cve/published/2024/CVE-2024-53198.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53198: xen: Fix the issue of resource not being properly released in xenbus_dev_probe()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 xen: Fix the issue of resource not being properly released in xenbus_dev_probe()

 This patch fixes an issue in the function xenbus_dev_probe(). In the
 xenbus_dev_probe() function, within the if (err) branch at line 313, the
 program incorrectly returns err directly without releasing the resources
 allocated by err = drv->probe(dev, id). As the return value is non-zero,
 the upper layers assume the processing logic has failed. However, the probe
 operation was performed earlier without a corresponding remove operation.
 Since the probe actually allocates resources, failing to perform the remove
 operation could lead to problems.

 To fix this issue, we followed the resource release logic of the
 xenbus_dev_remove() function by adding a new block fail_remove before the
 fail_put block. After entering the branch if (err) at line 313, the
 function will use a goto statement to jump to the fail_remove block,
 ensuring that the previously acquired resources are correctly released,
 thus preventing the reference count leak.

 This bug was identified by an experimental static analysis tool developed
 by our team. The tool specializes in analyzing reference count operations
 and detecting potential issues where resources are not properly managed.
 In this case, the tool flagged the missing release operation as a
 potential problem, which led to the development of this patch.

 The Linux kernel CVE team has assigned CVE-2024-53198 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 5.4.287 with commit 87106169b4ce26f85561f953d13d1fd86d99b612
 	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 5.10.231 with commit 0aa9e30b5b4af5dd504801689d6d84c584290a45
 	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 5.15.174 with commit e8823e6ff313465910edea07581627d85e68d9fd
 	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 6.1.120 with commit 3fc0996d2fefe61219375fd650601724b8cf2d30
 	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 6.6.64 with commit 804b96f8d0a02fa10b92f28b2e042f9128ed3ffc
 	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 6.11.11 with commit 217bdce88b104269b73603b84d0ab4dd04f481bc
 	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 6.12.2 with commit 2f977a4c82d35d063f5fe198bbc501c4b1c5ea0e
 	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 6.13 with commit afc545da381ba0c651b2658966ac737032676f01

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53198
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/xen/xenbus/xenbus_probe.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/87106169b4ce26f85561f953d13d1fd86d99b612
 	https://git.kernel.org/stable/c/0aa9e30b5b4af5dd504801689d6d84c584290a45
 	https://git.kernel.org/stable/c/e8823e6ff313465910edea07581627d85e68d9fd
 	https://git.kernel.org/stable/c/3fc0996d2fefe61219375fd650601724b8cf2d30
 	https://git.kernel.org/stable/c/804b96f8d0a02fa10b92f28b2e042f9128ed3ffc
 	https://git.kernel.org/stable/c/217bdce88b104269b73603b84d0ab4dd04f481bc
 	https://git.kernel.org/stable/c/2f977a4c82d35d063f5fe198bbc501c4b1c5ea0e
 	https://git.kernel.org/stable/c/afc545da381ba0c651b2658966ac737032676f01
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53198: xen: Fix the issue of resource not being properly released in xenbus_dev_probe()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	xen: Fix the issue of resource not being properly released in xenbus_dev_probe()

	This patch fixes an issue in the function xenbus_dev_probe(). In the
	xenbus_dev_probe() function, within the if (err) branch at line 313, the
	program incorrectly returns err directly without releasing the resources
	allocated by err = drv->probe(dev, id). As the return value is non-zero,
	the upper layers assume the processing logic has failed. However, the probe
	operation was performed earlier without a corresponding remove operation.
	Since the probe actually allocates resources, failing to perform the remove
	operation could lead to problems.

	To fix this issue, we followed the resource release logic of the
	xenbus_dev_remove() function by adding a new block fail_remove before the
	fail_put block. After entering the branch if (err) at line 313, the
	function will use a goto statement to jump to the fail_remove block,
	ensuring that the previously acquired resources are correctly released,
	thus preventing the reference count leak.

	This bug was identified by an experimental static analysis tool developed
	by our team. The tool specializes in analyzing reference count operations
	and detecting potential issues where resources are not properly managed.
	In this case, the tool flagged the missing release operation as a
	potential problem, which led to the development of this patch.

	The Linux kernel CVE team has assigned CVE-2024-53198 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 5.4.287 with commit 87106169b4ce26f85561f953d13d1fd86d99b612
	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 5.10.231 with commit 0aa9e30b5b4af5dd504801689d6d84c584290a45
	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 5.15.174 with commit e8823e6ff313465910edea07581627d85e68d9fd
	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 6.1.120 with commit 3fc0996d2fefe61219375fd650601724b8cf2d30
	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 6.6.64 with commit 804b96f8d0a02fa10b92f28b2e042f9128ed3ffc
	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 6.11.11 with commit 217bdce88b104269b73603b84d0ab4dd04f481bc
	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 6.12.2 with commit 2f977a4c82d35d063f5fe198bbc501c4b1c5ea0e
	Issue introduced in 2.6.23 with commit 4bac07c993d03434ea902d3d4290d9e45944b66c and fixed in 6.13 with commit afc545da381ba0c651b2658966ac737032676f01

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53198
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/xen/xenbus/xenbus_probe.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/87106169b4ce26f85561f953d13d1fd86d99b612
	https://git.kernel.org/stable/c/0aa9e30b5b4af5dd504801689d6d84c584290a45
	https://git.kernel.org/stable/c/e8823e6ff313465910edea07581627d85e68d9fd
	https://git.kernel.org/stable/c/3fc0996d2fefe61219375fd650601724b8cf2d30
	https://git.kernel.org/stable/c/804b96f8d0a02fa10b92f28b2e042f9128ed3ffc
	https://git.kernel.org/stable/c/217bdce88b104269b73603b84d0ab4dd04f481bc
	https://git.kernel.org/stable/c/2f977a4c82d35d063f5fe198bbc501c4b1c5ea0e
	https://git.kernel.org/stable/c/afc545da381ba0c651b2658966ac737032676f01