From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-53097: mm: krealloc: Fix MTE false alarm in __do_krealloc
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
mm: krealloc: Fix MTE false alarm in __do_krealloc
This patch addresses an issue introduced by commit 1a83a716ec233 ("mm:
krealloc: consider spare memory for __GFP_ZERO") which causes MTE
(Memory Tagging Extension) to falsely report a slab-out-of-bounds error.
The problem occurs when zeroing out spare memory in __do_krealloc. The
original code only considered software-based KASAN and did not account
for MTE. It does not reset the KASAN tag before calling memset, leading
to a mismatch between the pointer tag and the memory tag, resulting
in a false positive.
Example of the error:
==================================================================
swapper/0: BUG: KASAN: slab-out-of-bounds in __memset+0x84/0x188
swapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1
swapper/0: Pointer tag: [f4], memory tag: [fe]
swapper/0:
swapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.
swapper/0: Hardware name: MT6991(ENG) (DT)
swapper/0: Call trace:
swapper/0: dump_backtrace+0xfc/0x17c
swapper/0: show_stack+0x18/0x28
swapper/0: dump_stack_lvl+0x40/0xa0
swapper/0: print_report+0x1b8/0x71c
swapper/0: kasan_report+0xec/0x14c
swapper/0: __do_kernel_fault+0x60/0x29c
swapper/0: do_bad_area+0x30/0xdc
swapper/0: do_tag_check_fault+0x20/0x34
swapper/0: do_mem_abort+0x58/0x104
swapper/0: el1_abort+0x3c/0x5c
swapper/0: el1h_64_sync_handler+0x80/0xcc
swapper/0: el1h_64_sync+0x68/0x6c
swapper/0: __memset+0x84/0x188
swapper/0: btf_populate_kfunc_set+0x280/0x3d8
swapper/0: __register_btf_kfunc_id_set+0x43c/0x468
swapper/0: register_btf_kfunc_id_set+0x48/0x60
swapper/0: register_nf_nat_bpf+0x1c/0x40
swapper/0: nf_nat_init+0xc0/0x128
swapper/0: do_one_initcall+0x184/0x464
swapper/0: do_initcall_level+0xdc/0x1b0
swapper/0: do_initcalls+0x70/0xc0
swapper/0: do_basic_setup+0x1c/0x28
swapper/0: kernel_init_freeable+0x144/0x1b8
swapper/0: kernel_init+0x20/0x1a8
swapper/0: ret_from_fork+0x10/0x20
==================================================================
The Linux kernel CVE team has assigned CVE-2024-53097 to this issue.
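To make the pointer-tag versus memory-tag mismatch concrete, the following is a small user-space model added to this page; it is not kernel code and calls no kernel API. It mimics what the hardware does: a pointer carries its tag in the top byte, memory is tagged per 16-byte granule, and a tag-checked store faults on the first granule whose tag differs from the pointer tag. kasan_disable_current() only silences software KASAN and does not stop such a hardware check, which is why the description says the original code "only considered software-based KASAN". The only kernel name borrowed is kasan_reset_tag(), the helper that resets a pointer's KASAN tag to the match-all value; the fixed path of the model does what the description calls for, resetting the tag before the memset. Everything else (the arena, the tag values, the object and slab sizes, every function name) is invented for the example; the pointer tag 0xf4 and memory tag 0xfe are taken from the splat above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model invented for this example: 16-byte tag granules, a pointer tag in the top
 * byte, stores fault on mismatch unless the pointer carries the match-all tag 0xff. */
#define GRANULE     16
#define ARENA_SIZE  256
#define TAG_SHIFT   56
#define TAG_KERNEL  0xff  /* match-all tag kasan_reset_tag() installs: not tag-checked */
#define TAG_INVALID 0xfe  /* tag on poisoned/spare memory ("memory tag: [fe]") */

typedef uint64_t tptr;    /* tagged "pointer": top byte = tag, low bits = offset */
static uint8_t arena[ARENA_SIZE];
static uint8_t mem_tag[ARENA_SIZE / GRANULE];
static tptr    make_tptr(size_t off, uint8_t tag) { return ((tptr)tag << TAG_SHIFT) | off; }
static uint8_t tptr_tag(tptr p) { return (uint8_t)(p >> TAG_SHIFT); }
static size_t  tptr_off(tptr p) { return (size_t)(p & ((1ULL << TAG_SHIFT) - 1)); }
static size_t  granules(size_t n) { return (n + GRANULE - 1) / GRANULE; }
/* Stand-in for kasan_reset_tag(): same address, match-all tag. */
static tptr    reset_tag(tptr p) { return make_tptr(tptr_off(p), TAG_KERNEL); }

static void tag_range(size_t off, size_t len, uint8_t tag)
{
	for (size_t g = off / GRANULE; g < granules(off + len); g++)
		mem_tag[g] = tag;
}

/* Tag-checked store, byte by byte like a synchronous MTE check: stops at the
 * first granule whose tag differs from the pointer tag and reports the offset. */
static bool checked_memset(tptr p, int c, size_t n, size_t *fault_off)
{
	uint8_t tag = tptr_tag(p);
	size_t off = tptr_off(p);
	for (size_t i = 0; i < n; i++) {
		size_t a = off + i;
		if (a >= ARENA_SIZE)
			return false;
		if (tag != TAG_KERNEL && mem_tag[a / GRANULE] != tag) {
			if (fault_off)
				*fault_off = a;
			return false;
		}
		arena[a] = (uint8_t)c;
	}
	return true;
}

/* Toy kmalloc: object at offset 0 of a ks-byte slab; [0,size) gets the pointer
 * tag, the spare [size,ks) is poisoned; arena prefilled with constructed 0xaa. */
static tptr toy_kmalloc(size_t size, size_t ks, uint8_t tag)
{
	size_t used = granules(size) * GRANULE;
	memset(arena, 0xaa, ARENA_SIZE);
	tag_range(0, used, tag);
	tag_range(used, ks - used, TAG_INVALID);
	return make_tptr(0, tag);
}

static bool arena_all(size_t off, size_t len, uint8_t val)
{
	for (size_t i = 0; i < len; i++)
		if (arena[off + i] != val)
			return false;
	return true;
}

/* Scenario (sizes assumed): 64-byte object in a 128-byte slab, pointer tag 0xf4
 * as in the splat above, then krealloc'd down to 32 bytes with __GFP_ZERO. */
enum { KS = 128, OLD_SIZE = 64, NEW_SIZE = 32, OBJ_TAG = 0xf4 };

/* Buggy path, memset through the still-tagged pointer: returns the offset of
 * the tag check fault, or -1 if the memset completed. */
static long buggy_fault_offset(void)
{
	tptr p = toy_kmalloc(OLD_SIZE, KS, OBJ_TAG);
	size_t off = 0;
	if (checked_memset(p + NEW_SIZE, 0, KS - NEW_SIZE, &off))
		return -1;
	return (long)off;
}

/* Fixed path, pointer tag reset first: true if no fault and only [NEW_SIZE, KS) was zeroed. */
static bool fixed_zeroes_spare(void)
{
	tptr p = toy_kmalloc(OLD_SIZE, KS, OBJ_TAG);
	return checked_memset(reset_tag(p) + NEW_SIZE, 0, KS - NEW_SIZE, NULL) &&
	       arena_all(0, NEW_SIZE, 0xaa) && arena_all(NEW_SIZE, KS - NEW_SIZE, 0);
}

int main(void)
{
	printf("buggy path: tag check fault at offset %ld\n", buggy_fault_offset());
	printf("fixed path: %s\n", fixed_zeroes_spare() ? "spare zeroed, no fault" : "unexpected");
	return 0;
}
```

Built with any C11 compiler, the buggy path faults at offset 64, the first byte of the spare that was tagged 0xfe when the object was allocated at 64 bytes, even though the write is still inside the 128-byte slab; that is the "slab-out-of-bounds" the splat reports. The fixed path writes the same bytes through a match-all pointer and completes, leaving bytes 32 through 127 zeroed and the live object untouched. On real hardware the tag is 4 bits and the kernel reports it with a 0xf prefix, and the match-all behaviour of tag 0xf comes from the MTE TCMA configuration rather than an explicit compare; the model flattens both into an 8-bit tag and one comparison.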
Affected and fixed versions
===========================
Issue introduced in 5.10.227 with commit a543785856249a5ba8c20468098601c0c33b1224 and fixed in 5.10.230 with commit d02492863023431c31f85d570f718433c22b9311
Issue introduced in 5.15.168 with commit 44f79667fefd52945a44d2a57a2cd3c554d7f4e0 and fixed in 5.15.173 with commit d43f1430d47c22a0727c05b6f156ed25fecdfeb4
Issue introduced in 6.1.113 with commit f8767d10bcbc2529540eb906906c0058e15cd918 and fixed in 6.1.118 with commit 486aeb5f1855c75dd810c25036134961bd2a6722
Issue introduced in 6.6.55 with commit e3a9fc1520a6606c6121aca8d6679c6b93de7fd8 and fixed in 6.6.62 with commit 71548fada7ee0eb50cc6ccda82dff010c745f92c
Issue introduced in 6.11.3 with commit 3e9a65a38706866bf93e19f5b4936465188add10 and fixed in 6.11.9 with commit 3dfb40da84f26dd35dd9bbaf626a2424565b8406
Issue introduced in 6.10.14 with commit 73388659ef0eea51747350530afdeadf8809ce9c
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-53097
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
mm/slab_common.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/8ebee7565effdeae6085458f8f8463363120a871
https://git.kernel.org/stable/c/d02492863023431c31f85d570f718433c22b9311
https://git.kernel.org/stable/c/d43f1430d47c22a0727c05b6f156ed25fecdfeb4
https://git.kernel.org/stable/c/486aeb5f1855c75dd810c25036134961bd2a6722
https://git.kernel.org/stable/c/71548fada7ee0eb50cc6ccda82dff010c745f92c
https://git.kernel.org/stable/c/3dfb40da84f26dd35dd9bbaf626a2424565b8406
https://git.kernel.org/stable/c/704573851b51808b45dae2d62059d1d8189138a2