cve/published/2024/CVE-2024-57795.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57795: RDMA/rxe: Remove the direct link to net_device

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/rxe: Remove the direct link to net_device

 The similar patch in siw is in the link:
 https://git.kernel.org/rdma/rdma/c/16b87037b48889

 This problem also occurred in RXE. The following analyze this problem.
 In the following Call Traces:
 "
 BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
 Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295

 CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted
 6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0
 Hardware name: Google Compute Engine/Google Compute Engine,
 BIOS Google 09/13/2024
 Workqueue: infiniband ib_cache_event_task
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
  print_address_description mm/kasan/report.c:377 [inline]
  print_report+0x169/0x550 mm/kasan/report.c:488
  kasan_report+0x143/0x180 mm/kasan/report.c:601
  dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
  rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60
  __ib_query_port drivers/infiniband/core/device.c:2111 [inline]
  ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143
  ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494
  ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568
  process_one_work kernel/workqueue.c:3229 [inline]
  process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
  worker_thread+0x870/0xd30 kernel/workqueue.c:3391
  kthread+0x2f2/0x390 kernel/kthread.c:389
  ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
  </TASK>
 "

 1). In the link [1],

 "
  infiniband syz2: set down
 "

 This means that on 839.350575, the event ib_cache_event_task was sent andi
 queued in ib_wq.

 2). In the link [1],

 "
  team0 (unregistering): Port device team_slave_0 removed
 "

 It indicates that before 843.251853, the net device should be freed.

 3). In the link [1],

 "
  BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0
 "

 This means that on 850.559070, this slab-use-after-free problem occurred.

 In all, on 839.350575, the event ib_cache_event_task was sent and queued
 in ib_wq,

 before 843.251853, the net device veth was freed.

 on 850.559070, this event was executed, and the mentioned freed net device
 was called. Thus, the above call trace occurred.

 [1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000

 The Linux kernel CVE team has assigned CVE-2024-57795 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 6.12.9 with commit 9f6f54e6a6863131442b40e14d1792b090c7ce21
 	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 6.13 with commit 2ac5415022d16d63d912a39a06f32f1f51140261

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57795
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/sw/rxe/rxe.c
 	drivers/infiniband/sw/rxe/rxe.h
 	drivers/infiniband/sw/rxe/rxe_mcast.c
 	drivers/infiniband/sw/rxe/rxe_net.c
 	drivers/infiniband/sw/rxe/rxe_verbs.c
 	drivers/infiniband/sw/rxe/rxe_verbs.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9f6f54e6a6863131442b40e14d1792b090c7ce21
 	https://git.kernel.org/stable/c/2ac5415022d16d63d912a39a06f32f1f51140261
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57795: RDMA/rxe: Remove the direct link to net_device

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/rxe: Remove the direct link to net_device

	The similar patch in siw is in the link:
	https://git.kernel.org/rdma/rdma/c/16b87037b48889

	This problem also occurred in RXE. The following analyze this problem.
	In the following Call Traces:
	"
	BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
	Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295

	CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted
	6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0
	Hardware name: Google Compute Engine/Google Compute Engine,
	BIOS Google 09/13/2024
	Workqueue: infiniband ib_cache_event_task
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:94 [inline]
	dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
	print_address_description mm/kasan/report.c:377 [inline]
	print_report+0x169/0x550 mm/kasan/report.c:488
	kasan_report+0x143/0x180 mm/kasan/report.c:601
	dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
	rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60
	__ib_query_port drivers/infiniband/core/device.c:2111 [inline]
	ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143
	ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494
	ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568
	process_one_work kernel/workqueue.c:3229 [inline]
	process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
	worker_thread+0x870/0xd30 kernel/workqueue.c:3391
	kthread+0x2f2/0x390 kernel/kthread.c:389
	ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
	</TASK>
	"

	1). In the link [1],

	"
	infiniband syz2: set down
	"

	This means that on 839.350575, the event ib_cache_event_task was sent andi
	queued in ib_wq.

	2). In the link [1],

	"
	team0 (unregistering): Port device team_slave_0 removed
	"

	It indicates that before 843.251853, the net device should be freed.

	3). In the link [1],

	"
	BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0
	"

	This means that on 850.559070, this slab-use-after-free problem occurred.

	In all, on 839.350575, the event ib_cache_event_task was sent and queued
	in ib_wq,

	before 843.251853, the net device veth was freed.

	on 850.559070, this event was executed, and the mentioned freed net device
	was called. Thus, the above call trace occurred.

	[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000

	The Linux kernel CVE team has assigned CVE-2024-57795 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 6.12.9 with commit 9f6f54e6a6863131442b40e14d1792b090c7ce21
	Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 6.13 with commit 2ac5415022d16d63d912a39a06f32f1f51140261

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57795
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/sw/rxe/rxe.c
	drivers/infiniband/sw/rxe/rxe.h
	drivers/infiniband/sw/rxe/rxe_mcast.c
	drivers/infiniband/sw/rxe/rxe_net.c
	drivers/infiniband/sw/rxe/rxe_verbs.c
	drivers/infiniband/sw/rxe/rxe_verbs.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9f6f54e6a6863131442b40e14d1792b090c7ce21
	https://git.kernel.org/stable/c/2ac5415022d16d63d912a39a06f32f1f51140261