lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2024111937-CVE-2024-50278-d6c9@gregkh>
Date: Tue, 19 Nov 2024 02:32:33 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-50278: dm cache: fix potential out-of-bounds access on the first resume

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

dm cache: fix potential out-of-bounds access on the first resume

Out-of-bounds access occurs if the fast device is expanded unexpectedly
before the first-time resume of the cache table. This happens because
expanding the fast device requires reloading the cache table for
cache_create to allocate new in-core data structures that fit the new
size, and the check in cache_preresume is not performed during the
first resume, leading to the issue.

Reproduce steps:

1. prepare component devices:

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct

2. load a cache table of 512 cache blocks, and deliberately expand the
   fast device before resuming the cache, making the in-core data
   structures inadequate.

dmsetup create cache --notable
dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup resume cdata
dmsetup resume cache

3. suspend the cache to write out the in-core dirty bitset and hint
   array, leading to out-of-bounds access to the dirty bitset at offset
   0x40:

dmsetup suspend cache

KASAN reports:

  BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80
  Read of size 8 at addr ffffc90000085040 by task dmsetup/90

  (...snip...)
  The buggy address belongs to the virtual mapping at
   [ffffc90000085000, ffffc90000087000) created by:
   cache_ctr+0x176a/0x35f0

  (...snip...)
  Memory state around the buggy address:
   ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
                                             ^
   ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

Fix by checking the size change on the first resume.

The Linux kernel CVE team has assigned CVE-2024-50278 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 4.19.324 with commit e492f71854ce
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 5.4.286 with commit 2222b0929d00
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 5.10.230 with commit 483b7261b35a
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 5.15.172 with commit fdef3b94dfeb
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 6.1.117 with commit c52ec00cb2f9
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 6.6.61 with commit 036dd6e3d263
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 6.11.8 with commit 13ed3624c6ef
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 6.12 with commit c0ade5d98979

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50278
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/md/dm-cache-target.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/e492f71854ce03474d49e87fd98b8df1f7cd1d2d
	https://git.kernel.org/stable/c/2222b0929d00e2d13732b799b63be391b5de4492
	https://git.kernel.org/stable/c/483b7261b35a9d369082ab298a6670912243f0be
	https://git.kernel.org/stable/c/fdef3b94dfebd57e3077a578b6e309a2bb6fa688
	https://git.kernel.org/stable/c/c52ec00cb2f9bebfada22edcc0db385b910a1cdb
	https://git.kernel.org/stable/c/036dd6e3d2638103e0092864577ea1d091466b86
	https://git.kernel.org/stable/c/13ed3624c6ef283acefa4cc42cc8ae54fd4391a4
	https://git.kernel.org/stable/c/c0ade5d98979585d4f5a93e4514c2e9a65afa08d

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ