Message-ID: <2024051737-CVE-2024-35797-06f6@gregkh>
Date: Fri, 17 May 2024 15:23:37 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-35797: mm: cachestat: fix two shmem bugs
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
mm: cachestat: fix two shmem bugs
When cachestat on shmem races with swapping and invalidation, there
are two possible bugs:
1) A swapin error can have resulted in a poisoned swap entry in the
shmem inode's xarray. Calling get_shadow_from_swap_cache() on it
will result in an out-of-bounds access to swapper_spaces[].
Validate the entry with non_swap_entry() before going further.
2) When we find a valid swap entry in the shmem's inode, the shadow
entry in the swapcache might not exist yet: swap IO is still in
progress and we're before __remove_mapping; swapin, invalidation,
or swapoff have removed the shadow from swapcache after we saw the
shmem swap entry.
This will send a NULL to workingset_test_recent(). The latter
purely operates on pointer bits, so it won't crash - node 0, memcg
ID 0, eviction timestamp 0, etc. are all valid inputs - but it's a
bogus test. In theory that could result in a false "recently
evicted" count.
Such a false positive wouldn't be the end of the world. But for
code clarity and (future) robustness, be explicit about this case.
Bail on get_shadow_from_swap_cache() returning NULL.
The Linux kernel CVE team has assigned CVE-2024-35797 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.5 with commit cf264e1329fb and fixed in 6.6.24 with commit b79f9e1ff27c
Issue introduced in 6.5 with commit cf264e1329fb and fixed in 6.7.12 with commit d962f6c58345
Issue introduced in 6.5 with commit cf264e1329fb and fixed in 6.8.3 with commit 24a0e73d5444
Issue introduced in 6.5 with commit cf264e1329fb and fixed in 6.9 with commit d5d39c707a4c
Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-35797
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
mm/filemap.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/b79f9e1ff27c994a4c452235ba09e672ec698e23
https://git.kernel.org/stable/c/d962f6c583458037dc7e529659b2b02b9dd3d94b
https://git.kernel.org/stable/c/24a0e73d544439bb9329fbbafac44299e548a677
https://git.kernel.org/stable/c/d5d39c707a4cf0bcc84680178677b97aa2cb2627