cve/published/2024/CVE-2024-50278.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50278: dm cache: fix potential out-of-bounds access on the first resume

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 dm cache: fix potential out-of-bounds access on the first resume

 Out-of-bounds access occurs if the fast device is expanded unexpectedly
 before the first-time resume of the cache table. This happens because
 expanding the fast device requires reloading the cache table for
 cache_create to allocate new in-core data structures that fit the new
 size, and the check in cache_preresume is not performed during the
 first resume, leading to the issue.

 Reproduce steps:

 1. prepare component devices:

 dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
 dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
 dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
 dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct

 2. load a cache table of 512 cache blocks, and deliberately expand the
    fast device before resuming the cache, making the in-core data
    structures inadequate.

 dmsetup create cache --notable
 dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \
 /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
 dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192"
 dmsetup resume cdata
 dmsetup resume cache

 3. suspend the cache to write out the in-core dirty bitset and hint
    array, leading to out-of-bounds access to the dirty bitset at offset
    0x40:

 dmsetup suspend cache

 KASAN reports:

   BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80
   Read of size 8 at addr ffffc90000085040 by task dmsetup/90

   (...snip...)
   The buggy address belongs to the virtual mapping at
    [ffffc90000085000, ffffc90000087000) created by:
    cache_ctr+0x176a/0x35f0

   (...snip...)
   Memory state around the buggy address:
    ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
                                              ^
    ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

 Fix by checking the size change on the first resume.

 The Linux kernel CVE team has assigned CVE-2024-50278 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 4.19.324 with commit e492f71854ce03474d49e87fd98b8df1f7cd1d2d
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 5.4.286 with commit 2222b0929d00e2d13732b799b63be391b5de4492
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 5.10.230 with commit 483b7261b35a9d369082ab298a6670912243f0be
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 5.15.172 with commit fdef3b94dfebd57e3077a578b6e309a2bb6fa688
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.1.117 with commit c52ec00cb2f9bebfada22edcc0db385b910a1cdb
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.6.61 with commit 036dd6e3d2638103e0092864577ea1d091466b86
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.11.8 with commit 13ed3624c6ef283acefa4cc42cc8ae54fd4391a4
 	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.12 with commit c0ade5d98979585d4f5a93e4514c2e9a65afa08d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50278
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/md/dm-cache-target.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e492f71854ce03474d49e87fd98b8df1f7cd1d2d
 	https://git.kernel.org/stable/c/2222b0929d00e2d13732b799b63be391b5de4492
 	https://git.kernel.org/stable/c/483b7261b35a9d369082ab298a6670912243f0be
 	https://git.kernel.org/stable/c/fdef3b94dfebd57e3077a578b6e309a2bb6fa688
 	https://git.kernel.org/stable/c/c52ec00cb2f9bebfada22edcc0db385b910a1cdb
 	https://git.kernel.org/stable/c/036dd6e3d2638103e0092864577ea1d091466b86
 	https://git.kernel.org/stable/c/13ed3624c6ef283acefa4cc42cc8ae54fd4391a4
 	https://git.kernel.org/stable/c/c0ade5d98979585d4f5a93e4514c2e9a65afa08d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50278: dm cache: fix potential out-of-bounds access on the first resume

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	dm cache: fix potential out-of-bounds access on the first resume

	Out-of-bounds access occurs if the fast device is expanded unexpectedly
	before the first-time resume of the cache table. This happens because
	expanding the fast device requires reloading the cache table for
	cache_create to allocate new in-core data structures that fit the new
	size, and the check in cache_preresume is not performed during the
	first resume, leading to the issue.

	Reproduce steps:

	1. prepare component devices:

	dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
	dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
	dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
	dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct

	2. load a cache table of 512 cache blocks, and deliberately expand the
	fast device before resuming the cache, making the in-core data
	structures inadequate.

	dmsetup create cache --notable
	dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \
	/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
	dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192"
	dmsetup resume cdata
	dmsetup resume cache

	3. suspend the cache to write out the in-core dirty bitset and hint
	array, leading to out-of-bounds access to the dirty bitset at offset
	0x40:

	dmsetup suspend cache

	KASAN reports:

	BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80
	Read of size 8 at addr ffffc90000085040 by task dmsetup/90

	(...snip...)
	The buggy address belongs to the virtual mapping at
	[ffffc90000085000, ffffc90000087000) created by:
	cache_ctr+0x176a/0x35f0

	(...snip...)
	Memory state around the buggy address:
	ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
	ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
	>ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
	^
	ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
	ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

	Fix by checking the size change on the first resume.

	The Linux kernel CVE team has assigned CVE-2024-50278 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 4.19.324 with commit e492f71854ce03474d49e87fd98b8df1f7cd1d2d
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 5.4.286 with commit 2222b0929d00e2d13732b799b63be391b5de4492
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 5.10.230 with commit 483b7261b35a9d369082ab298a6670912243f0be
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 5.15.172 with commit fdef3b94dfebd57e3077a578b6e309a2bb6fa688
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.1.117 with commit c52ec00cb2f9bebfada22edcc0db385b910a1cdb
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.6.61 with commit 036dd6e3d2638103e0092864577ea1d091466b86
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.11.8 with commit 13ed3624c6ef283acefa4cc42cc8ae54fd4391a4
	Issue introduced in 3.13 with commit f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 and fixed in 6.12 with commit c0ade5d98979585d4f5a93e4514c2e9a65afa08d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50278
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/md/dm-cache-target.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e492f71854ce03474d49e87fd98b8df1f7cd1d2d
	https://git.kernel.org/stable/c/2222b0929d00e2d13732b799b63be391b5de4492
	https://git.kernel.org/stable/c/483b7261b35a9d369082ab298a6670912243f0be
	https://git.kernel.org/stable/c/fdef3b94dfebd57e3077a578b6e309a2bb6fa688
	https://git.kernel.org/stable/c/c52ec00cb2f9bebfada22edcc0db385b910a1cdb
	https://git.kernel.org/stable/c/036dd6e3d2638103e0092864577ea1d091466b86
	https://git.kernel.org/stable/c/13ed3624c6ef283acefa4cc42cc8ae54fd4391a4
	https://git.kernel.org/stable/c/c0ade5d98979585d4f5a93e4514c2e9a65afa08d