lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2024051737-CVE-2024-35797-06f6@gregkh>
Date: Fri, 17 May 2024 15:23:37 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-35797: mm: cachestat: fix two shmem bugs

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

mm: cachestat: fix two shmem bugs

When cachestat on shmem races with swapping and invalidation, there
are two possible bugs:

1) A swapin error can have resulted in a poisoned swap entry in the
   shmem inode's xarray. Calling get_shadow_from_swap_cache() on it
   will result in an out-of-bounds access to swapper_spaces[].

   Validate the entry with non_swap_entry() before going further.

2) When we find a valid swap entry in the shmem's inode, the shadow
   entry in the swapcache might not exist yet: swap IO is still in
   progress and we're before __remove_mapping; swapin, invalidation,
   or swapoff have removed the shadow from swapcache after we saw the
   shmem swap entry.

   This will send a NULL to workingset_test_recent(). The latter
   purely operates on pointer bits, so it won't crash - node 0, memcg
   ID 0, eviction timestamp 0, etc. are all valid inputs - but it's a
   bogus test. In theory that could result in a false "recently
   evicted" count.

   Such a false positive wouldn't be the end of the world. But for
   code clarity and (future) robustness, be explicit about this case.

   Bail on get_shadow_from_swap_cache() returning NULL.

The Linux kernel CVE team has assigned CVE-2024-35797 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.5 with commit cf264e1329fb and fixed in 6.6.24 with commit b79f9e1ff27c
	Issue introduced in 6.5 with commit cf264e1329fb and fixed in 6.7.12 with commit d962f6c58345
	Issue introduced in 6.5 with commit cf264e1329fb and fixed in 6.8.3 with commit 24a0e73d5444
	Issue introduced in 6.5 with commit cf264e1329fb and fixed in 6.9 with commit d5d39c707a4c

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35797
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	mm/filemap.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/b79f9e1ff27c994a4c452235ba09e672ec698e23
	https://git.kernel.org/stable/c/d962f6c583458037dc7e529659b2b02b9dd3d94b
	https://git.kernel.org/stable/c/24a0e73d544439bb9329fbbafac44299e548a677
	https://git.kernel.org/stable/c/d5d39c707a4cf0bcc84680178677b97aa2cb2627

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ