OESA-2024-1862

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

KVM: PPC: Fix kvmarchvcpuioctl vcpuload leak

vcpu_put is not called if the user copy fails. This can result in preempt notifier corruption and crashes, among other issues.(CVE-2021-47296)

In the Linux kernel, the following vulnerability has been resolved:

net: qcom/emac: fix UAF in emac_remove

adpt is netdev private data and it cannot be used after freenetdev() call. Using adpt after freenetdev() can cause UAF bug. Fix it by moving free_netdev() at the end of the function.(CVE-2021-47311)

In the Linux kernel, the following vulnerability has been resolved:

RDMA/cma: Ensure rdmaaddrcancel() happens before issuing more requests

The FSM can run in a circle allowing rdmaresolveip() to be called twice on the same id_priv. While this cannot happen without going through the work, it violates the invariant that the same address resolution background request cannot be active twice.

   CPU 1                                  CPU 2

rdmaresolveaddr(): RDMACMIDLE -> RDMACMADDRQUERY rdmaresolveip(addrhandler) #1

         process_one_req(): for #1
                      addr_handler():
                        RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND
                        mutex_unlock(&id_priv->handler_mutex);
                        [.. handler still running ..]

rdmaresolveaddr(): RDMACMADDRBOUND -> RDMACMADDRQUERY rdmaresolveip(addrhandler) !! two requests are now on the reqlist

rdmadestroyid(): destroyidhandlerunlock(): _destroyid(): cmacanceloperation(): rdmaaddrcancel()

                      // process_one_req() self removes it
              spin_lock_bh(&lock);
                       cancel_delayed_work(&req->work);
                   if (!list_empty(&req->list)) == true

  ! rdma_addr_cancel() returns after process_on_req #1 is done

kfree(id_priv)

         process_one_req(): for #2
                      addr_handler():
                    mutex_lock(&id_priv->handler_mutex);
                        !! Use after free on id_priv

rdmaaddrcancel() expects there to be one req on the list and only cancels the first one. The self-removal behavior of the work only happens after the handler has returned. This yields a situations where the reqlist can have two reqs for the same "handle" but rdmaaddr_cancel() only cancels the first one.

The second req remains active beyond rdmadestroyid() and will use-after-free id_priv once it inevitably triggers.

Fix this by remembering if the idpriv has called rdmaresolveip() and always cancel before calling it again. This ensures the reqlist never gets more than one item in it and doesn't cost anything in the normal flow that never uses this strange error path.(CVE-2021-47391)

In the Linux kernel, the following vulnerability has been resolved:

schcake: do not call cakedestroy() from cake_init()

qdiscs are not supposed to call their own destroy() method from init(), because core stack already does that.

syzbot was able to trigger use after free:

DEBUGLOCKSWARNON(lock->magic != lock) WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 mutexlockcommon kernel/locking/mutex.c:586 [inline] WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 _mutexlock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Modules linked in: CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:mutexlockcommon kernel/locking/mutex.c:586 [inline] RIP: 0010:mutexlock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8 RSP: 0018:ffffc9000627f290 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44 RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000 FS: 0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0 Call Trace: <TASK> tcfchain0headchangecbdel+0x2e/0x3d0 net/sched/clsapi.c:810 tcfblockputext net/sched/clsapi.c:1381 [inline] tcfblockputext net/sched/clsapi.c:1376 [inline] tcfblockput+0xbc/0x130 net/sched/clsapi.c:1394 cakedestroy+0x3f/0x80 net/sched/schcake.c:2695 qdisccreate.constprop.0+0x9da/0x10f0 net/sched/schapi.c:1293 tcmodifyqdisc+0x4c5/0x1980 net/sched/schapi.c:1660 rtnetlinkrcvmsg+0x413/0xb80 net/core/rtnetlink.c:5571 netlinkrcvskb+0x153/0x420 net/netlink/afnetlink.c:2496 netlinkunicastkernel net/netlink/afnetlink.c:1319 [inline] netlinkunicast+0x533/0x7d0 net/netlink/afnetlink.c:1345 netlinksendmsg+0x904/0xdf0 net/netlink/afnetlink.c:1921 socksendmsgnosec net/socket.c:704 [inline] socksendmsg+0xcf/0x120 net/socket.c:724 _syssendmsg+0x6e8/0x810 net/socket.c:2409 _syssendmsg+0xf3/0x170 net/socket.c:2463 _syssendmsg+0xe5/0x1b0 net/socket.c:2492 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x35/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7f1bb06badb9 Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f. RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9 RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003 R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688 R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2 </TASK>(CVE-2021-47598)

In the Linux kernel, the following vulnerability has been resolved:

drm/nouveau: fix off by one in BIOS boundary checking

Bounds checking when parsing init scripts embedded in the BIOS reject access to the last byte. This causes driver initialization to fail on Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working console.

This is probably only seen on OpenFirmware machines like PowerPC Macs because the BIOS image provided by OF is only the used parts of the ROM, not a power-of-two blocks read from PCI directly so PCs always have empty bytes at the end that are never accessed.(CVE-2022-48732)

In the Linux kernel, the following vulnerability has been resolved:

net: fix information leakage in /proc/net/ptype

In one net namespace, after creating a packet socket without binding it to a device, users in other net namespaces can observe the new packet_type added by this packet socket by reading /proc/net/ptype file. This is minor information leakage as packet socket is namespace aware.

Add a net pointer in packet_type to keep the net namespace of of corresponding packet socket. In ptype_seq_show, this net pointer must be checked when it is not NULL.(CVE-2022-48757)

In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix hang in usbkillurb by adding memory barriers

The syzbot fuzzer has identified a bug in which processes hang waiting for usbkillurb() to return. It turns out the issue is not unlinking the URB; that works just fine. Rather, the problem arises when the wakeup notification that the URB has completed is not received.

The reason is memory-access ordering on SMP systems. In outline form, usbkillurb() and _usbhcdgivebackurb() operating concurrently on different CPUs perform the following actions:

CPU 0 CPU 1 ---------------------------- --------------------------------- usbkillurb(): _usbhcdgivebackurb(): ... ... atomicinc(&urb->reject); atomicdec(&urb->usecount); ... ... waitevent(usbkillurbqueue, atomicread(&urb->usecount) == 0); if (atomicread(&urb->reject)) wakeup(&usbkillurbqueue);

Confining your attention to urb->reject and urb->use_count, you can see that the overall pattern of accesses on CPU 0 is:

write urb->reject, then read urb->use_count;

whereas the overall pattern of accesses on CPU 1 is:

write urb->use_count, then read urb->reject.

This pattern is referred to in memory-model circles as SB (for "Store Buffering"), and it is well known that without suitable enforcement of the desired order of accesses -- in the form of memory barriers -- it is entirely possible for one or both CPUs to execute their reads ahead of their writes. The end result will be that sometimes CPU 0 sees the old un-decremented value of urb->usecount while CPU 1 sees the old un-incremented value of urb->reject. Consequently CPU 0 ends up on the wait queue and never gets woken up, leading to the observed hang in usbkill_urb().

The same pattern of accesses occurs in usbpoisonurb() and the failure pathway of usbhcdsubmit_urb().

The problem is fixed by adding suitable memory barriers. To provide proper memory-access ordering in the SB pattern, a full barrier is required on both CPUs. The atomicinc() and atomicdec() accesses themselves don't provide any memory ordering, but since they are present, we can use the optimized smpmbafteratomic() memory barrier in the various routines to obtain the desired effect.

This patch adds the necessary memory barriers.(CVE-2022-48760)

In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: fix overwriting ct original tuple for ICMPv6

OVSPACKETCMDEXECUTE has 3 main attributes: - OVSPACKETATTRKEY - Packet metadata in a netlink format. - OVSPACKETATTRPACKET - Binary packet content. - OVSPACKETATTRACTIONS - Actions to execute on the packet.

OVSPACKETATTRKEY is parsed first to populate swflow_key structure with the metadata like conntrack state, input port, recirculation id, etc. Then the packet itself gets parsed to populate the rest of the keys from the packet headers.

Whenever the packet parsing code starts parsing the ICMPv6 header, it first zeroes out fields in the key corresponding to Neighbor Discovery information even if it is not an ND packet.

It is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares the space between 'nd' and 'ctorig' that holds the original tuple conntrack metadata parsed from the OVSPACKETATTRKEY.

ND packets should not normally have conntrack state, so it's fine to share the space, but normal ICMPv6 Echo packets or maybe other types of ICMPv6 can have the state attached and it should not be overwritten.

The issue results in all but the last 4 bytes of the destination address being wiped from the original conntrack tuple leading to incorrect packet matching and potentially executing wrong actions in case this packet recirculates within the datapath or goes back to userspace.

ND fields should not be accessed in non-ND packets, so not clearing them should be fine. Executing memset() only for actual ND packets to avoid the issue.

Initializing the whole thing before parsing is needed because ND packet may not contain all the options.

The issue only affects the OVSPACKETCMD_EXECUTE path and doesn't affect packets entering OVS datapath from network interfaces, because in this case CT metadata is populated from skb after the packet is already parsed.(CVE-2024-38558)

In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: fix potential memory leak in vfiointxenable()

If vfioirqctx_alloc() failed will lead to 'name' memory leak.(CVE-2024-38632)

In the Linux kernel, the following vulnerability has been resolved:

kdb: Fix buffer overflow during tab-complete

Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer.

Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around.(CVE-2024-39480)

In the Linux kernel, the following vulnerability has been resolved:

bonding: Fix out-of-bounds read in bondoptionarpiptargets_set()

In function bondoptionarpiptargets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read.

BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xd9/0x150 lib/dumpstack.c:106 printaddressdescription mm/kasan/report.c:364 [inline] printreport+0xc1/0x5e0 mm/kasan/report.c:475 kasanreport+0xbe/0xf0 mm/kasan/report.c:588 strlen+0x7d/0xa0 lib/string.c:418 _fortifystrlen include/linux/fortify-string.h:210 [inline] in4pton+0xa3/0x3f0 net/core/utils.c:130 bondoptionarpiptargetsset+0xc2/0x910 drivers/net/bonding/bondoptions.c:1201 _bondoptset+0x2a4/0x1030 drivers/net/bonding/bondoptions.c:767 _bondoptsetnotify+0x48/0x150 drivers/net/bonding/bondoptions.c:792 bondopttrysetrtnl+0xda/0x160 drivers/net/bonding/bondoptions.c:817 bondingsysfsstoreoption+0xa1/0x120 drivers/net/bonding/bondsysfs.c:156 devattrstore+0x54/0x80 drivers/base/core.c:2366 sysfskfwrite+0x114/0x170 fs/sysfs/file.c:136 kernfsfopwriteiter+0x337/0x500 fs/kernfs/file.c:334 callwriteiter include/linux/fs.h:2020 [inline] newsyncwrite fs/readwrite.c:491 [inline] vfswrite+0x96a/0xd80 fs/readwrite.c:584 ksyswrite+0x122/0x250 fs/readwrite.c:637 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0x40/0x110 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x63/0x6b ---[ end trace ]---

Fix it by adding a check of string length before using it.(CVE-2024-39487)

In the Linux kernel, the following vulnerability has been resolved:

arm64: asm-bug: Add .align 2 to the end of _BUGENTRY

When CONFIGDEBUGBUGVERBOSE=n, we fail to add necessary padding bytes to bug_table entries, and as a result the last entry in a bug table will be ignored, potentially leading to an unexpected panic(). All prior entries in the table will be handled correctly.

The arm64 ABI requires that struct fields of up to 8 bytes are naturally-aligned, with padding added within a struct such that struct are suitably aligned within arrays.

When CONFIGDEBUGBUGVERPOSE=y, the layout of a bug_entry is:

struct bug_entry {
    signed int      bug_addr_disp;  // 4 bytes
    signed int      file_disp;  // 4 bytes
    unsigned short  line;       // 2 bytes
    unsigned short  flags;      // 2 bytes
}

... with 12 bytes total, requiring 4-byte alignment.

When CONFIGDEBUGBUGVERBOSE=n, the layout of a bug_entry is:

struct bug_entry {
    signed int      bug_addr_disp;  // 4 bytes
    unsigned short  flags;      // 2 bytes
    < implicit padding >      // 2 bytes
}

... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing padding, requiring 4-byte alginment.

When we create a bugentry in assembly, we align the start of the entry to 4 bytes, which implicitly handles padding for any prior entries. However, we do not align the end of the entry, and so when CONFIGDEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding bytes.

For the main kernel image this is not a problem as find_bug() doesn't depend on the trailing padding bytes when searching for entries:

for (bug = __start___bug_table; bug < __stop___bug_table; ++bug)
    if (bugaddr == bug_addr(bug))
        return bug;

However for modules, modulebugfinalize() depends on the trailing bytes when calculating the number of entries:

mod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);

... and as the last bug_entry lacks the necessary padding bytes, this entry will not be counted, e.g. in the case of a single entry:

sechdrs[i].sh_size == 6
sizeof(struct bug_entry) == 8;

sechdrs[i].sh_size / sizeof(struct bug_entry) == 0;

Consequently modulefindbug() will miss the last bug_entry when it does:

for (i = 0; i < mod->num_bugs; ++i, ++bug)
    if (bugaddr == bug_addr(bug))
        goto out;

... which can lead to a kenrel panic due to an unhandled bug.

This can be demonstrated with the following module:

static int __init buginit(void)
{
    WARN(1, "hello\n");
    return 0;
}

static void __exit bugexit(void)
{
}

module_init(buginit);
module_exit(bugexit);
MODULE_LICENSE("GPL");

... which will trigger a kernel panic when loaded:

------------[ cut here ]------------
hello
Unexpected kernel BRK exception at EL1
Internal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in: hello(O+)
CPU: 0 PID: 50 Comm: insmod Tainted: G           O       6.9.1 #8
Hardware name: linux,dummy-virt (DT)
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : buginit+0x18/0x1000 [hello]
lr : buginit+0x18/0x1000 [hello]
sp : ffff800080533ae0
x29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000
x26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58
x23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0
x20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006
x17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720
x14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312
x11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8
x8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000
x5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0
Call trace:
 buginit+0x18/0x1000 [hello]
 do_one_initcall+0x80/0x1c8
 do_init_module+0x60/0x218
 load_module+0x1ba4/0x1d70
 __do_sys_init_module+0x198/0x1d0
 __arm64_sys_init_module+0x1c/0x28
 invoke_syscall+0x48/0x114
 el0_svc

---truncated---(CVE-2024-39488)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: sr: fix memleak in seg6hmacinit_algo

seg6hmacinit_algo returns without cleaning up the previous allocations if one fails, so it's going to leak all that memory and the crypto tfms.

Update seg6hmacexit to only free the memory when allocated, so we can reuse the code directly.(CVE-2024-39489)