cve/published/2024/CVE-2024-57948.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57948: mac802154: check local interfaces before deleting sdata list

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mac802154: check local interfaces before deleting sdata list

 syzkaller reported a corrupted list in ieee802154_if_remove. [1]

 Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4
 hardware device from the system.

 CPU0					CPU1
 ====					====
 genl_family_rcv_msg_doit		ieee802154_unregister_hw
 ieee802154_del_iface			ieee802154_remove_interfaces
 rdev_del_virtual_intf_deprecated	list_del(&sdata->list)
 ieee802154_if_remove
 list_del_rcu

 The net device has been unregistered, since the rcu grace period,
 unregistration must be run before ieee802154_if_remove.

 To avoid this issue, add a check for local->interfaces before deleting
 sdata list.

 [1]
 kernel BUG at lib/list_debug.c:58!
 Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
 CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
 RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
 Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
 RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
 RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
 RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
 R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
 R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
 FS:  0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  __list_del_entry_valid include/linux/list.h:124 [inline]
  __list_del_entry include/linux/list.h:215 [inline]
  list_del_rcu include/linux/rculist.h:157 [inline]
  ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
  rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
  ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
  genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
  genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
  netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
  netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x221/0x270 net/socket.c:744
  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
  ___sys_sendmsg net/socket.c:2661 [inline]
  __sys_sendmsg+0x292/0x380 net/socket.c:2690
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 The Linux kernel CVE team has assigned CVE-2024-57948 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.290 with commit 0d11dc30edfc4acef0acef130bb5ca596317190a
 	Fixed in 5.10.234 with commit 98ea165a2ac240345c48b57c0a3d08bbcad02929
 	Fixed in 5.15.177 with commit 80aee0bc0dbe253b6692d33e64455dc742fc52f1
 	Fixed in 6.1.127 with commit 41e4ca8acba39f1cecff2dfdf14ace4ee52c4272
 	Fixed in 6.6.74 with commit 2e41e98c4e79edae338f2662dbdf74ac2245d183
 	Fixed in 6.12.11 with commit b856d2c1384bc5a7456262afd21aa439ee5cdf6e
 	Fixed in 6.13 with commit eb09fbeb48709fe66c0d708aed81e910a577a30a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57948
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mac802154/iface.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0d11dc30edfc4acef0acef130bb5ca596317190a
 	https://git.kernel.org/stable/c/98ea165a2ac240345c48b57c0a3d08bbcad02929
 	https://git.kernel.org/stable/c/80aee0bc0dbe253b6692d33e64455dc742fc52f1
 	https://git.kernel.org/stable/c/41e4ca8acba39f1cecff2dfdf14ace4ee52c4272
 	https://git.kernel.org/stable/c/2e41e98c4e79edae338f2662dbdf74ac2245d183
 	https://git.kernel.org/stable/c/b856d2c1384bc5a7456262afd21aa439ee5cdf6e
 	https://git.kernel.org/stable/c/eb09fbeb48709fe66c0d708aed81e910a577a30a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57948: mac802154: check local interfaces before deleting sdata list

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mac802154: check local interfaces before deleting sdata list

	syzkaller reported a corrupted list in ieee802154_if_remove. [1]

	Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4
	hardware device from the system.

	CPU0 CPU1
	==== ====
	genl_family_rcv_msg_doit ieee802154_unregister_hw
	ieee802154_del_iface ieee802154_remove_interfaces
	rdev_del_virtual_intf_deprecated list_del(&sdata->list)
	ieee802154_if_remove
	list_del_rcu

	The net device has been unregistered, since the rcu grace period,
	unregistration must be run before ieee802154_if_remove.

	To avoid this issue, add a check for local->interfaces before deleting
	sdata list.

	[1]
	kernel BUG at lib/list_debug.c:58!
	Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
	CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
	RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56
	Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7
	RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246
	RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00
	RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
	RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d
	R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000
	R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0
	FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	<TASK>
	__list_del_entry_valid include/linux/list.h:124 [inline]
	__list_del_entry include/linux/list.h:215 [inline]
	list_del_rcu include/linux/rculist.h:157 [inline]
	ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687
	rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]
	ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323
	genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
	genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
	genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210
	netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551
	genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
	netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
	netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
	netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
	sock_sendmsg_nosec net/socket.c:729 [inline]
	__sock_sendmsg+0x221/0x270 net/socket.c:744
	____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607
	___sys_sendmsg net/socket.c:2661 [inline]
	__sys_sendmsg+0x292/0x380 net/socket.c:2690
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	The Linux kernel CVE team has assigned CVE-2024-57948 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.290 with commit 0d11dc30edfc4acef0acef130bb5ca596317190a
	Fixed in 5.10.234 with commit 98ea165a2ac240345c48b57c0a3d08bbcad02929
	Fixed in 5.15.177 with commit 80aee0bc0dbe253b6692d33e64455dc742fc52f1
	Fixed in 6.1.127 with commit 41e4ca8acba39f1cecff2dfdf14ace4ee52c4272
	Fixed in 6.6.74 with commit 2e41e98c4e79edae338f2662dbdf74ac2245d183
	Fixed in 6.12.11 with commit b856d2c1384bc5a7456262afd21aa439ee5cdf6e
	Fixed in 6.13 with commit eb09fbeb48709fe66c0d708aed81e910a577a30a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57948
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mac802154/iface.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0d11dc30edfc4acef0acef130bb5ca596317190a
	https://git.kernel.org/stable/c/98ea165a2ac240345c48b57c0a3d08bbcad02929
	https://git.kernel.org/stable/c/80aee0bc0dbe253b6692d33e64455dc742fc52f1
	https://git.kernel.org/stable/c/41e4ca8acba39f1cecff2dfdf14ace4ee52c4272
	https://git.kernel.org/stable/c/2e41e98c4e79edae338f2662dbdf74ac2245d183
	https://git.kernel.org/stable/c/b856d2c1384bc5a7456262afd21aa439ee5cdf6e
	https://git.kernel.org/stable/c/eb09fbeb48709fe66c0d708aed81e910a577a30a