Message-ID: <2024061956-CVE-2024-38598-8629@gregkh>
Date: Wed, 19 Jun 2024 15:46:04 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-38598: md: fix resync softlockup when bitmap size is less than array size

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

md: fix resync softlockup when bitmap size is less than array size

It is reported that for dm-raid10, lvextend + lvchange --syncaction will
trigger the following softlockup:

kernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]
CPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1
RIP: 0010:_raw_spin_unlock_irq+0x13/0x30
Call Trace:
 <TASK>
 md_bitmap_start_sync+0x6b/0xf0
 raid10_sync_request+0x25c/0x1b40 [raid10]
 md_do_sync+0x64b/0x1020
 md_thread+0xa7/0x170
 kthread+0xcf/0x100
 ret_from_fork+0x30/0x50
 ret_from_fork_asm+0x1a/0x30

And the detailed process is as follows:

md_do_sync
 j = mddev->resync_min
 while (j < max_sectors)
  sectors = raid10_sync_request(mddev, j, &skipped)
   if (!md_bitmap_start_sync(..., &sync_blocks))
    // md_bitmap_start_sync set sync_blocks to 0
    return sync_blocks + sectors_skipped;
  // sectors = 0;
  j += sectors;
  // j never changes

Root cause is that commit 301867b1c168 ("md/raid10: check
slab-out-of-bounds in md_bitmap_get_counter") returns early from
md_bitmap_get_counter(), without setting the returned blocks.

Fix this problem by always setting the returned blocks from
md_bitmap_get_counter(), as it used to be.

Note that this patch just fixes the softlockup problem in the kernel; the
case where the bitmap size doesn't match the array size still needs to be fixed.

The Linux kernel CVE team has assigned CVE-2024-38598 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.19.291 with commit 374fb914304d and fixed in 4.19.316 with commit d4b9c764d48f
	Issue introduced in 5.4.251 with commit b0b971fe7d61 and fixed in 5.4.278 with commit 43771597feba
	Issue introduced in 5.10.188 with commit 39fa14e824ac and fixed in 5.10.219 with commit 3f5b73ef8fd6
	Issue introduced in 5.15.121 with commit a134dd582c0d and fixed in 5.15.161 with commit 69296914bfd5
	Issue introduced in 6.1.39 with commit be1a3ec63a84 and fixed in 6.1.93 with commit 71e8e4f288e7
	Issue introduced in 6.5 with commit 301867b1c168 and fixed in 6.6.33 with commit c9566b812c8f
	Issue introduced in 6.5 with commit 301867b1c168 and fixed in 6.8.12 with commit 5817f43ae1a1
	Issue introduced in 6.5 with commit 301867b1c168 and fixed in 6.9.3 with commit 8bbc71315e0a
	Issue introduced in 6.5 with commit 301867b1c168 and fixed in 6.10-rc1 with commit f0e729af2eb6
	Issue introduced in 6.3.13 with commit 152bb26796ff
	Issue introduced in 6.4.4 with commit bea301c04611

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38598
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/md/md-bitmap.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/d4b9c764d48fa41caa24cfb4275f3aa9fb4bd798
	https://git.kernel.org/stable/c/43771597feba89a839c5f893716df88ae5c237ce
	https://git.kernel.org/stable/c/3f5b73ef8fd6268cbc968b308d8eafe56fda97f3
	https://git.kernel.org/stable/c/69296914bfd508c85935bf5f711cad9b0fe78492
	https://git.kernel.org/stable/c/71e8e4f288e74a896b6d9cd194f3bab12bd7a10f
	https://git.kernel.org/stable/c/c9566b812c8f66160466cc1e29df6d3646add0b1
	https://git.kernel.org/stable/c/5817f43ae1a118855676f57ef7ab50e37eac7482
	https://git.kernel.org/stable/c/8bbc71315e0ae4bb7e37f8d43b915e1cb01a481b
	https://git.kernel.org/stable/c/f0e729af2eb6bee9eb58c4df1087f14ebaefe26b
