| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024091856-CVE-2024-46798-ce16@gregkh> Date: Wed, 18 Sep 2024 09:17:33 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-46798: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object Description =========== In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it. The Linux kernel CVE team has assigned CVE-2024-46798 to this issue. Affected and fixed versions =========================== Issue introduced in 5.4 with commit a72706ed8208 and fixed in 5.4.284 with commit 993b60c7f93f Issue introduced in 5.4 with commit a72706ed8208 and fixed in 5.10.226 with commit 8ca21e7a27c6 Issue introduced in 5.4 with commit a72706ed8208 and fixed in 5.15.167 with commit 3033ed903b4f Issue introduced in 5.4 with commit a72706ed8208 and fixed in 6.1.110 with commit fe5046ca91d6 Issue introduced in 5.4 with commit a72706ed8208 and fixed in 6.6.51 with commit 5d13afd021eb Issue introduced in 5.4 with commit a72706ed8208 and fixed in 6.10.10 with commit 6a14fad8be17 Issue introduced in 5.4 with commit a72706ed8208 and fixed in 6.11 with commit b4a90b543d9f Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-46798 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: sound/soc/soc-dapm.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/993b60c7f93fa1d8ff296b58f646a867e945ae89 https://git.kernel.org/stable/c/8ca21e7a27c66b95a4b215edc8e45e5d66679f9f https://git.kernel.org/stable/c/3033ed903b4f28b5e1ab66042084fbc2c48f8624 https://git.kernel.org/stable/c/fe5046ca91d631ec432eee3bdb1f1c49b09c8b5e https://git.kernel.org/stable/c/5d13afd021eb43868fe03cef6da34ad08831ad6d https://git.kernel.org/stable/c/6a14fad8be178df6c4589667efec1789a3307b4e https://git.kernel.org/stable/c/b4a90b543d9f62d3ac34ec1ab97fc5334b048565
Powered by blists - more mailing lists