lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2024102136-CVE-2024-49982-c6b7@gregkh>
Date: Mon, 21 Oct 2024 20:03:10 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-49982: aoe: fix the potential use-after-free problem in more places

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

aoe: fix the potential use-after-free problem in more places

For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential
use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put()
instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs
into use-after-free.

Then Nicolai Stange found more places in aoe have potential use-after-free
problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe()
and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push
packet to tx queue. So they should also use dev_hold() to increase the
refcnt of skb->dev.

On the other hand, moving dev_put() to tx() causes that the refcnt of
skb->dev be reduced to a negative value, because corresponding
dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(),
probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.

The Linux kernel CVE team has assigned CVE-2024-49982 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.10.214 with commit faf0b4c5e00b and fixed in 5.10.227 with commit f63461af2c1a
	Issue introduced in 5.15.153 with commit 7dd09fa80b07 and fixed in 5.15.168 with commit 07b418d50ccb
	Issue introduced in 6.1.83 with commit 74ca3ef68d2f and fixed in 6.1.113 with commit bc2cbf7525ac
	Issue introduced in 6.6.23 with commit eb48680b0255 and fixed in 6.6.55 with commit acc5103a0a8c
	Issue introduced in 6.9 with commit f98364e92662 and fixed in 6.10.14 with commit 89d9a69ae0c6
	Issue introduced in 6.9 with commit f98364e92662 and fixed in 6.11.3 with commit 8253a60c89ec
	Issue introduced in 6.9 with commit f98364e92662 and fixed in 6.12-rc2 with commit 6d6e54fc71ad
	Issue introduced in 4.19.311 with commit ad80c34944d7
	Issue introduced in 5.4.273 with commit 1a54aa506b3b
	Issue introduced in 6.7.11 with commit 079cba4f4e30
	Issue introduced in 6.8.2 with commit a16fbb800646

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49982
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/block/aoe/aoecmd.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/f63461af2c1a86af4217910e47a5c46e3372e645
	https://git.kernel.org/stable/c/07b418d50ccbbca7e5d87a3a0d41d436cefebf79
	https://git.kernel.org/stable/c/bc2cbf7525ac288e07d465f5a1d8cb8fb9599254
	https://git.kernel.org/stable/c/acc5103a0a8c200a52af7d732c36a8477436a3d3
	https://git.kernel.org/stable/c/89d9a69ae0c667e4d9d028028e2dcc837bae626f
	https://git.kernel.org/stable/c/8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58
	https://git.kernel.org/stable/c/6d6e54fc71ad1ab0a87047fd9c211e75d86084a3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ