From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3DD692416AB for ; Wed, 15 Jan 2025 13:10:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736946654; cv=none; b=NLuycuW2qmbt0d4KsjMVUIvxIx2XpBhqJDos++AQAQMRZJiiGBdOWonTHMuKa7xoE37+VhfqqbGX/Hk6dJN4pD0F90y3OuHBc8VLHLo1sjKTOYHZ6xrrnFKjzicgfppfl607v6/04U02AkwjfI9GwfjHGUfDt/RfF1SPJNHk1nQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736946654; c=relaxed/simple; bh=XzyEnczmmryBq/vTEUAiWncDpuZCwwCejH9LD7fy3Jg=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=LFsyT+A6B7Vf0tzEvNzIRmVDIrlqIXUE3B1JNWJhthghdl44j+qxXHXGNpXD1vOGcxxgZZYcokQlKY7G885L250GoqkJrmYauzpQw224V1s0ZLTCgZvaGeuwOAtcE7/DCabXKNoVMbfSJjNmY7T9IRAdrItMZZEF2PrltUpaqXY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=Q/KiyVTa; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="Q/KiyVTa" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5C6A5C4CEE4; Wed, 15 Jan 2025 13:10:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1736946653; bh=XzyEnczmmryBq/vTEUAiWncDpuZCwwCejH9LD7fy3Jg=; h=From:To:Cc:Subject:Date:Reply-to:From; b=Q/KiyVTaFFfSWFBnr3XOOOKB8j6b+itLqCygnguuf1HwGzbrTtFHW1TN3u6LLI+Ap K76gZjPRUThqMxeNqeowA+o18vqHqhSXYZxm2eO4TPn1uXeEFWcY5s62zK7CZYwfbD wfpMWIXC5klfXulqRcF8uTOGaKKwyK9MWhrNM7ro= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2024-57795: RDMA/rxe: Remove the direct link to net_device Date: Wed, 15 Jan 2025 14:10:36 +0100 Message-ID: <2025011533-CVE-2024-57795-e560@gregkh> X-Mailer: git-send-email 2.48.0 Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Reply-to: , X-Developer-Signature: v=1; a=openpgp-sha256; l=4352; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=XzyEnczmmryBq/vTEUAiWncDpuZCwwCejH9LD7fy3Jg=; b=owGbwMvMwCRo6H6F97bub03G02pJDOntm0/eeTnjgtRRx3mOzo+WRPJeWnjAQe+nxt5owWsd3 R6bOypzO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAid00Z5hdkZNl/OhV0M9pb Z+IJJ6ajjJy/gxnm158+WDF1uVPi+XsF+kes2zLEdn61BAA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit Description =========== In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Remove the direct link to net_device The similar patch in siw is in the link: https://git.kernel.org/rdma/rdma/c/16b87037b48889 This problem also occurred in RXE. The following analyze this problem. In the following Call Traces: " BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782 Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295 CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted 6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: infiniband ib_cache_event_task Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 dev_get_flags+0x188/0x1d0 net/core/dev.c:8782 rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60 __ib_query_port drivers/infiniband/core/device.c:2111 [inline] ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143 ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494 ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 " 1). In the link [1], " infiniband syz2: set down " This means that on 839.350575, the event ib_cache_event_task was sent andi queued in ib_wq. 2). In the link [1], " team0 (unregistering): Port device team_slave_0 removed " It indicates that before 843.251853, the net device should be freed. 3). In the link [1], " BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 " This means that on 850.559070, this slab-use-after-free problem occurred. In all, on 839.350575, the event ib_cache_event_task was sent and queued in ib_wq, before 843.251853, the net device veth was freed. on 850.559070, this event was executed, and the mentioned freed net device was called. Thus, the above call trace occurred. [1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000 The Linux kernel CVE team has assigned CVE-2024-57795 to this issue. Affected and fixed versions =========================== Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 6.12.9 with commit 9f6f54e6a6863131442b40e14d1792b090c7ce21 Issue introduced in 4.8 with commit 8700e3e7c4857d28ebaa824509934556da0b3e76 and fixed in 6.13-rc6 with commit 2ac5415022d16d63d912a39a06f32f1f51140261 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-57795 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/infiniband/sw/rxe/rxe.c drivers/infiniband/sw/rxe/rxe.h drivers/infiniband/sw/rxe/rxe_mcast.c drivers/infiniband/sw/rxe/rxe_net.c drivers/infiniband/sw/rxe/rxe_verbs.c drivers/infiniband/sw/rxe/rxe_verbs.h Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/9f6f54e6a6863131442b40e14d1792b090c7ce21 https://git.kernel.org/stable/c/2ac5415022d16d63d912a39a06f32f1f51140261