lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2024111939-CVE-2024-50279-d3f9@gregkh>
Date: Tue, 19 Nov 2024 02:32:34 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-50279: dm cache: fix out-of-bounds access to the dirty bitset when resizing

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

dm cache: fix out-of-bounds access to the dirty bitset when resizing

dm-cache checks the dirty bits of the cache blocks to be dropped when
shrinking the fast device, but an index bug in bitset iteration causes
out-of-bounds access.

Reproduce steps:

1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. shrink the fast device to 512 cache blocks, triggering out-of-bounds
   access to the dirty bitset (offset 0x80)

dmsetup suspend cache
dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup resume cdata
dmsetup resume cache

KASAN reports:

  BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0
  Read of size 8 at addr ffffc900000f3080 by task dmsetup/131

  (...snip...)
  The buggy address belongs to the virtual mapping at
   [ffffc900000f3000, ffffc900000f5000) created by:
   cache_ctr+0x176a/0x35f0

  (...snip...)
  Memory state around the buggy address:
   ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  >ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                     ^
   ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

Fix by making the index post-incremented.

The Linux kernel CVE team has assigned CVE-2024-50279 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 4.19.324 with commit 4fa4feb873ce
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 5.4.286 with commit 8501e38dc9e0
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 5.10.230 with commit ee1f74925717
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 5.15.172 with commit ff1dd8a04c30
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 6.1.117 with commit 56507203e1b6
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 6.6.61 with commit e57648ce325f
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 6.11.8 with commit 3b02c40ff10f
	Issue introduced in 3.13 with commit f494a9c6b1b6 and fixed in 6.12 with commit 792227719725

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50279
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/md/dm-cache-target.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/4fa4feb873cea0e9d6ff883b37cca6f33169d8b4
	https://git.kernel.org/stable/c/8501e38dc9e0060814c4085815fc83da3e6d43bf
	https://git.kernel.org/stable/c/ee1f74925717ab36f6a091104c170639501ce818
	https://git.kernel.org/stable/c/ff1dd8a04c30e8d4e2fd5c83198ca672eb6a9e7f
	https://git.kernel.org/stable/c/56507203e1b6127967ec2b51fb0b23a0d4af1334
	https://git.kernel.org/stable/c/e57648ce325fa405fe6bbd0e6a618ced7c301a2d
	https://git.kernel.org/stable/c/3b02c40ff10fdf83cc545850db208de855ebe22c
	https://git.kernel.org/stable/c/792227719725497ce10a8039803bec13f89f8910

Powered by blists - more mailing lists