cve/published/2024/CVE-2024-53166.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53166: block, bfq: fix bfqq uaf in bfq_limit_depth()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 block, bfq: fix bfqq uaf in bfq_limit_depth()

 Set new allocated bfqq to bic or remove freed bfqq from bic are both
 protected by bfqd->lock, however bfq_limit_depth() is deferencing bfqq
 from bic without the lock, this can lead to UAF if the io_context is
 shared by multiple tasks.

 For example, test bfq with io_uring can trigger following UAF in v6.6:

 ==================================================================
 BUG: KASAN: slab-use-after-free in bfqq_group+0x15/0x50

 Call Trace:
  <TASK>
  dump_stack_lvl+0x47/0x80
  print_address_description.constprop.0+0x66/0x300
  print_report+0x3e/0x70
  kasan_report+0xb4/0xf0
  bfqq_group+0x15/0x50
  bfqq_request_over_limit+0x130/0x9a0
  bfq_limit_depth+0x1b5/0x480
  __blk_mq_alloc_requests+0x2b5/0xa00
  blk_mq_get_new_requests+0x11d/0x1d0
  blk_mq_submit_bio+0x286/0xb00
  submit_bio_noacct_nocheck+0x331/0x400
  __block_write_full_folio+0x3d0/0x640
  writepage_cb+0x3b/0xc0
  write_cache_pages+0x254/0x6c0
  write_cache_pages+0x254/0x6c0
  do_writepages+0x192/0x310
  filemap_fdatawrite_wbc+0x95/0xc0
  __filemap_fdatawrite_range+0x99/0xd0
  filemap_write_and_wait_range.part.0+0x4d/0xa0
  blkdev_read_iter+0xef/0x1e0
  io_read+0x1b6/0x8a0
  io_issue_sqe+0x87/0x300
  io_wq_submit_work+0xeb/0x390
  io_worker_handle_work+0x24d/0x550
  io_wq_worker+0x27f/0x6c0
  ret_from_fork_asm+0x1b/0x30
  </TASK>

 Allocated by task 808602:
  kasan_save_stack+0x1e/0x40
  kasan_set_track+0x21/0x30
  __kasan_slab_alloc+0x83/0x90
  kmem_cache_alloc_node+0x1b1/0x6d0
  bfq_get_queue+0x138/0xfa0
  bfq_get_bfqq_handle_split+0xe3/0x2c0
  bfq_init_rq+0x196/0xbb0
  bfq_insert_request.isra.0+0xb5/0x480
  bfq_insert_requests+0x156/0x180
  blk_mq_insert_request+0x15d/0x440
  blk_mq_submit_bio+0x8a4/0xb00
  submit_bio_noacct_nocheck+0x331/0x400
  __blkdev_direct_IO_async+0x2dd/0x330
  blkdev_write_iter+0x39a/0x450
  io_write+0x22a/0x840
  io_issue_sqe+0x87/0x300
  io_wq_submit_work+0xeb/0x390
  io_worker_handle_work+0x24d/0x550
  io_wq_worker+0x27f/0x6c0
  ret_from_fork+0x2d/0x50
  ret_from_fork_asm+0x1b/0x30

 Freed by task 808589:
  kasan_save_stack+0x1e/0x40
  kasan_set_track+0x21/0x30
  kasan_save_free_info+0x27/0x40
  __kasan_slab_free+0x126/0x1b0
  kmem_cache_free+0x10c/0x750
  bfq_put_queue+0x2dd/0x770
  __bfq_insert_request.isra.0+0x155/0x7a0
  bfq_insert_request.isra.0+0x122/0x480
  bfq_insert_requests+0x156/0x180
  blk_mq_dispatch_plug_list+0x528/0x7e0
  blk_mq_flush_plug_list.part.0+0xe5/0x590
  __blk_flush_plug+0x3b/0x90
  blk_finish_plug+0x40/0x60
  do_writepages+0x19d/0x310
  filemap_fdatawrite_wbc+0x95/0xc0
  __filemap_fdatawrite_range+0x99/0xd0
  filemap_write_and_wait_range.part.0+0x4d/0xa0
  blkdev_read_iter+0xef/0x1e0
  io_read+0x1b6/0x8a0
  io_issue_sqe+0x87/0x300
  io_wq_submit_work+0xeb/0x390
  io_worker_handle_work+0x24d/0x550
  io_wq_worker+0x27f/0x6c0
  ret_from_fork+0x2d/0x50
  ret_from_fork_asm+0x1b/0x30

 Fix the problem by protecting bic_to_bfqq() with bfqd->lock.

 The Linux kernel CVE team has assigned CVE-2024-53166 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit 76f1df88bbc2f984eb0418cc90de0a8384e63604 and fixed in 6.1.130 with commit ada4ca5fd5a9d5212f28164d49a4885951c979c9
 	Issue introduced in 5.17 with commit 76f1df88bbc2f984eb0418cc90de0a8384e63604 and fixed in 6.6.64 with commit 906cdbdd3b018ff69cc830173bce277a847d4fdc
 	Issue introduced in 5.17 with commit 76f1df88bbc2f984eb0418cc90de0a8384e63604 and fixed in 6.11.11 with commit dcaa738afde55085ac6056252e319479cf23cde2
 	Issue introduced in 5.17 with commit 76f1df88bbc2f984eb0418cc90de0a8384e63604 and fixed in 6.12.2 with commit 01a853faaeaf3379ccf358ade582b1d28752126e
 	Issue introduced in 5.17 with commit 76f1df88bbc2f984eb0418cc90de0a8384e63604 and fixed in 6.13 with commit e8b8344de3980709080d86c157d24e7de07d70ad

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53166
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	block/bfq-iosched.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ada4ca5fd5a9d5212f28164d49a4885951c979c9
 	https://git.kernel.org/stable/c/906cdbdd3b018ff69cc830173bce277a847d4fdc
 	https://git.kernel.org/stable/c/dcaa738afde55085ac6056252e319479cf23cde2
 	https://git.kernel.org/stable/c/01a853faaeaf3379ccf358ade582b1d28752126e
 	https://git.kernel.org/stable/c/e8b8344de3980709080d86c157d24e7de07d70ad
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53166: block, bfq: fix bfqq uaf in bfq_limit_depth()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	block, bfq: fix bfqq uaf in bfq_limit_depth()

	Set new allocated bfqq to bic or remove freed bfqq from bic are both
	protected by bfqd->lock, however bfq_limit_depth() is deferencing bfqq
	from bic without the lock, this can lead to UAF if the io_context is
	shared by multiple tasks.

	For example, test bfq with io_uring can trigger following UAF in v6.6:

	==================================================================
	BUG: KASAN: slab-use-after-free in bfqq_group+0x15/0x50

	Call Trace:
	<TASK>
	dump_stack_lvl+0x47/0x80
	print_address_description.constprop.0+0x66/0x300
	print_report+0x3e/0x70
	kasan_report+0xb4/0xf0
	bfqq_group+0x15/0x50
	bfqq_request_over_limit+0x130/0x9a0
	bfq_limit_depth+0x1b5/0x480
	__blk_mq_alloc_requests+0x2b5/0xa00
	blk_mq_get_new_requests+0x11d/0x1d0
	blk_mq_submit_bio+0x286/0xb00
	submit_bio_noacct_nocheck+0x331/0x400
	__block_write_full_folio+0x3d0/0x640
	writepage_cb+0x3b/0xc0
	write_cache_pages+0x254/0x6c0
	write_cache_pages+0x254/0x6c0
	do_writepages+0x192/0x310
	filemap_fdatawrite_wbc+0x95/0xc0
	__filemap_fdatawrite_range+0x99/0xd0
	filemap_write_and_wait_range.part.0+0x4d/0xa0
	blkdev_read_iter+0xef/0x1e0
	io_read+0x1b6/0x8a0
	io_issue_sqe+0x87/0x300
	io_wq_submit_work+0xeb/0x390
	io_worker_handle_work+0x24d/0x550
	io_wq_worker+0x27f/0x6c0
	ret_from_fork_asm+0x1b/0x30
	</TASK>

	Allocated by task 808602:
	kasan_save_stack+0x1e/0x40
	kasan_set_track+0x21/0x30
	__kasan_slab_alloc+0x83/0x90
	kmem_cache_alloc_node+0x1b1/0x6d0
	bfq_get_queue+0x138/0xfa0
	bfq_get_bfqq_handle_split+0xe3/0x2c0
	bfq_init_rq+0x196/0xbb0
	bfq_insert_request.isra.0+0xb5/0x480
	bfq_insert_requests+0x156/0x180
	blk_mq_insert_request+0x15d/0x440
	blk_mq_submit_bio+0x8a4/0xb00
	submit_bio_noacct_nocheck+0x331/0x400
	__blkdev_direct_IO_async+0x2dd/0x330
	blkdev_write_iter+0x39a/0x450
	io_write+0x22a/0x840
	io_issue_sqe+0x87/0x300
	io_wq_submit_work+0xeb/0x390
	io_worker_handle_work+0x24d/0x550
	io_wq_worker+0x27f/0x6c0
	ret_from_fork+0x2d/0x50
	ret_from_fork_asm+0x1b/0x30

	Freed by task 808589:
	kasan_save_stack+0x1e/0x40
	kasan_set_track+0x21/0x30
	kasan_save_free_info+0x27/0x40
	__kasan_slab_free+0x126/0x1b0
	kmem_cache_free+0x10c/0x750
	bfq_put_queue+0x2dd/0x770
	__bfq_insert_request.isra.0+0x155/0x7a0
	bfq_insert_request.isra.0+0x122/0x480
	bfq_insert_requests+0x156/0x180
	blk_mq_dispatch_plug_list+0x528/0x7e0
	blk_mq_flush_plug_list.part.0+0xe5/0x590
	__blk_flush_plug+0x3b/0x90
	blk_finish_plug+0x40/0x60
	do_writepages+0x19d/0x310
	filemap_fdatawrite_wbc+0x95/0xc0
	__filemap_fdatawrite_range+0x99/0xd0
	filemap_write_and_wait_range.part.0+0x4d/0xa0
	blkdev_read_iter+0xef/0x1e0
	io_read+0x1b6/0x8a0
	io_issue_sqe+0x87/0x300
	io_wq_submit_work+0xeb/0x390
	io_worker_handle_work+0x24d/0x550
	io_wq_worker+0x27f/0x6c0
	ret_from_fork+0x2d/0x50
	ret_from_fork_asm+0x1b/0x30

	Fix the problem by protecting bic_to_bfqq() with bfqd->lock.

	The Linux kernel CVE team has assigned CVE-2024-53166 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit 76f1df88bbc2f984eb0418cc90de0a8384e63604 and fixed in 6.1.130 with commit ada4ca5fd5a9d5212f28164d49a4885951c979c9
	Issue introduced in 5.17 with commit 76f1df88bbc2f984eb0418cc90de0a8384e63604 and fixed in 6.6.64 with commit 906cdbdd3b018ff69cc830173bce277a847d4fdc
	Issue introduced in 5.17 with commit 76f1df88bbc2f984eb0418cc90de0a8384e63604 and fixed in 6.11.11 with commit dcaa738afde55085ac6056252e319479cf23cde2
	Issue introduced in 5.17 with commit 76f1df88bbc2f984eb0418cc90de0a8384e63604 and fixed in 6.12.2 with commit 01a853faaeaf3379ccf358ade582b1d28752126e
	Issue introduced in 5.17 with commit 76f1df88bbc2f984eb0418cc90de0a8384e63604 and fixed in 6.13 with commit e8b8344de3980709080d86c157d24e7de07d70ad

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53166
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	block/bfq-iosched.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ada4ca5fd5a9d5212f28164d49a4885951c979c9
	https://git.kernel.org/stable/c/906cdbdd3b018ff69cc830173bce277a847d4fdc
	https://git.kernel.org/stable/c/dcaa738afde55085ac6056252e319479cf23cde2
	https://git.kernel.org/stable/c/01a853faaeaf3379ccf358ade582b1d28752126e
	https://git.kernel.org/stable/c/e8b8344de3980709080d86c157d24e7de07d70ad