cve/published/2024/CVE-2024-49885.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49885: mm, slub: avoid zeroing kmalloc redzone

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm, slub: avoid zeroing kmalloc redzone

 Since commit 946fa0dbf2d8 ("mm/slub: extend redzone check to extra
 allocated kmalloc space than requested"), setting orig_size treats
 the wasted space (object_size - orig_size) as a redzone. However with
 init_on_free=1 we clear the full object->size, including the redzone.

 Additionally we clear the object metadata, including the stored orig_size,
 making it zero, which makes check_object() treat the whole object as a
 redzone.

 These issues lead to the following BUG report with "slub_debug=FUZ
 init_on_free=1":

 [    0.000000] =============================================================================
 [    0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten
 [    0.000000] -----------------------------------------------------------------------------
 [    0.000000]
 [    0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc
 [    0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc
 [    0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset|node=0|zone=0|lastcpupid=0x1ffff)
 [    0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8
 [    0.000000]
 [    0.000000] Redzone  ffff000010032850: cc cc cc cc cc cc cc cc                          ........
 [    0.000000] Object   ffff000010032858: cc cc cc cc cc cc cc cc                          ........
 [    0.000000] Redzone  ffff000010032860: cc cc cc cc cc cc cc cc                          ........
 [    0.000000] Padding  ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00              ............
 [    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 #144
 [    0.000000] Hardware name: NXP i.MX95 19X19 board (DT)
 [    0.000000] Call trace:
 [    0.000000]  dump_backtrace+0x90/0xe8
 [    0.000000]  show_stack+0x18/0x24
 [    0.000000]  dump_stack_lvl+0x74/0x8c
 [    0.000000]  dump_stack+0x18/0x24
 [    0.000000]  print_trailer+0x150/0x218
 [    0.000000]  check_object+0xe4/0x454
 [    0.000000]  free_to_partial_list+0x2f8/0x5ec

 To address the issue, use orig_size to clear the used area. And restore
 the value of orig_size after clear the remaining area.

 When CONFIG_SLUB_DEBUG not defined, (get_orig_size()' directly returns
 s->object_size. So when using memset to init the area, the size can simply
 be orig_size, as orig_size returns object_size when CONFIG_SLUB_DEBUG not
 enabled. And orig_size can never be bigger than object_size.

 The Linux kernel CVE team has assigned CVE-2024-49885 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.2 with commit 946fa0dbf2d8923a587f7348adf16563d59f1b3d and fixed in 6.10.14 with commit 7a2e823a19746d54052c625faecf0d2d6c52ee0a
 	Issue introduced in 6.2 with commit 946fa0dbf2d8923a587f7348adf16563d59f1b3d and fixed in 6.11.3 with commit 83f0440b2f92227fcce9898118ca7fe7e0d64b1f
 	Issue introduced in 6.2 with commit 946fa0dbf2d8923a587f7348adf16563d59f1b3d and fixed in 6.12 with commit 59090e479ac78ae18facd4c58eb332562a23020e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49885
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/slub.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7a2e823a19746d54052c625faecf0d2d6c52ee0a
 	https://git.kernel.org/stable/c/83f0440b2f92227fcce9898118ca7fe7e0d64b1f
 	https://git.kernel.org/stable/c/59090e479ac78ae18facd4c58eb332562a23020e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49885: mm, slub: avoid zeroing kmalloc redzone

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm, slub: avoid zeroing kmalloc redzone

	Since commit 946fa0dbf2d8 ("mm/slub: extend redzone check to extra
	allocated kmalloc space than requested"), setting orig_size treats
	the wasted space (object_size - orig_size) as a redzone. However with
	init_on_free=1 we clear the full object->size, including the redzone.

	Additionally we clear the object metadata, including the stored orig_size,
	making it zero, which makes check_object() treat the whole object as a
	redzone.

	These issues lead to the following BUG report with "slub_debug=FUZ
	init_on_free=1":

	[ 0.000000] =============================================================================
	[ 0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten
	[ 0.000000] -----------------------------------------------------------------------------
	[ 0.000000]
	[ 0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc
	[ 0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc
	[ 0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset\|node=0\|zone=0\|lastcpupid=0x1ffff)
	[ 0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8
	[ 0.000000]
	[ 0.000000] Redzone ffff000010032850: cc cc cc cc cc cc cc cc ........
	[ 0.000000] Object ffff000010032858: cc cc cc cc cc cc cc cc ........
	[ 0.000000] Redzone ffff000010032860: cc cc cc cc cc cc cc cc ........
	[ 0.000000] Padding ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00 ............
	[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 #144
	[ 0.000000] Hardware name: NXP i.MX95 19X19 board (DT)
	[ 0.000000] Call trace:
	[ 0.000000] dump_backtrace+0x90/0xe8
	[ 0.000000] show_stack+0x18/0x24
	[ 0.000000] dump_stack_lvl+0x74/0x8c
	[ 0.000000] dump_stack+0x18/0x24
	[ 0.000000] print_trailer+0x150/0x218
	[ 0.000000] check_object+0xe4/0x454
	[ 0.000000] free_to_partial_list+0x2f8/0x5ec

	To address the issue, use orig_size to clear the used area. And restore
	the value of orig_size after clear the remaining area.

	When CONFIG_SLUB_DEBUG not defined, (get_orig_size()' directly returns
	s->object_size. So when using memset to init the area, the size can simply
	be orig_size, as orig_size returns object_size when CONFIG_SLUB_DEBUG not
	enabled. And orig_size can never be bigger than object_size.

	The Linux kernel CVE team has assigned CVE-2024-49885 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.2 with commit 946fa0dbf2d8923a587f7348adf16563d59f1b3d and fixed in 6.10.14 with commit 7a2e823a19746d54052c625faecf0d2d6c52ee0a
	Issue introduced in 6.2 with commit 946fa0dbf2d8923a587f7348adf16563d59f1b3d and fixed in 6.11.3 with commit 83f0440b2f92227fcce9898118ca7fe7e0d64b1f
	Issue introduced in 6.2 with commit 946fa0dbf2d8923a587f7348adf16563d59f1b3d and fixed in 6.12 with commit 59090e479ac78ae18facd4c58eb332562a23020e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49885
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/slub.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7a2e823a19746d54052c625faecf0d2d6c52ee0a
	https://git.kernel.org/stable/c/83f0440b2f92227fcce9898118ca7fe7e0d64b1f
	https://git.kernel.org/stable/c/59090e479ac78ae18facd4c58eb332562a23020e