CVE-2024-56368

In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Fix overflow in _rbmap_vma

An overflow occurred when performing the following calculation:

nrpages = ((nrsubbufs + 1) << subbuf_order) - pgoff;

Add a check before the calculation to avoid this problem.

syzbot reported this as a slab-out-of-bounds in _rbmap_vma:

BUG: KASAN: slab-out-of-bounds in _rbmapvma+0x9ab/0xae0 kernel/trace/ringbuffer.c:7058 Read of size 8 at addr ffff8880767dd2b8 by task syz-executor187/5836

CPU: 0 UID: 0 PID: 5836 Comm: syz-executor187 Not tainted 6.13.0-rc2-syzkaller-00159-gf932fb9b4074 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x116/0x1f0 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xc3/0x620 mm/kasan/report.c:489 kasanreport+0xd9/0x110 mm/kasan/report.c:602 _rbmapvma+0x9ab/0xae0 kernel/trace/ringbuffer.c:7058 ringbuffermap+0x56e/0x9b0 kernel/trace/ringbuffer.c:7138 tracingbuffersmmap+0xa6/0x120 kernel/trace/trace.c:8482 callmmap include/linux/fs.h:2183 [inline] mmapfile mm/internal.h:124 [inline] _mmapnewfilevma mm/vma.c:2291 [inline] _mmapnewvma mm/vma.c:2355 [inline] _mmapregion+0x1786/0x2670 mm/vma.c:2456 mmapregion+0x127/0x320 mm/mmap.c:1348 dommap+0xc00/0xfc0 mm/mmap.c:496 vmmmappgoff+0x1ba/0x360 mm/util.c:580 ksysmmappgoff+0x32c/0x5c0 mm/mmap.c:542 _dosysmmap arch/x86/kernel/sysx8664.c:89 [inline] _sesysmmap arch/x86/kernel/sysx8664.c:82 [inline] _x64sysmmap+0x125/0x190 arch/x86/kernel/sysx8664.c:82 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xcd/0x250 arch/x86/entry/common.c:83 entrySYSCALL64after_hwframe+0x77/0x7f

The reproducer for this bug is:

------------------------8<------------------------- #include <fcntl.h> #include <stdlib.h> #include <unistd.h> #include <asm/types.h> #include <sys/mman.h>

int main(int argc, char **argv) { int page_size = getpagesize(); int fd; void *meta;

system("echo 1 > /sys/kernel/tracing/buffer_size_kb");
fd = open("/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw", O_RDONLY);

meta = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, page_size * 5);

} ------------------------>8-------------------------