cve/published/2024/CVE-2024-54031.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-54031: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

 Access to genmask field in struct nft_set_ext results in unaligned
 atomic read:

 [   72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c
 [   72.131036] Mem abort info:
 [   72.131213]   ESR = 0x0000000096000021
 [   72.131446]   EC = 0x25: DABT (current EL), IL = 32 bits
 [   72.132209]   SET = 0, FnV = 0
 [   72.133216]   EA = 0, S1PTW = 0
 [   72.134080]   FSC = 0x21: alignment fault
 [   72.135593] Data abort info:
 [   72.137194]   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000
 [   72.142351]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
 [   72.145989]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
 [   72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000
 [   72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403,
 +pte=0068000102bb7707
 [   72.163021] Internal error: Oops: 0000000096000021 [#1] SMP
 [...]
 [   72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G            E      6.13.0-rc3+ #2
 [   72.170509] Tainted: [E]=UNSIGNED_MODULE
 [   72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023
 [   72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
 [   72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
 [   72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]
 [   72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]
 [   72.172546] sp : ffff800081f2bce0
 [   72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038
 [   72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78
 [   72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78
 [   72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000
 [   72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978
 [   72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0
 [   72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000
 [   72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000
 [   72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000
 [   72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004
 [   72.176207] Call trace:
 [   72.176316]  nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)
 [   72.176653]  process_one_work+0x178/0x3d0
 [   72.176831]  worker_thread+0x200/0x3f0
 [   72.176995]  kthread+0xe8/0xf8
 [   72.177130]  ret_from_fork+0x10/0x20
 [   72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)
 [   72.177557] ---[ end trace 0000000000000000 ]---

 Align struct nft_set_ext to word size to address this and
 documentation it.

 pahole reports that this increases the size of elements for rhash and
 pipapo in 8 bytes on x86_64.

 The Linux kernel CVE team has assigned CVE-2024-54031 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.287 with commit 98d62cf0e26305dd6a1932a4054004290f4194bb and fixed in 5.4.289 with commit 352f8eaaabd008f09d1e176194edc261a7304084
 	Issue introduced in 5.10.231 with commit e21855091f11df80d41239dbc5f8545b772c657d and fixed in 5.10.233 with commit 6a14b46052eeb83175a95baf399283860b9d94c4
 	Issue introduced in 5.15.174 with commit 59a59da8de47848575eedc141a74aae57696706d and fixed in 5.15.176 with commit 277f00b0c2dca8794cf4837722960bdc4174911f
 	Issue introduced in 6.1.120 with commit 23a6919bb3ecf6787f060476ee6810ad55ebf9c8 and fixed in 6.1.124 with commit 607774a13764676d4b8be9c8b9c66b8cf3469043
 	Issue introduced in 6.6.66 with commit 86c27603514cb8ead29857365cdd145404ee9706 and fixed in 6.6.70 with commit 4f49349c1963e507aa37c1ec05178faeb0103959
 	Issue introduced in 6.12.5 with commit be4d0ac67d92e6a285cd3eeb672188d249c121b2 and fixed in 6.12.9 with commit d24cbc43cc7b41a0824b0bc6ec4d8436d8d7a9c0

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-54031
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/net/netfilter/nf_tables.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/352f8eaaabd008f09d1e176194edc261a7304084
 	https://git.kernel.org/stable/c/6a14b46052eeb83175a95baf399283860b9d94c4
 	https://git.kernel.org/stable/c/277f00b0c2dca8794cf4837722960bdc4174911f
 	https://git.kernel.org/stable/c/607774a13764676d4b8be9c8b9c66b8cf3469043
 	https://git.kernel.org/stable/c/4f49349c1963e507aa37c1ec05178faeb0103959
 	https://git.kernel.org/stable/c/d24cbc43cc7b41a0824b0bc6ec4d8436d8d7a9c0
 	https://git.kernel.org/stable/c/542ed8145e6f9392e3d0a86a0e9027d2ffd183e4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-54031: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

	Access to genmask field in struct nft_set_ext results in unaligned
	atomic read:

	[ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c
	[ 72.131036] Mem abort info:
	[ 72.131213] ESR = 0x0000000096000021
	[ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits
	[ 72.132209] SET = 0, FnV = 0
	[ 72.133216] EA = 0, S1PTW = 0
	[ 72.134080] FSC = 0x21: alignment fault
	[ 72.135593] Data abort info:
	[ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000
	[ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
	[ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
	[ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000
	[ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403,
	+pte=0068000102bb7707
	[ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP
	[...]
	[ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2
	[ 72.170509] Tainted: [E]=UNSIGNED_MODULE
	[ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023
	[ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
	[ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
	[ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]
	[ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]
	[ 72.172546] sp : ffff800081f2bce0
	[ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038
	[ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78
	[ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78
	[ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000
	[ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978
	[ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0
	[ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000
	[ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000
	[ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000
	[ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004
	[ 72.176207] Call trace:
	[ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)
	[ 72.176653] process_one_work+0x178/0x3d0
	[ 72.176831] worker_thread+0x200/0x3f0
	[ 72.176995] kthread+0xe8/0xf8
	[ 72.177130] ret_from_fork+0x10/0x20
	[ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)
	[ 72.177557] ---[ end trace 0000000000000000 ]---

	Align struct nft_set_ext to word size to address this and
	documentation it.

	pahole reports that this increases the size of elements for rhash and
	pipapo in 8 bytes on x86_64.

	The Linux kernel CVE team has assigned CVE-2024-54031 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.287 with commit 98d62cf0e26305dd6a1932a4054004290f4194bb and fixed in 5.4.289 with commit 352f8eaaabd008f09d1e176194edc261a7304084
	Issue introduced in 5.10.231 with commit e21855091f11df80d41239dbc5f8545b772c657d and fixed in 5.10.233 with commit 6a14b46052eeb83175a95baf399283860b9d94c4
	Issue introduced in 5.15.174 with commit 59a59da8de47848575eedc141a74aae57696706d and fixed in 5.15.176 with commit 277f00b0c2dca8794cf4837722960bdc4174911f
	Issue introduced in 6.1.120 with commit 23a6919bb3ecf6787f060476ee6810ad55ebf9c8 and fixed in 6.1.124 with commit 607774a13764676d4b8be9c8b9c66b8cf3469043
	Issue introduced in 6.6.66 with commit 86c27603514cb8ead29857365cdd145404ee9706 and fixed in 6.6.70 with commit 4f49349c1963e507aa37c1ec05178faeb0103959
	Issue introduced in 6.12.5 with commit be4d0ac67d92e6a285cd3eeb672188d249c121b2 and fixed in 6.12.9 with commit d24cbc43cc7b41a0824b0bc6ec4d8436d8d7a9c0

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-54031
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/net/netfilter/nf_tables.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/352f8eaaabd008f09d1e176194edc261a7304084
	https://git.kernel.org/stable/c/6a14b46052eeb83175a95baf399283860b9d94c4
	https://git.kernel.org/stable/c/277f00b0c2dca8794cf4837722960bdc4174911f
	https://git.kernel.org/stable/c/607774a13764676d4b8be9c8b9c66b8cf3469043
	https://git.kernel.org/stable/c/4f49349c1963e507aa37c1ec05178faeb0103959
	https://git.kernel.org/stable/c/d24cbc43cc7b41a0824b0bc6ec4d8436d8d7a9c0
	https://git.kernel.org/stable/c/542ed8145e6f9392e3d0a86a0e9027d2ffd183e4