CVE-2024-56686 – ext4: fix race in buffer_head read fault injection
https://notcve.org/view.php?id=CVE-2024-56686
In the Linux kernel, the following vulnerability has been resolved: ext4: fix race in buffer_head read fault injection When I enabled ext4 debug for fault injection testing, I encountered the following warning: EXT4-fs error (device sda): ext4_read_inode_bitmap:201: comm fsstress: Cannot read inode bitmap - block_group = 8, inode_bitmap = 1051 WARNING: CPU: 0 PID: 511 at fs/buffer.c:1181 mark_buffer_dirty+0x1b3/0x1d0 The root cause of the issue lies in the improper implementation of ext4's buffer_head read fault injection. The actual completion of buffer_head read and the buffer_head fault injection are not atomic, which can lead to the uptodate flag being cleared on normally used buffer_heads in race conditions. [CPU0] [CPU1] [CPU2] ext4_read_inode_bitmap ext4_read_bh() <bh read complete> ext4_read_inode_bitmap if (buffer_uptodate(bh)) return bh jbd2_journal_commit_transaction __jbd2_journal_refile_buffer __jbd2_journal_unfile_buffer __jbd2_journal_temp_unlink_buffer ext4_simulate_fail_bh() clear_buffer_uptodate mark_buffer_dirty <report warning> WARN_ON_ONCE(!buffer_uptodate(bh)) The best approach would be to perform fault injection in the IO completion callback function, rather than after IO completion. However, the IO completion callback function cannot get the fault injection code in sb. Fix it by passing the result of fault injection into the bh read function, we simulate faults within the bh read function itself. This requires adding an extra parameter to the bh read functions that need fault injection. • https://git.kernel.org/stable/c/46f870d690fecc792a66730dcbbf0aa109f5f9ab https://git.kernel.org/stable/c/77035e4d27e15f87ea55929c8bb8fb1970129e2f https://git.kernel.org/stable/c/25a5acf88fed59e060405bbb48098f4a3a2c2adc https://git.kernel.org/stable/c/61832ee7fa2fbd569d129379e795038abfb0d128 https://git.kernel.org/stable/c/2f3d93e210b9c2866c8b3662adae427d5bf511ec •
CVE-2024-56681 – crypto: bcm - add error check in the ahash_hmac_init function
https://notcve.org/view.php?id=CVE-2024-56681
In the Linux kernel, the following vulnerability has been resolved: crypto: bcm - add error check in the ahash_hmac_init function The ahash_init functions may return fails. The ahash_hmac_init should not return ok when ahash_init returns error. For an example, ahash_init will return -ENOMEM when allocation memory is error. • https://git.kernel.org/stable/c/9d12ba86f818aa9cfe9f01b750336aa441f2ffa2 https://git.kernel.org/stable/c/8f1a9a960b1107bd0e0ec3736055f5ed0e717edf https://git.kernel.org/stable/c/75e1e38e5d80d6d9011b7322698ffba3dd3db30a https://git.kernel.org/stable/c/28f8ffa945f7d7150463e15097ea73b19529d6f5 https://git.kernel.org/stable/c/4ea3e3b761e371102bb1486778e2f8dbc9e37413 https://git.kernel.org/stable/c/05f0a3f5477ecaa1cf46448504afe9e7c2e96fcc https://git.kernel.org/stable/c/ae5253313e0ea5f00c06176074592b7f493c8546 https://git.kernel.org/stable/c/ee36db8e8203420e6d5c42eb9428920c2 •
CVE-2024-56679 – octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_common.c
https://notcve.org/view.php?id=CVE-2024-56679
In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_common.c Add error pointer check after calling otx2_mbox_get_rsp(). • https://git.kernel.org/stable/c/ab58a416c93f134b72ec7e10d8d74509c3985243 https://git.kernel.org/stable/c/785c6758ea32aca73ba9331f7d902f7ce9a25757 https://git.kernel.org/stable/c/9265b6ee754226f61bd122ec57141a781d4e0dcb https://git.kernel.org/stable/c/52c63a6a27d3178fab533fcfb4baa2ed5b8608a3 https://git.kernel.org/stable/c/4b88b202cf1ae79159a94fff9500f9be31559235 https://git.kernel.org/stable/c/d4d5139d280f5837f16d116614c05c2b4eeaf28f https://git.kernel.org/stable/c/0fbc7a5027c6f7f2c785adae3dcec22b2f2b69b3 •
CVE-2024-56678 – powerpc/mm/fault: Fix kfence page fault reporting
https://notcve.org/view.php?id=CVE-2024-56678
In the Linux kernel, the following vulnerability has been resolved: powerpc/mm/fault: Fix kfence page fault reporting copy_from_kernel_nofault() can be called when doing read of /proc/kcore. /proc/kcore can have some unmapped kfence objects which when read via copy_from_kernel_nofault() can cause page faults. Since *_nofault() functions define their own fixup table for handling fault, use that instead of asking kfence to handle such faults. Hence we search the exception tables for the nip which generated the fault. If there is an entry then we let the fixup table handler handle the page fault by returning an error from within ___do_page_fault(). This can be easily triggered if someone tries to do dd from /proc/kcore. eg. dd if=/proc/kcore of=/dev/null bs=1M Some example false negatives: =============================== BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0 Invalid read at 0xc0000000fdff0000: copy_from_kernel_nofault+0x9c/0x1a0 0xc00000000665f950 read_kcore_iter+0x57c/0xa04 proc_reg_read_iter+0xe4/0x16c vfs_read+0x320/0x3ec ksys_read+0x90/0x154 system_call_exception+0x120/0x310 system_call_vectored_common+0x15c/0x2ec BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0 Use-after-free read at 0xc0000000fe050000 (in kfence-#2): copy_from_kernel_nofault+0x9c/0x1a0 0xc00000000665f950 read_kcore_iter+0x57c/0xa04 proc_reg_read_iter+0xe4/0x16c vfs_read+0x320/0x3ec ksys_read+0x90/0x154 system_call_exception+0x120/0x310 system_call_vectored_common+0x15c/0x2ec • https://git.kernel.org/stable/c/90cbac0e995dd92f7bcf82f74aa50250bf194a4a https://git.kernel.org/stable/c/e0a470b5733c1fe068d5c58b0bb91ad539604bc6 https://git.kernel.org/stable/c/4d2655754e94741b159aa807b72ea85518a65fd5 https://git.kernel.org/stable/c/9ea8d8bf9b625e8ad3be6b0432aecdc549914121 https://git.kernel.org/stable/c/7eaeb7a49b6d16640f9f3c9074c05175d74c710b https://git.kernel.org/stable/c/15f78d2c3d1452645bd8b9da909b0ca266f83c43 https://git.kernel.org/stable/c/06dbbb4d5f7126b6307ab807cbf04ecfc459b933 •
CVE-2024-56672 – blk-cgroup: Fix UAF in blkcg_unpin_online()
https://notcve.org/view.php?id=CVE-2024-56672
In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117 CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwb_release cgwb_release_workfn Call Trace: <TASK> dump_stack_lvl+0x27/0x80 print_report+0x151/0x710 kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270 cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> ... Freed by task 1944: kasan_save_track+0x2b/0x70 kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50 kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30 Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcg_unpin_online(). Fix it by reading the parent pointer before destroying the blkcg's blkg's. • https://git.kernel.org/stable/c/4308a434e5e08c78676aa66bc626ef78cbef0883 https://git.kernel.org/stable/c/64afc6fe24c9896c0153e5a199bcea241ecb0d5c https://git.kernel.org/stable/c/5baa28569c924d9a90d036c2aaab79f791fedaf8 https://git.kernel.org/stable/c/29d1e06560f0f6179062ac638b4064deb637d1ad https://git.kernel.org/stable/c/86e6ca55b83c575ab0f2e105cf08f98e58d3d7af •