cve/published/2024/CVE-2024-53183.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53183: um: net: Do not use drvdata in release

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 um: net: Do not use drvdata in release

 The drvdata is not available in release. Let's just use container_of()
 to get the uml_net instance. Otherwise, removing a network device will
 result in a crash:

 RIP: 0033:net_device_release+0x10/0x6f
 RSP: 00000000e20c7c40  EFLAGS: 00010206
 RAX: 000000006002e4e7 RBX: 00000000600f1baf RCX: 00000000624074e0
 RDX: 0000000062778000 RSI: 0000000060551c80 RDI: 00000000627af028
 RBP: 00000000e20c7c50 R08: 00000000603ad594 R09: 00000000e20c7b70
 R10: 000000000000135a R11: 00000000603ad422 R12: 0000000000000000
 R13: 0000000062c7af00 R14: 0000000062406d60 R15: 00000000627700b6
 Kernel panic - not syncing: Segfault with no mm
 CPU: 0 UID: 0 PID: 29 Comm: kworker/0:2 Not tainted 6.12.0-rc6-g59b723cd2adb #1
 Workqueue: events mc_work_proc
 Stack:
  627af028 62c7af00 e20c7c80 60276fcd
  62778000 603f5820 627af028 00000000
  e20c7cb0 603a2bcd 627af000 62770010
 Call Trace:
  [<60276fcd>] device_release+0x70/0xba
  [<603a2bcd>] kobject_put+0xba/0xe7
  [<60277265>] put_device+0x19/0x1c
  [<60281266>] platform_device_put+0x26/0x29
  [<60281e5f>] platform_device_unregister+0x2c/0x2e
  [<6002ec9c>] net_remove+0x63/0x69
  [<60031316>] ? mconsole_reply+0x0/0x50
  [<600310c8>] mconsole_remove+0x160/0x1cc
  [<60087d40>] ? __remove_hrtimer+0x38/0x74
  [<60087ff8>] ? hrtimer_try_to_cancel+0x8c/0x98
  [<6006b3cf>] ? dl_server_stop+0x3f/0x48
  [<6006b390>] ? dl_server_stop+0x0/0x48
  [<600672e8>] ? dequeue_entities+0x327/0x390
  [<60038fa6>] ? um_set_signals+0x0/0x43
  [<6003070c>] mc_work_proc+0x77/0x91
  [<60057664>] process_scheduled_works+0x1b3/0x2dd
  [<60055f32>] ? assign_work+0x0/0x58
  [<60057f0a>] worker_thread+0x1e9/0x293
  [<6005406f>] ? set_pf_worker+0x0/0x64
  [<6005d65d>] ? arch_local_irq_save+0x0/0x2d
  [<6005d748>] ? kthread_exit+0x0/0x3a
  [<60057d21>] ? worker_thread+0x0/0x293
  [<6005dbf1>] kthread+0x126/0x12b
  [<600219c5>] new_thread_handler+0x85/0xb6

 The Linux kernel CVE team has assigned CVE-2024-53183 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.325 with commit b174ab33aaafd556a1ead72fa8e35d70b6fb1e39
 	Fixed in 5.4.287 with commit 8d9d174d3f55daaf5e7b48e9d7f53c723adbed86
 	Fixed in 5.10.231 with commit 6be99d4c117b9642a44d9f54f034b67615be2b2b
 	Fixed in 5.15.174 with commit 1635d9a0ff1b8bd7aa4767d4ea7b3de72cd36f28
 	Fixed in 6.1.120 with commit 160cd5f956d191eb97664afd31ca59284c08d876
 	Fixed in 6.6.64 with commit cdbd5a1dcdc2c27ac076f91b03b9add3fefa1a82
 	Fixed in 6.11.11 with commit 468c2e5394afc848efb1eae6e1961a3c855cf35e
 	Fixed in 6.12.2 with commit f04cd022ee1fde219e0db1086c27a0a5ba1914db
 	Fixed in 6.13 with commit d1db692a9be3b4bd3473b64fcae996afaffe8438

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53183
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/um/drivers/net_kern.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b174ab33aaafd556a1ead72fa8e35d70b6fb1e39
 	https://git.kernel.org/stable/c/8d9d174d3f55daaf5e7b48e9d7f53c723adbed86
 	https://git.kernel.org/stable/c/6be99d4c117b9642a44d9f54f034b67615be2b2b
 	https://git.kernel.org/stable/c/1635d9a0ff1b8bd7aa4767d4ea7b3de72cd36f28
 	https://git.kernel.org/stable/c/160cd5f956d191eb97664afd31ca59284c08d876
 	https://git.kernel.org/stable/c/cdbd5a1dcdc2c27ac076f91b03b9add3fefa1a82
 	https://git.kernel.org/stable/c/468c2e5394afc848efb1eae6e1961a3c855cf35e
 	https://git.kernel.org/stable/c/f04cd022ee1fde219e0db1086c27a0a5ba1914db
 	https://git.kernel.org/stable/c/d1db692a9be3b4bd3473b64fcae996afaffe8438
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53183: um: net: Do not use drvdata in release

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	um: net: Do not use drvdata in release

	The drvdata is not available in release. Let's just use container_of()
	to get the uml_net instance. Otherwise, removing a network device will
	result in a crash:

	RIP: 0033:net_device_release+0x10/0x6f
	RSP: 00000000e20c7c40 EFLAGS: 00010206
	RAX: 000000006002e4e7 RBX: 00000000600f1baf RCX: 00000000624074e0
	RDX: 0000000062778000 RSI: 0000000060551c80 RDI: 00000000627af028
	RBP: 00000000e20c7c50 R08: 00000000603ad594 R09: 00000000e20c7b70
	R10: 000000000000135a R11: 00000000603ad422 R12: 0000000000000000
	R13: 0000000062c7af00 R14: 0000000062406d60 R15: 00000000627700b6
	Kernel panic - not syncing: Segfault with no mm
	CPU: 0 UID: 0 PID: 29 Comm: kworker/0:2 Not tainted 6.12.0-rc6-g59b723cd2adb #1
	Workqueue: events mc_work_proc
	Stack:
	627af028 62c7af00 e20c7c80 60276fcd
	62778000 603f5820 627af028 00000000
	e20c7cb0 603a2bcd 627af000 62770010
	Call Trace:
	[<60276fcd>] device_release+0x70/0xba
	[<603a2bcd>] kobject_put+0xba/0xe7
	[<60277265>] put_device+0x19/0x1c
	[<60281266>] platform_device_put+0x26/0x29
	[<60281e5f>] platform_device_unregister+0x2c/0x2e
	[<6002ec9c>] net_remove+0x63/0x69
	[<60031316>] ? mconsole_reply+0x0/0x50
	[<600310c8>] mconsole_remove+0x160/0x1cc
	[<60087d40>] ? __remove_hrtimer+0x38/0x74
	[<60087ff8>] ? hrtimer_try_to_cancel+0x8c/0x98
	[<6006b3cf>] ? dl_server_stop+0x3f/0x48
	[<6006b390>] ? dl_server_stop+0x0/0x48
	[<600672e8>] ? dequeue_entities+0x327/0x390
	[<60038fa6>] ? um_set_signals+0x0/0x43
	[<6003070c>] mc_work_proc+0x77/0x91
	[<60057664>] process_scheduled_works+0x1b3/0x2dd
	[<60055f32>] ? assign_work+0x0/0x58
	[<60057f0a>] worker_thread+0x1e9/0x293
	[<6005406f>] ? set_pf_worker+0x0/0x64
	[<6005d65d>] ? arch_local_irq_save+0x0/0x2d
	[<6005d748>] ? kthread_exit+0x0/0x3a
	[<60057d21>] ? worker_thread+0x0/0x293
	[<6005dbf1>] kthread+0x126/0x12b
	[<600219c5>] new_thread_handler+0x85/0xb6

	The Linux kernel CVE team has assigned CVE-2024-53183 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.325 with commit b174ab33aaafd556a1ead72fa8e35d70b6fb1e39
	Fixed in 5.4.287 with commit 8d9d174d3f55daaf5e7b48e9d7f53c723adbed86
	Fixed in 5.10.231 with commit 6be99d4c117b9642a44d9f54f034b67615be2b2b
	Fixed in 5.15.174 with commit 1635d9a0ff1b8bd7aa4767d4ea7b3de72cd36f28
	Fixed in 6.1.120 with commit 160cd5f956d191eb97664afd31ca59284c08d876
	Fixed in 6.6.64 with commit cdbd5a1dcdc2c27ac076f91b03b9add3fefa1a82
	Fixed in 6.11.11 with commit 468c2e5394afc848efb1eae6e1961a3c855cf35e
	Fixed in 6.12.2 with commit f04cd022ee1fde219e0db1086c27a0a5ba1914db
	Fixed in 6.13 with commit d1db692a9be3b4bd3473b64fcae996afaffe8438

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53183
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/um/drivers/net_kern.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b174ab33aaafd556a1ead72fa8e35d70b6fb1e39
	https://git.kernel.org/stable/c/8d9d174d3f55daaf5e7b48e9d7f53c723adbed86
	https://git.kernel.org/stable/c/6be99d4c117b9642a44d9f54f034b67615be2b2b
	https://git.kernel.org/stable/c/1635d9a0ff1b8bd7aa4767d4ea7b3de72cd36f28
	https://git.kernel.org/stable/c/160cd5f956d191eb97664afd31ca59284c08d876
	https://git.kernel.org/stable/c/cdbd5a1dcdc2c27ac076f91b03b9add3fefa1a82
	https://git.kernel.org/stable/c/468c2e5394afc848efb1eae6e1961a3c855cf35e
	https://git.kernel.org/stable/c/f04cd022ee1fde219e0db1086c27a0a5ba1914db
	https://git.kernel.org/stable/c/d1db692a9be3b4bd3473b64fcae996afaffe8438