm.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f5059fae5ed518fc56494ce5bdd4f5360de4b3bc
 	https://git.kernel.org/stable/c/a833da8eec20b51af39643faa7067b25c8b20f3e
 	https://git.kernel.org/stable/c/5cc00913c1fdcab861c4e65fa20d1f1e1bbbf977
 	https://git.kernel.org/stable/c/9550baada4c8ef8cebefccc746384842820b4dff
 	https://git.kernel.org/stable/c/7a145d6ec2124bdb94bd6fc436b342ff6ddf2b70
 	https://git.kernel.org/stable/c/c3d941cc734e0c8dc486c062926d5249070af5e4
 	https://git.kernel.org/stable/c/770b463264426cc3c167b1d44efa85f6a526ce5b
 	https://git.kernel.org/stable/c/b02ed2f01240b226570b4a19b5041d61f5125784
 	https://git.kernel.org/stable/c/94b0818fa63555a65f6ba107080659ea6bcca63e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47709: can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().

	syzbot reported a warning in bcm_release(). [0]

	The blamed change fixed another warning that is triggered when
	connect() is issued again for a socket whose connect()ed device has
	been unregistered.

	However, if the socket is just close()d without the 2nd connect(), the
	remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()
	in bcm_release().

	Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().

	[0]
	name '4986'
	WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
	Modules linked in:
	CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
	RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
	Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
	RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
	RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
	RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
	RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
	R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
	R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
	FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	bcm_release+0x250/0x880 net/can/bcm.c:1578
	__sock_release net/socket.c:659 [inline]
	sock_close+0xbc/0x240 net/socket.c:1421
	__fput+0x24a/0x8a0 fs/file_table.c:422
	task_work_run+0x24f/0x310 kernel/task_work.c:228
	exit_task_work include/linux/task_work.h:40 [inline]
	do_exit+0xa2f/0x27f0 kernel/exit.c:882
	do_group_exit+0x207/0x2c0 kernel/exit.c:1031
	__do_sys_exit_group kernel/exit.c:1042 [inline]
	__se_sys_exit_group kernel/exit.c:1040 [inline]
	__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
	x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7fcfb51ee969
	Code: Unable to access opcode bytes at 0x7fcfb51ee93f.
	RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
	RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969
	RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
	RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000
	R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0
	R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-47709 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19.322 with commit 5c680022c4e28ba18ea500f3e29f0428271afa92 and fixed in 4.19.323 with commit f5059fae5ed518fc56494ce5bdd4f5360de4b3bc
	Issue introduced in 5.4.284 with commit 33ed4ba73caae39f34ab874ba79138badc2c65dd and fixed in 5.4.285 with commit a833da8eec20b51af39643faa7067b25c8b20f3e
	Issue introduced in 5.10.226 with commit aec92dbebdbec7567d9f56d7c9296a572b8fd849 and fixed in 5.10.227 with commit 5cc00913c1fdcab861c4e65fa20d1f1e1bbbf977
	Issue introduced in 5.15.167 with commit 10bfacbd5e8d821011d857bee73310457c9c989a and fixed in 5.15.168 with commit 9550baada4c8ef8cebefccc746384842820b4dff
	Issue introduced in 6.1.110 with commit 3b39dc2901aa7a679a5ca981a3de9f8d5658afe8 and fixed in 6.1.113 with commit 7a145d6ec2124bdb94bd6fc436b342ff6ddf2b70
	Issue introduced in 6.6.51 with commit 4377b79323df62eb5d310354f19b4d130ff58d50 and fixed in 6.6.54 with commit c3d941cc734e0c8dc486c062926d5249070af5e4
	Issue introduced in 6.10.10 with commit abb0a615569ec008e8a93d9f3ab2d5b418ea94d4 and fixed in 6.10.13 with commit 770b463264426cc3c167b1d44efa85f6a526ce5b
	Issue introduced in 6.11 with commit 76fe372ccb81b0c89b6cd2fec26e2f38c958be85 and fixed in 6.11.2 with commit b02ed2f01240b226570b4a19b5041d61f5125784
	Issue introduced in 6.11 with commit 76fe372ccb81b0c89b6cd2fec26e2f38c958be85 and fixed in 6.12 with commit 94b0818fa63555a65f6ba107080659ea6bcca63e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47709
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/can/bcm.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f5059fae5ed518fc56494ce5bdd4f5360de4b3bc
	https://git.kernel.org/stable/c/a833da8eec20b51af39643faa7067b25c8b20f3e
	https://git.kernel.org/stable/c/5cc00913c1fdcab861c4e65fa20d1f1e1bbbf977
	https://git.kernel.org/stable/c/9550baada4c8ef8cebefccc746384842820b4dff
	https://git.kernel.org/stable/c/7a145d6ec2124bdb94bd6fc436b342ff6ddf2b70
	https://git.kernel.org/stable/c/c3d941cc734e0c8dc486c062926d5249070af5e4
	https://git.kernel.org/stable/c/770b463264426cc3c167b1d44efa85f6a526ce5b
	https://git.kernel.org/stable/c/b02ed2f01240b226570b4a19b5041d61f5125784
	https://git.kernel.org/stable/c/94b0818fa63555a65f6ba107080659ea6bcca63e