| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-57885: mm/kmemleak: fix sleeping function called from invalid context at print message |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| mm/kmemleak: fix sleeping function called from invalid context at print message |
| |
| Address a bug in the kernel that triggers a "sleeping function called from |
| invalid context" warning when /sys/kernel/debug/kmemleak is printed under |
| specific conditions: |
| - CONFIG_PREEMPT_RT=y |
| - Set SELinux as the LSM for the system |
| - Set kptr_restrict to 1 |
| - kmemleak buffer contains at least one item |
| |
| BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 |
| in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat |
| preempt_count: 1, expected: 0 |
| RCU nest depth: 2, expected: 2 |
| 6 locks held by cat/136: |
| #0: ffff32e64bcbf950 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xb8/0xe30 |
| #1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, at: kmemleak_seq_start+0x34/0x128 |
| #3: ffff32e6546b1cd0 (&object->lock){....}-{2:2}, at: kmemleak_seq_show+0x3c/0x1e0 |
| #4: ffffafe6aa8d8560 (rcu_read_lock){....}-{1:2}, at: has_ns_capability_noaudit+0x8/0x1b0 |
| #5: ffffafe6aabbc0f8 (notif_lock){+.+.}-{2:2}, at: avc_compute_av+0xc4/0x3d0 |
| irq event stamp: 136660 |
| hardirqs last enabled at (136659): [<ffffafe6a80fd7a0>] _raw_spin_unlock_irqrestore+0xa8/0xd8 |
| hardirqs last disabled at (136660): [<ffffafe6a80fd85c>] _raw_spin_lock_irqsave+0x8c/0xb0 |
| softirqs last enabled at (0): [<ffffafe6a5d50b28>] copy_process+0x11d8/0x3df8 |
| softirqs last disabled at (0): [<0000000000000000>] 0x0 |
| Preemption disabled at: |
| [<ffffafe6a6598a4c>] kmemleak_seq_show+0x3c/0x1e0 |
| CPU: 1 UID: 0 PID: 136 Comm: cat Tainted: G E 6.11.0-rt7+ #34 |
| Tainted: [E]=UNSIGNED_MODULE |
| Hardware name: linux,dummy-virt (DT) |
| Call trace: |
| dump_backtrace+0xa0/0x128 |
| show_stack+0x1c/0x30 |
| dump_stack_lvl+0xe8/0x198 |
| dump_stack+0x18/0x20 |
| rt_spin_lock+0x8c/0x1a8 |
| avc_perm_nonode+0xa0/0x150 |
| cred_has_capability.isra.0+0x118/0x218 |
| selinux_capable+0x50/0x80 |
| security_capable+0x7c/0xd0 |
| has_ns_capability_noaudit+0x94/0x1b0 |
| has_capability_noaudit+0x20/0x30 |
| restricted_pointer+0x21c/0x4b0 |
| pointer+0x298/0x760 |
| vsnprintf+0x330/0xf70 |
| seq_printf+0x178/0x218 |
| print_unreferenced+0x1a4/0x2d0 |
| kmemleak_seq_show+0xd0/0x1e0 |
| seq_read_iter+0x354/0xe30 |
| seq_read+0x250/0x378 |
| full_proxy_read+0xd8/0x148 |
| vfs_read+0x190/0x918 |
| ksys_read+0xf0/0x1e0 |
| __arm64_sys_read+0x70/0xa8 |
| invoke_syscall.constprop.0+0xd4/0x1d8 |
| el0_svc+0x50/0x158 |
| el0t_64_sync+0x17c/0x180 |
| |
| %pS and %pK, in the same back trace line, are redundant, and %pS can void |
| %pK service in certain contexts. |
| |
| %pS alone already provides the necessary information, and if it cannot |
| resolve the symbol, it falls back to printing the raw address voiding |
| the original intent behind the %pK. |
| |
| Additionally, %pK requires a privilege check CAP_SYSLOG enforced through |
| the LSM, which can trigger a "sleeping function called from invalid |
| context" warning under RT_PREEMPT kernels when the check occurs in an |
| atomic context. This issue may also affect other LSMs. |
| |
| This change avoids the unnecessary privilege check and resolves the |
| sleeping function warning without any loss of information. |
| |
| The Linux kernel CVE team has assigned CVE-2024-57885 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.2 with commit 3a6f33d86baa8103c80f62edd9393e9f7bf25d72 and fixed in 6.6.70 with commit 86d946f3f9992aaa12abcfd09f925446c2cd42a2 |
| Issue introduced in 6.2 with commit 3a6f33d86baa8103c80f62edd9393e9f7bf25d72 and fixed in 6.12.9 with commit 64b2d32f22597b2a1dc83ac600b2426588851a97 |
| Issue introduced in 6.2 with commit 3a6f33d86baa8103c80f62edd9393e9f7bf25d72 and fixed in 6.13 with commit cddc76b165161a02ff14c4d84d0f5266d9d32b9e |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-57885 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| mm/kmemleak.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/86d946f3f9992aaa12abcfd09f925446c2cd42a2 |
| https://git.kernel.org/stable/c/64b2d32f22597b2a1dc83ac600b2426588851a97 |
| https://git.kernel.org/stable/c/cddc76b165161a02ff14c4d84d0f5266d9d32b9e |
