From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2024-26870: NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102
Date: Wed, 17 Apr 2024 12:28:45 +0200
Message-ID: <2024041738-CVE-2024-26870-7aea@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102

A call to listxattr() with a buffer size = 0 returns the actual size
of the buffer needed for a subsequent call. When size > 0,
nfs4_listxattr() does not return an error because either
generic_listxattr() or nfs4_listxattr_nfs4_label() consumes exactly
all the bytes then size is 0 when calling nfs4_listxattr_nfs4_user()
which then triggers the following kernel BUG:

[ 99.403778] kernel BUG at mm/usercopy.c:102!
[ 99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[ 99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1
[ 99.415827] Call trace:
[ 99.415985] usercopy_abort+0x70/0xa0
[ 99.416227] __check_heap_object+0x134/0x158
[ 99.416505] check_heap_object+0x150/0x188
[ 99.416696] __check_object_size.part.0+0x78/0x168
[ 99.416886] __check_object_size+0x28/0x40
[ 99.417078] listxattr+0x8c/0x120
[ 99.417252] path_listxattr+0x78/0xe0
[ 99.417476] __arm64_sys_listxattr+0x28/0x40
[ 99.417723] invoke_syscall+0x78/0x100
[ 99.417929] el0_svc_common.constprop.0+0x48/0xf0
[ 99.418186] do_el0_svc+0x24/0x38
[ 99.418376] el0_svc+0x3c/0x110
[ 99.418554] el0t_64_sync_handler+0x120/0x130
[ 99.418788] el0t_64_sync+0x194/0x198
[ 99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)

Issue is reproduced when generic_listxattr() returns 'system.nfs4_acl',
thus calling listxattr() with size = 16 will trigger the bug.

Add check on nfs4_listxattr() to return ERANGE error when it is called
with size > 0 and the return value is greater than size.

The Linux kernel CVE team has assigned CVE-2024-26870 to this issue.

Affected and fixed versions
===========================

  Issue introduced in 5.9 with commit 012a211abd5d and fixed in 5.10.214 with commit 4403438eaca6
  Issue introduced in 5.9 with commit 012a211abd5d and fixed in 5.15.153 with commit 9d52865ff282
  Issue introduced in 5.9 with commit 012a211abd5d and fixed in 6.1.83 with commit 06e828b3f1b2
  Issue introduced in 5.9 with commit 012a211abd5d and fixed in 6.6.23 with commit 79cdcc765969
  Issue introduced in 5.9 with commit 012a211abd5d and fixed in 6.7.11 with commit 80365c9f9601
  Issue introduced in 5.9 with commit 012a211abd5d and fixed in 6.8.2 with commit 23bfecb4d852
  Issue introduced in 5.9 with commit 012a211abd5d and fixed in 6.9-rc1 with commit 251a658bbfce

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
  https://cve.org/CVERecord/?id=CVE-2024-26870
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
  fs/nfs/nfs4proc.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
  https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b
  https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a
  https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb
  https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768
  https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf
  https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf
  https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7bcfad65
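The failure mode in the Description above, shown as an added user-space model written for this page. It is not kernel code and not the project's own fix; the names model_generic_listxattr(), model_nfs4_listxattr_nfs4_user(), model_nfs4_listxattr(), model_sys_listxattr(), the sample name lists SYSTEM_NAMES and USER_NAMES, and the MODEL_USERCOPY_BUG sentinel are all constructed here. The model keeps the listxattr() sizing contract (size == 0 means "report bytes needed"), chains two listers over one buffer exactly as the advisory describes, and applies the ERANGE check only when `fixed` is set, so the same 16-byte call can be run against the buggy and the fixed chain side by side.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/*
 * Constructed sample data: the NUL-separated name lists each sub-lister
 * would produce, in the layout listxattr(2) returns them.  The 16-byte
 * "system.nfs4_acl\0" matches the size = 16 reproduction in the advisory.
 */
static const char SYSTEM_NAMES[] = "system.nfs4_acl";     /* sizeof == 16 */
static const char USER_NAMES[]   = "user.foo\0user.bar";  /* sizeof == 18 */

/* Sentinel returned by the syscall model where the real kernel would hit
 * usercopy_abort(): a copy length larger than the kernel buffer object. */
#define MODEL_USERCOPY_BUG (-1000)

/*
 * The listxattr() sizing contract: size == 0 means "report the bytes
 * needed", otherwise copy and return bytes written, or -ERANGE if the
 * buffer is too small.  Both sub-listers below follow this contract.
 */
static ssize_t list_names(const char *names, size_t names_len,
                          char *buf, size_t size)
{
    if (size == 0)
        return (ssize_t)names_len;
    if (names_len > size)
        return -ERANGE;
    memcpy(buf, names, names_len);
    return (ssize_t)names_len;
}

/* Stand-ins (hypothetical) for generic_listxattr() and nfs4_listxattr_nfs4_user(). */
static ssize_t model_generic_listxattr(char *buf, size_t size)
{
    return list_names(SYSTEM_NAMES, sizeof SYSTEM_NAMES, buf, size);
}

static ssize_t model_nfs4_listxattr_nfs4_user(char *buf, size_t size)
{
    return list_names(USER_NAMES, sizeof USER_NAMES, buf, size);
}

/*
 * Model of nfs4_listxattr() chaining two listers over one buffer.  When the
 * first lister consumes exactly `size` bytes, `left` drops to 0 and the
 * second lister is called in sizing mode: it returns its needed length
 * instead of -ERANGE, so the total silently exceeds the caller's buffer.
 * With `fixed` set, the advisory's check (size > 0 and total > size gives
 * -ERANGE) is applied before returning.
 */
static ssize_t model_nfs4_listxattr(char *buf, size_t size, int fixed)
{
    ssize_t error, error2;
    size_t left = size;

    error = model_generic_listxattr(buf, left);
    if (error < 0)
        return error;
    if (buf) {
        buf += error;
        left -= (size_t)error;   /* 0 when the first lister filled the buffer exactly */
    }

    error2 = model_nfs4_listxattr_nfs4_user(buf, left);
    if (error2 < 0)
        return error2;

    error += error2;
    if (fixed && size && (size_t)error > size)
        return -ERANGE;          /* the fix: never claim more bytes than the buffer holds */
    return error;
}

/*
 * Model of the listxattr() syscall path: a kernel buffer of `size` bytes is
 * filled by the filesystem, then `error` bytes are copied back to user
 * space.  Hardened usercopy compares the copy length against the kernel
 * object, which is where mm/usercopy.c:102 fires when error > size.
 */
static ssize_t model_sys_listxattr(char *ubuf, size_t size, int fixed)
{
    char kbuf[64] = { 0 };
    ssize_t error;

    if (size == 0)
        return model_nfs4_listxattr(NULL, 0, fixed);   /* pure sizing query */
    if (size > sizeof kbuf)
        size = sizeof kbuf;

    error = model_nfs4_listxattr(kbuf, size, fixed);
    if (error > 0) {
        if ((size_t)error > size)
            return MODEL_USERCOPY_BUG;  /* copy_to_user() of more than the object */
        memcpy(ubuf, kbuf, (size_t)error);
    }
    return error;
}
```

Calling model_sys_listxattr() with size 16 reaches the sentinel on the buggy chain and returns -ERANGE on the fixed one; with size 20 both chains already return -ERANGE from the second lister, which is why only a buffer that the first lister fills exactly exposes the bug.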