Message-ID: <2025011532-CVE-2024-54031-f640@gregkh>
Date: Wed, 15 Jan 2025 14:10:35 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-54031: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Access to genmask field in struct nft_set_ext results in unaligned
atomic read:
[ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c
[ 72.131036] Mem abort info:
[ 72.131213] ESR = 0x0000000096000021
[ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits
[ 72.132209] SET = 0, FnV = 0
[ 72.133216] EA = 0, S1PTW = 0
[ 72.134080] FSC = 0x21: alignment fault
[ 72.135593] Data abort info:
[ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000
[ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000
[ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403, pte=0068000102bb7707
[ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP
[...]
[ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2
[ 72.170509] Tainted: [E]=UNSIGNED_MODULE
[ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023
[ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]
[ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]
[ 72.172546] sp : ffff800081f2bce0
[ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038
[ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78
[ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78
[ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000
[ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978
[ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0
[ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000
[ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000
[ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000
[ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004
[ 72.176207] Call trace:
[ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)
[ 72.176653] process_one_work+0x178/0x3d0
[ 72.176831] worker_thread+0x200/0x3f0
[ 72.176995] kthread+0xe8/0xf8
[ 72.177130] ret_from_fork+0x10/0x20
[ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)
[ 72.177557] ---[ end trace 0000000000000000 ]---
Align struct nft_set_ext to word size to address this and
document it.
pahole reports that this increases the size of elements for rhash and
pipapo by 8 bytes on x86_64.
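The layout problem behind this advisory, as an added example that is not the kernel's code: a constructed element whose extension header starts right after a 32-bit field, so its genmask byte lands on a 4-byte but not an 8-byte boundary, beside the same header carrying a word-size alignment request, which is the userspace spelling of the fix the commit message describes. The struct and field names other than genmask, the 7-entry offset table, and the exact form of the alignment attribute are assumptions; the guarded read stands in for the atomic bit operations that cast the genmask address to an unsigned long pointer, and it refuses a misaligned pointer instead of issuing the load that faults on arm64.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the extension header: a genmask byte followed by
 * a small offset table. The 7-entry table is an assumption chosen so the
 * header is exactly one machine word on 64-bit. Without an alignment
 * request the struct's alignment is 1, so it follows whatever precedes it. */
struct ext_before {
	uint8_t genmask;
	uint8_t offset[7];
};

/* The same header aligned to word size: the userspace spelling of the
 * "align to word size" change in the advisory (assumed form of the fix). */
struct ext_after {
	uint8_t genmask;
	uint8_t offset[7];
} __attribute__((aligned(sizeof(unsigned long))));

/* Constructed stand-in for a hash element: a 32-bit bookkeeping field sits
 * in front of the extension, so without the alignment request the header
 * starts at +4 and &ext.genmask is never 8-byte aligned. */
struct elem_before { uint32_t gc_seq; struct ext_before ext; };
struct elem_after  { uint32_t gc_seq; struct ext_after  ext; };

static bool word_aligned(const void *p)
{
	return ((uintptr_t)p % sizeof(unsigned long)) == 0;
}

/* Models the word-wide atomic read of genmask (the kernel's bit helpers cast
 * &ext->genmask to unsigned long *). An atomic through a misaligned pointer
 * is what raised the alignment fault in the oops above, so this version
 * checks first and reports failure instead of issuing the load. */
static bool load_genmask_word(const uint8_t *genmask, unsigned long *out)
{
	if (!word_aligned(genmask))
		return false;
	*out = __atomic_load_n((unsigned long *)(uintptr_t)genmask,
			       __ATOMIC_RELAXED);
	return true;
}

size_t before_ext_offset(void) { return offsetof(struct elem_before, ext); }
size_t after_ext_offset(void)  { return offsetof(struct elem_after, ext); }
size_t before_elem_size(void)  { return sizeof(struct elem_before); }
size_t after_elem_size(void)   { return sizeof(struct elem_after); }
size_t after_ext_align(void)   { return _Alignof(struct ext_after); }

/* Element placed on an 8-byte boundary: the genmask of the unaligned layout
 * lands at +4, so the guarded read refuses it. */
bool before_read_ok(void)
{
	static struct elem_before e __attribute__((aligned(8)));
	unsigned long w;

	e.ext.genmask = 0x01;
	return load_genmask_word(&e.ext.genmask, &w);
}

/* With the aligned header the genmask sits at +8 and the read succeeds;
 * on a little-endian machine the word's low byte is the genmask (0x01). */
bool after_read_ok(unsigned long *word)
{
	static struct elem_after e;

	e.ext.genmask = 0x01;
	return load_genmask_word(&e.ext.genmask, word);
}

int main(void)
{
	unsigned long w = 0;

	printf("before: ext at +%zu, element %zu bytes, genmask read %s\n",
	       before_ext_offset(), before_elem_size(),
	       before_read_ok() ? "ok" : "refused (unaligned)");
	printf("after:  ext at +%zu, element %zu bytes, genmask read %s, word=0x%lx\n",
	       after_ext_offset(), after_elem_size(),
	       after_read_ok(&w) ? "ok" : "refused (unaligned)", w);
	return 0;
}
```

The size growth this toy layout shows (4 bytes of padding in front of the header) is smaller than the 8 bytes pahole reports for the real rhash and pipapo elements, because the kernel structs carry more fields before the extension; the mechanism, padding inserted to honour the alignment request, is the same.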
The Linux kernel CVE team has assigned CVE-2024-54031 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.4.287 with commit 98d62cf0e26305dd6a1932a4054004290f4194bb and fixed in 5.4.289 with commit 352f8eaaabd008f09d1e176194edc261a7304084
Issue introduced in 5.10.231 with commit e21855091f11df80d41239dbc5f8545b772c657d and fixed in 5.10.233 with commit 6a14b46052eeb83175a95baf399283860b9d94c4
Issue introduced in 5.15.174 with commit 59a59da8de47848575eedc141a74aae57696706d and fixed in 5.15.176 with commit 277f00b0c2dca8794cf4837722960bdc4174911f
Issue introduced in 6.1.120 with commit 23a6919bb3ecf6787f060476ee6810ad55ebf9c8 and fixed in 6.1.124 with commit 607774a13764676d4b8be9c8b9c66b8cf3469043
Issue introduced in 6.6.66 with commit 86c27603514cb8ead29857365cdd145404ee9706 and fixed in 6.6.70 with commit 4f49349c1963e507aa37c1ec05178faeb0103959
Issue introduced in 6.12.5 with commit be4d0ac67d92e6a285cd3eeb672188d249c121b2 and fixed in 6.12.9 with commit d24cbc43cc7b41a0824b0bc6ec4d8436d8d7a9c0
Issue introduced in 6.13-rc2 with commit 7ffc7481153bbabf3332c6a19b289730c7e1edf5 and fixed in 6.13-rc6 with commit 542ed8145e6f9392e3d0a86a0e9027d2ffd183e4
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-54031
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
include/net/netfilter/nf_tables.h
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/352f8eaaabd008f09d1e176194edc261a7304084
https://git.kernel.org/stable/c/6a14b46052eeb83175a95baf399283860b9d94c4
https://git.kernel.org/stable/c/277f00b0c2dca8794cf4837722960bdc4174911f
https://git.kernel.org/stable/c/607774a13764676d4b8be9c8b9c66b8cf3469043
https://git.kernel.org/stable/c/4f49349c1963e507aa37c1ec05178faeb0103959
https://git.kernel.org/stable/c/d24cbc43cc7b41a0824b0bc6ec4d8436d8d7a9c0
https://git.kernel.org/stable/c/542ed8145e6f9392e3d0a86a0e9027d2ffd183e4