| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024062136-CVE-2024-36489-7213@gregkh>
Date: Fri, 21 Jun 2024 12:19:40 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-36489: tls: fix missing memory barrier in tls_init
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
tls: fix missing memory barrier in tls_init
In tls_init(), a write memory barrier is missing, and store-store
reordering may cause NULL dereference in tls_{setsockopt,getsockopt}.
CPU0 CPU1
----- -----
// In tls_init()
// In tls_ctx_create()
ctx = kzalloc()
ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)
// In update_sk_prot()
WRITE_ONCE(sk->sk_prot, tls_prots) -(2)
// In sock_common_setsockopt()
READ_ONCE(sk->sk_prot)->setsockopt()
// In tls_{setsockopt,getsockopt}()
ctx->sk_proto->setsockopt() -(3)
In the above scenario, when (1) and (2) are reordered, (3) can observe
the NULL value of ctx->sk_proto, causing NULL dereference.
To fix it, we rely on rcu_assign_pointer() which implies the release
barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is
initialized, we can ensure that ctx->sk_proto are visible when
changing sk->sk_prot.
The Linux kernel CVE team has assigned CVE-2024-36489 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.7 with commit d5bee7374b68 and fixed in 5.10.219 with commit d72e126e9a36
Issue introduced in 5.7 with commit d5bee7374b68 and fixed in 5.15.161 with commit 2c260a24cf1c
Issue introduced in 5.7 with commit d5bee7374b68 and fixed in 6.1.93 with commit 335c8f1566d8
Issue introduced in 5.7 with commit d5bee7374b68 and fixed in 6.6.33 with commit ab67c2fd3d07
Issue introduced in 5.7 with commit d5bee7374b68 and fixed in 6.9.4 with commit ef21007a7b58
Issue introduced in 5.7 with commit d5bee7374b68 and fixed in 6.10-rc1 with commit 91e61dd7a0af
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-36489
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/tls/tls_main.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/d72e126e9a36d3d33889829df8fc90100bb0e071
https://git.kernel.org/stable/c/2c260a24cf1c4d30ea3646124f766ee46169280b
https://git.kernel.org/stable/c/335c8f1566d8e44c384d16b450a18554896d4e8b
https://git.kernel.org/stable/c/ab67c2fd3d070a21914d0c31319d3858ab4e199c
https://git.kernel.org/stable/c/ef21007a7b581c7fe64d5a10c320880a033c837b
https://git.kernel.org/stable/c/91e61dd7a0af660408e87372d8330ceb218be302
Powered by blists - more mailing lists