cve/published/2024/CVE-2024-56631.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56631: scsi: sg: Fix slab-use-after-free read in sg_release()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: sg: Fix slab-use-after-free read in sg_release()

 Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN:

 BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30
 kernel/locking/lockdep.c:5838
 __mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912
 sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407

 In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is
 called before releasing the open_rel_lock mutex. The kref_put() call may
 decrement the reference count of sfp to zero, triggering its cleanup
 through sg_remove_sfp(). This cleanup includes scheduling deferred work
 via sg_remove_sfp_usercontext(), which ultimately frees sfp.

 After kref_put(), sg_release() continues to unlock open_rel_lock and may
 reference sfp or sdp. If sfp has already been freed, this results in a
 slab-use-after-free error.

 Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the
 open_rel_lock mutex. This ensures:

  - No references to sfp or sdp occur after the reference count is
    decremented.

  - Cleanup functions such as sg_remove_sfp() and
    sg_remove_sfp_usercontext() can safely execute without impacting the
    mutex handling in sg_release().

 The fix has been tested and validated by syzbot. This patch closes the
 bug reported at the following syzkaller link and ensures proper
 sequencing of resource cleanup and mutex operations, eliminating the
 risk of use-after-free errors in sg_release().

 The Linux kernel CVE team has assigned CVE-2024-56631 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 5.4.290 with commit e19acb1926c4a1f30ee1ec84d8afba2d975bd534
 	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 5.10.234 with commit 285ce1f89f8d414e7eecab5ef5118cd512596318
 	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 5.15.177 with commit 198b89dd5a595ee3f96e5ce5c448b0484cd0e53c
 	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 6.1.127 with commit 275b8347e21ab8193e93223a8394a806e4ba8918
 	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 6.6.66 with commit 59b30afa578637169e2819536bb66459fdddc39d
 	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 6.12.5 with commit 1f5e2f1ca5875728fcf62bc1a054707444ab4960
 	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 6.13 with commit f10593ad9bc36921f623361c9e3dd96bd52d85ee
 	Issue introduced in 3.16.85 with commit 3a27c0defb0315760100f8b1adc7c4acbe04c884

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56631
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/scsi/sg.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e19acb1926c4a1f30ee1ec84d8afba2d975bd534
 	https://git.kernel.org/stable/c/285ce1f89f8d414e7eecab5ef5118cd512596318
 	https://git.kernel.org/stable/c/198b89dd5a595ee3f96e5ce5c448b0484cd0e53c
 	https://git.kernel.org/stable/c/275b8347e21ab8193e93223a8394a806e4ba8918
 	https://git.kernel.org/stable/c/59b30afa578637169e2819536bb66459fdddc39d
 	https://git.kernel.org/stable/c/1f5e2f1ca5875728fcf62bc1a054707444ab4960
 	https://git.kernel.org/stable/c/f10593ad9bc36921f623361c9e3dd96bd52d85ee
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56631: scsi: sg: Fix slab-use-after-free read in sg_release()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: sg: Fix slab-use-after-free read in sg_release()

	Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN:

	BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30
	kernel/locking/lockdep.c:5838
	__mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912
	sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407

	In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is
	called before releasing the open_rel_lock mutex. The kref_put() call may
	decrement the reference count of sfp to zero, triggering its cleanup
	through sg_remove_sfp(). This cleanup includes scheduling deferred work
	via sg_remove_sfp_usercontext(), which ultimately frees sfp.

	After kref_put(), sg_release() continues to unlock open_rel_lock and may
	reference sfp or sdp. If sfp has already been freed, this results in a
	slab-use-after-free error.

	Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the
	open_rel_lock mutex. This ensures:

	- No references to sfp or sdp occur after the reference count is
	decremented.

	- Cleanup functions such as sg_remove_sfp() and
	sg_remove_sfp_usercontext() can safely execute without impacting the
	mutex handling in sg_release().

	The fix has been tested and validated by syzbot. This patch closes the
	bug reported at the following syzkaller link and ensures proper
	sequencing of resource cleanup and mutex operations, eliminating the
	risk of use-after-free errors in sg_release().

	The Linux kernel CVE team has assigned CVE-2024-56631 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 5.4.290 with commit e19acb1926c4a1f30ee1ec84d8afba2d975bd534
	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 5.10.234 with commit 285ce1f89f8d414e7eecab5ef5118cd512596318
	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 5.15.177 with commit 198b89dd5a595ee3f96e5ce5c448b0484cd0e53c
	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 6.1.127 with commit 275b8347e21ab8193e93223a8394a806e4ba8918
	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 6.6.66 with commit 59b30afa578637169e2819536bb66459fdddc39d
	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 6.12.5 with commit 1f5e2f1ca5875728fcf62bc1a054707444ab4960
	Issue introduced in 3.17 with commit cc833acbee9db5ca8c6162b015b4c93863c6f821 and fixed in 6.13 with commit f10593ad9bc36921f623361c9e3dd96bd52d85ee
	Issue introduced in 3.16.85 with commit 3a27c0defb0315760100f8b1adc7c4acbe04c884

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56631
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/scsi/sg.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e19acb1926c4a1f30ee1ec84d8afba2d975bd534
	https://git.kernel.org/stable/c/285ce1f89f8d414e7eecab5ef5118cd512596318
	https://git.kernel.org/stable/c/198b89dd5a595ee3f96e5ce5c448b0484cd0e53c
	https://git.kernel.org/stable/c/275b8347e21ab8193e93223a8394a806e4ba8918
	https://git.kernel.org/stable/c/59b30afa578637169e2819536bb66459fdddc39d
	https://git.kernel.org/stable/c/1f5e2f1ca5875728fcf62bc1a054707444ab4960
	https://git.kernel.org/stable/c/f10593ad9bc36921f623361c9e3dd96bd52d85ee