cve/published/2024/CVE-2024-53128.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53128: sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers

 When CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the
 object_is_on_stack() function may produce incorrect results due to the
 presence of tags in the obj pointer, while the stack pointer does not have
 tags.  This discrepancy can lead to incorrect stack object detection and
 subsequently trigger warnings if CONFIG_DEBUG_OBJECTS is also enabled.

 Example of the warning:

 ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 1 at lib/debugobjects.c:557 __debug_object_init+0x330/0x364
 Modules linked in:
 CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5 #4
 Hardware name: linux,dummy-virt (DT)
 pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : __debug_object_init+0x330/0x364
 lr : __debug_object_init+0x330/0x364
 sp : ffff800082ea7b40
 x29: ffff800082ea7b40 x28: 98ff0000c0164518 x27: 98ff0000c0164534
 x26: ffff800082d93ec8 x25: 0000000000000001 x24: 1cff0000c00172a0
 x23: 0000000000000000 x22: ffff800082d93ed0 x21: ffff800081a24418
 x20: 3eff800082ea7bb0 x19: efff800000000000 x18: 0000000000000000
 x17: 00000000000000ff x16: 0000000000000047 x15: 206b63617473206e
 x14: 0000000000000018 x13: ffff800082ea7780 x12: 0ffff800082ea78e
 x11: 0ffff800082ea790 x10: 0ffff800082ea79d x9 : 34d77febe173e800
 x8 : 34d77febe173e800 x7 : 0000000000000001 x6 : 0000000000000001
 x5 : feff800082ea74b8 x4 : ffff800082870a90 x3 : ffff80008018d3c4
 x2 : 0000000000000001 x1 : ffff800082858810 x0 : 0000000000000050
 Call trace:
  __debug_object_init+0x330/0x364
  debug_object_init_on_stack+0x30/0x3c
  schedule_hrtimeout_range_clock+0xac/0x26c
  schedule_hrtimeout+0x1c/0x30
  wait_task_inactive+0x1d4/0x25c
  kthread_bind_mask+0x28/0x98
  init_rescuer+0x1e8/0x280
  workqueue_init+0x1a0/0x3cc
  kernel_init_freeable+0x118/0x200
  kernel_init+0x28/0x1f0
  ret_from_fork+0x10/0x20
 ---[ end trace 0000000000000000 ]---
 ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
 ------------[ cut here ]------------

 The Linux kernel CVE team has assigned CVE-2024-53128 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.15.181 with commit 82e813b12b10ff705f3f5d600d8492fc5248618b
 	Fixed in 6.1.125 with commit 397383db9c69470642ac95beb04f2150928d663b
 	Fixed in 6.6.69 with commit 2d2b19ed4169c38dc6c61a186c5f7bdafc709691
 	Fixed in 6.11.10 with commit fbfe23012cec509dfbe09852019c4e4bb84999d0
 	Fixed in 6.12 with commit fd7b4f9f46d46acbc7af3a439bb0d869efdc5c58

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53128
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/linux/sched/task_stack.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/82e813b12b10ff705f3f5d600d8492fc5248618b
 	https://git.kernel.org/stable/c/397383db9c69470642ac95beb04f2150928d663b
 	https://git.kernel.org/stable/c/2d2b19ed4169c38dc6c61a186c5f7bdafc709691
 	https://git.kernel.org/stable/c/fbfe23012cec509dfbe09852019c4e4bb84999d0
 	https://git.kernel.org/stable/c/fd7b4f9f46d46acbc7af3a439bb0d869efdc5c58
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53128: sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers

	When CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the
	object_is_on_stack() function may produce incorrect results due to the
	presence of tags in the obj pointer, while the stack pointer does not have
	tags. This discrepancy can lead to incorrect stack object detection and
	subsequently trigger warnings if CONFIG_DEBUG_OBJECTS is also enabled.

	Example of the warning:

	ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
	------------[ cut here ]------------
	WARNING: CPU: 0 PID: 1 at lib/debugobjects.c:557 __debug_object_init+0x330/0x364
	Modules linked in:
	CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5 #4
	Hardware name: linux,dummy-virt (DT)
	pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : __debug_object_init+0x330/0x364
	lr : __debug_object_init+0x330/0x364
	sp : ffff800082ea7b40
	x29: ffff800082ea7b40 x28: 98ff0000c0164518 x27: 98ff0000c0164534
	x26: ffff800082d93ec8 x25: 0000000000000001 x24: 1cff0000c00172a0
	x23: 0000000000000000 x22: ffff800082d93ed0 x21: ffff800081a24418
	x20: 3eff800082ea7bb0 x19: efff800000000000 x18: 0000000000000000
	x17: 00000000000000ff x16: 0000000000000047 x15: 206b63617473206e
	x14: 0000000000000018 x13: ffff800082ea7780 x12: 0ffff800082ea78e
	x11: 0ffff800082ea790 x10: 0ffff800082ea79d x9 : 34d77febe173e800
	x8 : 34d77febe173e800 x7 : 0000000000000001 x6 : 0000000000000001
	x5 : feff800082ea74b8 x4 : ffff800082870a90 x3 : ffff80008018d3c4
	x2 : 0000000000000001 x1 : ffff800082858810 x0 : 0000000000000050
	Call trace:
	__debug_object_init+0x330/0x364
	debug_object_init_on_stack+0x30/0x3c
	schedule_hrtimeout_range_clock+0xac/0x26c
	schedule_hrtimeout+0x1c/0x30
	wait_task_inactive+0x1d4/0x25c
	kthread_bind_mask+0x28/0x98
	init_rescuer+0x1e8/0x280
	workqueue_init+0x1a0/0x3cc
	kernel_init_freeable+0x118/0x200
	kernel_init+0x28/0x1f0
	ret_from_fork+0x10/0x20
	---[ end trace 0000000000000000 ]---
	ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
	------------[ cut here ]------------

	The Linux kernel CVE team has assigned CVE-2024-53128 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.15.181 with commit 82e813b12b10ff705f3f5d600d8492fc5248618b
	Fixed in 6.1.125 with commit 397383db9c69470642ac95beb04f2150928d663b
	Fixed in 6.6.69 with commit 2d2b19ed4169c38dc6c61a186c5f7bdafc709691
	Fixed in 6.11.10 with commit fbfe23012cec509dfbe09852019c4e4bb84999d0
	Fixed in 6.12 with commit fd7b4f9f46d46acbc7af3a439bb0d869efdc5c58

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53128
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/linux/sched/task_stack.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/82e813b12b10ff705f3f5d600d8492fc5248618b
	https://git.kernel.org/stable/c/397383db9c69470642ac95beb04f2150928d663b
	https://git.kernel.org/stable/c/2d2b19ed4169c38dc6c61a186c5f7bdafc709691
	https://git.kernel.org/stable/c/fbfe23012cec509dfbe09852019c4e4bb84999d0
	https://git.kernel.org/stable/c/fd7b4f9f46d46acbc7af3a439bb0d869efdc5c58