cve/published/2024/CVE-2024-50155.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50155: netdevsim: use cond_resched() in nsim_dev_trap_report_work()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netdevsim: use cond_resched() in nsim_dev_trap_report_work()

 I am still seeing many syzbot reports hinting that syzbot
 might fool nsim_dev_trap_report_work() with hundreds of ports [1]

 Lets use cond_resched(), and system_unbound_wq
 instead of implicit system_wq.

 [1]
 INFO: task syz-executor:20633 blocked for more than 143 seconds.
       Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0
 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
 task:syz-executor    state:D stack:25856 pid:20633 tgid:20633 ppid:1      flags:0x00004006
 ...
 NMI backtrace for cpu 1
 CPU: 1 UID: 0 PID: 16760 Comm: kworker/1:0 Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
 Workqueue: events nsim_dev_trap_report_work
  RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:210
 Code: 89 fb e8 23 00 00 00 48 8b 3d 04 fb 9c 0c 48 89 de 5b e9 c3 c7 5d 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0c 25 c0 d7 03 00 65 8b 15 60 f0
 RSP: 0018:ffffc90000a187e8 EFLAGS: 00000246
 RAX: 0000000000000100 RBX: ffffc90000a188e0 RCX: ffff888027d3bc00
 RDX: ffff888027d3bc00 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: ffff88804a2e6000 R08: ffffffff8a4bc495 R09: ffffffff89da3577
 R10: 0000000000000004 R11: ffffffff8a4bc2b0 R12: dffffc0000000000
 R13: ffff88806573b503 R14: dffffc0000000000 R15: ffff8880663cca00
 FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007fc90a747f98 CR3: 000000000e734000 CR4: 00000000003526f0
 DR0: 0000000000000000 DR1: 000000000000002b DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
 Call Trace:
  <NMI>
  </NMI>
  <TASK>
   __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
   spin_unlock_bh include/linux/spinlock.h:396 [inline]
   nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
   nsim_dev_trap_report_work+0x75d/0xaa0 drivers/net/netdevsim/dev.c:850
   process_one_work kernel/workqueue.c:3229 [inline]
   process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
   worker_thread+0x870/0xd30 kernel/workqueue.c:3391
   kthread+0x2f0/0x390 kernel/kthread.c:389
   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
  </TASK>

 The Linux kernel CVE team has assigned CVE-2024-50155 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1.78 with commit 0193e0660cc6689c794794b471492923cfd7bfbc and fixed in 6.1.115 with commit 24973f4b64f93232a48fe78029385de762a2418d
 	Issue introduced in 6.6.17 with commit 6eecddd9c3c8d6e3a097531cdc6d500335b35e46 and fixed in 6.6.59 with commit 681ce79ab6fba2f8d1c5ea60239f0086baebd0d3
 	Issue introduced in 6.8 with commit ba5e1272142d051dcc57ca1d3225ad8a089f9858 and fixed in 6.11.6 with commit 32f054f93937b548c61b3bf57d8f4aefc50f3b16
 	Issue introduced in 6.8 with commit ba5e1272142d051dcc57ca1d3225ad8a089f9858 and fixed in 6.12 with commit a1494d532e28598bde7a5544892ef9c7dbfafa93
 	Issue introduced in 6.7.5 with commit d91964cdada76740811b7c621239f9c407820dbc

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50155
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/netdevsim/dev.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/24973f4b64f93232a48fe78029385de762a2418d
 	https://git.kernel.org/stable/c/681ce79ab6fba2f8d1c5ea60239f0086baebd0d3
 	https://git.kernel.org/stable/c/32f054f93937b548c61b3bf57d8f4aefc50f3b16
 	https://git.kernel.org/stable/c/a1494d532e28598bde7a5544892ef9c7dbfafa93
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50155: netdevsim: use cond_resched() in nsim_dev_trap_report_work()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netdevsim: use cond_resched() in nsim_dev_trap_report_work()

	I am still seeing many syzbot reports hinting that syzbot
	might fool nsim_dev_trap_report_work() with hundreds of ports [1]

	Lets use cond_resched(), and system_unbound_wq
	instead of implicit system_wq.

	[1]
	INFO: task syz-executor:20633 blocked for more than 143 seconds.
	Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0
	"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
	task:syz-executor state:D stack:25856 pid:20633 tgid:20633 ppid:1 flags:0x00004006
	...
	NMI backtrace for cpu 1
	CPU: 1 UID: 0 PID: 16760 Comm: kworker/1:0 Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
	Workqueue: events nsim_dev_trap_report_work
	RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:210
	Code: 89 fb e8 23 00 00 00 48 8b 3d 04 fb 9c 0c 48 89 de 5b e9 c3 c7 5d 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0c 25 c0 d7 03 00 65 8b 15 60 f0
	RSP: 0018:ffffc90000a187e8 EFLAGS: 00000246
	RAX: 0000000000000100 RBX: ffffc90000a188e0 RCX: ffff888027d3bc00
	RDX: ffff888027d3bc00 RSI: 0000000000000000 RDI: 0000000000000000
	RBP: ffff88804a2e6000 R08: ffffffff8a4bc495 R09: ffffffff89da3577
	R10: 0000000000000004 R11: ffffffff8a4bc2b0 R12: dffffc0000000000
	R13: ffff88806573b503 R14: dffffc0000000000 R15: ffff8880663cca00
	FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007fc90a747f98 CR3: 000000000e734000 CR4: 00000000003526f0
	DR0: 0000000000000000 DR1: 000000000000002b DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
	Call Trace:
	<NMI>
	</NMI>
	<TASK>
	__local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
	spin_unlock_bh include/linux/spinlock.h:396 [inline]
	nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
	nsim_dev_trap_report_work+0x75d/0xaa0 drivers/net/netdevsim/dev.c:850
	process_one_work kernel/workqueue.c:3229 [inline]
	process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
	worker_thread+0x870/0xd30 kernel/workqueue.c:3391
	kthread+0x2f0/0x390 kernel/kthread.c:389
	ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-50155 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1.78 with commit 0193e0660cc6689c794794b471492923cfd7bfbc and fixed in 6.1.115 with commit 24973f4b64f93232a48fe78029385de762a2418d
	Issue introduced in 6.6.17 with commit 6eecddd9c3c8d6e3a097531cdc6d500335b35e46 and fixed in 6.6.59 with commit 681ce79ab6fba2f8d1c5ea60239f0086baebd0d3
	Issue introduced in 6.8 with commit ba5e1272142d051dcc57ca1d3225ad8a089f9858 and fixed in 6.11.6 with commit 32f054f93937b548c61b3bf57d8f4aefc50f3b16
	Issue introduced in 6.8 with commit ba5e1272142d051dcc57ca1d3225ad8a089f9858 and fixed in 6.12 with commit a1494d532e28598bde7a5544892ef9c7dbfafa93
	Issue introduced in 6.7.5 with commit d91964cdada76740811b7c621239f9c407820dbc

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50155
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/netdevsim/dev.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/24973f4b64f93232a48fe78029385de762a2418d
	https://git.kernel.org/stable/c/681ce79ab6fba2f8d1c5ea60239f0086baebd0d3
	https://git.kernel.org/stable/c/32f054f93937b548c61b3bf57d8f4aefc50f3b16
	https://git.kernel.org/stable/c/a1494d532e28598bde7a5544892ef9c7dbfafa93