Message-ID: <2024051952-CVE-2024-35902-a288@gregkh>
Date: Sun, 19 May 2024 10:35:16 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-35902: net/rds: fix possible cp null dereference
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net/rds: fix possible cp null dereference
cp might be null; calling cp->cp_conn would produce a null dereference.
[Simon Horman adds:]

Analysis:

* cp is a parameter of __rds_rdma_map and is not reassigned.

* The following call-sites pass a NULL cp argument to __rds_rdma_map()
  - rds_get_mr()
  - rds_get_mr_for_dest()

* Prior to the code above, the following assumes that cp may be NULL
  (which is indicative, but could itself be unnecessary)

	trans_private = rs->rs_transport->get_mr(
			sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,
			args->vec.addr, args->vec.bytes,
			need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);

* The code modified by this patch is guarded by IS_ERR(trans_private),
  where trans_private is assigned as per the previous point in this analysis.

  The only implementation of get_mr that I could locate is rds_ib_get_mr()
  which can return an ERR_PTR if the conn (4th) argument is NULL.

* ret is set to PTR_ERR(trans_private).

  rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.
  Thus ret may be -ENODEV in which case the code in question will execute.

Conclusion:

* cp may be NULL at the point where this patch adds a check;
  this patch does seem to address a possible bug
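The chain of reasoning in the analysis above (a NULL cp forces get_mr() to fail with -ENODEV, which in turn steers execution into the error path that touches cp->cp_conn) can be reproduced in a small user-space model. The following is an added example, not code from the advisory or from the kernel tree: ERR_PTR/PTR_ERR/IS_ERR are simplified re-implementations of the kernel helpers, and rds_connection, rds_conn_path, model_get_mr, model_rdma_map and model_rds_get_mr are hypothetical stand-ins for the net/rds types and functions. The model also assumes, for illustration only, that get_mr fails with -ENODEV when the connection is down, so that the recovery branch can be exercised with a non-NULL cp.

```c
/* Added example (not kernel code, not from the advisory): a user-space model of
 * the pattern behind CVE-2024-35902. All names below are hypothetical stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ERRNO 4095

/* Simplified versions of the kernel's ERR_PTR/PTR_ERR/IS_ERR helpers. */
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr)
{
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

struct rds_connection { int c_up; };
struct rds_conn_path { struct rds_connection *cp_conn; };

static int dummy_mr;

/* Transport get_mr as the analysis describes rds_ib_get_mr(): a NULL conn
 * argument yields ERR_PTR(-ENODEV). The "connection down" case is an added
 * assumption of this model so the recovery branch can be exercised. */
static void *model_get_mr(struct rds_connection *conn)
{
	if (!conn || !conn->c_up)
		return ERR_PTR(-ENODEV);
	return &dummy_mr;	/* any non-error pointer stands in for the MR */
}

/* Reproduces the analysis: with the get_mr() call written as
 * "cp ? cp->cp_conn : NULL", a NULL cp guarantees -ENODEV, so the IS_ERR
 * branch runs while cp is still NULL. Returns 1 when an unguarded
 * cp->cp_conn access in that branch would dereference NULL. */
static int error_path_reaches_null_cp(struct rds_conn_path *cp)
{
	void *trans_private = model_get_mr(cp ? cp->cp_conn : NULL);

	if (!IS_ERR(trans_private))
		return 0;
	if (PTR_ERR(trans_private) != -ENODEV)
		return 0;
	return cp == NULL;
}

/* Hardened shape of the mapping helper: the -ENODEV recovery only runs when a
 * connection path was actually supplied. Returns 0 or a negative errno. */
static int model_rdma_map(struct rds_conn_path *cp)
{
	void *trans_private = model_get_mr(cp ? cp->cp_conn : NULL);
	long ret = 0;

	if (IS_ERR(trans_private)) {
		ret = PTR_ERR(trans_private);
		/* cp may be NULL here (the rds_get_mr()-style callers pass
		 * NULL), so check it before touching cp->cp_conn. */
		if (cp && ret == -ENODEV)
			cp->cp_conn->c_up = 1;	/* model of "connect if down" */
	}
	return (int)ret;
}

/* The call sites named in the analysis pass a NULL cp. */
static int model_rds_get_mr(void) { return model_rdma_map(NULL); }

/* Non-NULL cp with a down connection: -ENODEV is still reported, but the
 * recovery runs and brings the connection up instead of crashing. */
static int demo_down_path_recovers(void)
{
	struct rds_connection conn = { .c_up = 0 };
	struct rds_conn_path cp = { .cp_conn = &conn };
	int ret = model_rdma_map(&cp);

	return ret == -ENODEV && conn.c_up == 1;
}

/* Non-NULL cp with an up connection: mapped without entering the error path. */
static int demo_up_path_maps(void)
{
	struct rds_connection conn = { .c_up = 1 };
	struct rds_conn_path cp = { .cp_conn = &conn };

	return model_rdma_map(&cp);
}

int main(void)
{
	printf("NULL cp reaches unguarded deref: %d\n", error_path_reaches_null_cp(NULL));
	printf("rds_get_mr()-style call returns: %d\n", model_rds_get_mr());
	printf("down path recovers: %d\n", demo_down_path_recovers());
	printf("up path maps: %d\n", demo_up_path_maps());
	return 0;
}
```

The point the model makes is the one in the conclusion: an optional pointer that is deliberately tolerated at the call (`cp ? cp->cp_conn : NULL`) must be tolerated again on every error path that the call can reach, because the NULL case is exactly the one that produces the error.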
The Linux kernel CVE team has assigned CVE-2024-35902 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.19.310 with commit 786854141057 and fixed in 4.19.312 with commit d275de8ea7be
Issue introduced in 5.4.272 with commit 997efea2bf3a and fixed in 5.4.274 with commit bcd46782e2ec
Issue introduced in 5.10.213 with commit 9dfc15a10dfd and fixed in 5.10.215 with commit cfb786b03b03
Issue introduced in 5.15.152 with commit b562ebe21ed9 and fixed in 5.15.154 with commit d49fac38479b
Issue introduced in 6.1.82 with commit 998fd719e6d6 and fixed in 6.1.85 with commit cbaac2e5488e
Issue introduced in 6.6.22 with commit 2b505d052807 and fixed in 6.6.26 with commit 92309bed3c5f
Issue introduced in 6.8 with commit c055fc00c07b and fixed in 6.8.5 with commit 6794090c7420
Issue introduced in 6.8 with commit c055fc00c07b and fixed in 6.9 with commit 62fc3357e079
Issue introduced in 6.7.10 with commit 907761307469
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-35902
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/rds/rdma.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c
https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9
https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14
https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029
https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196
https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d
https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a
https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b