[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2024102136-CVE-2024-49982-c6b7@gregkh>
Date: Mon, 21 Oct 2024 20:03:10 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-49982: aoe: fix the potential use-after-free problem in more places
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
aoe: fix the potential use-after-free problem in more places
For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential
use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put()
instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs
into use-after-free.
Then Nicolai Stange found more places in aoe have potential use-after-free
problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe()
and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push
packet to tx queue. So they should also use dev_hold() to increase the
refcnt of skb->dev.
On the other hand, moving dev_put() to tx() causes that the refcnt of
skb->dev be reduced to a negative value, because corresponding
dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(),
probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.
The Linux kernel CVE team has assigned CVE-2024-49982 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.10.214 with commit faf0b4c5e00b and fixed in 5.10.227 with commit f63461af2c1a
Issue introduced in 5.15.153 with commit 7dd09fa80b07 and fixed in 5.15.168 with commit 07b418d50ccb
Issue introduced in 6.1.83 with commit 74ca3ef68d2f and fixed in 6.1.113 with commit bc2cbf7525ac
Issue introduced in 6.6.23 with commit eb48680b0255 and fixed in 6.6.55 with commit acc5103a0a8c
Issue introduced in 6.9 with commit f98364e92662 and fixed in 6.10.14 with commit 89d9a69ae0c6
Issue introduced in 6.9 with commit f98364e92662 and fixed in 6.11.3 with commit 8253a60c89ec
Issue introduced in 6.9 with commit f98364e92662 and fixed in 6.12-rc2 with commit 6d6e54fc71ad
Issue introduced in 4.19.311 with commit ad80c34944d7
Issue introduced in 5.4.273 with commit 1a54aa506b3b
Issue introduced in 6.7.11 with commit 079cba4f4e30
Issue introduced in 6.8.2 with commit a16fbb800646
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-49982
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/block/aoe/aoecmd.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/f63461af2c1a86af4217910e47a5c46e3372e645
https://git.kernel.org/stable/c/07b418d50ccbbca7e5d87a3a0d41d436cefebf79
https://git.kernel.org/stable/c/bc2cbf7525ac288e07d465f5a1d8cb8fb9599254
https://git.kernel.org/stable/c/acc5103a0a8c200a52af7d732c36a8477436a3d3
https://git.kernel.org/stable/c/89d9a69ae0c667e4d9d028028e2dcc837bae626f
https://git.kernel.org/stable/c/8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58
https://git.kernel.org/stable/c/6d6e54fc71ad1ab0a87047fd9c211e75d86084a3
Powered by blists - more mailing lists