ghsa-7x33-7jjx-2gmh
Vulnerability from github
Published
2024-05-01 06:31
Modified
2024-06-26 00:31
Details

In the Linux kernel, the following vulnerability has been resolved:

s390/zcrypt: fix reference counting on zcrypt card objects

Tests with hot-plugging crytpo cards on KVM guests with debug kernel build revealed an use after free for the load field of the struct zcrypt_card. The reason was an incorrect reference handling of the zcrypt card object which could lead to a free of the zcrypt card object while it was still in use.

This is an example of the slab message:

kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b
kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43
kernel:  kmalloc_trace+0x3f2/0x470
kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]
kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]
kernel:  ap_device_probe+0x15c/0x290
kernel:  really_probe+0xd2/0x468
kernel:  driver_probe_device+0x40/0xf0
kernel:  __device_attach_driver+0xc0/0x140
kernel:  bus_for_each_drv+0x8c/0xd0
kernel:  __device_attach+0x114/0x198
kernel:  bus_probe_device+0xb4/0xc8
kernel:  device_add+0x4d2/0x6e0
kernel:  ap_scan_adapter+0x3d0/0x7c0
kernel:  ap_scan_bus+0x5a/0x3b0
kernel:  ap_scan_bus_wq_callback+0x40/0x60
kernel:  process_one_work+0x26e/0x620
kernel:  worker_thread+0x21c/0x440
kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43
kernel:  kfree+0x37e/0x418
kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]
kernel:  ap_device_remove+0x4c/0xe0
kernel:  device_release_driver_internal+0x1c4/0x270
kernel:  bus_remove_device+0x100/0x188
kernel:  device_del+0x164/0x3c0
kernel:  device_unregister+0x30/0x90
kernel:  ap_scan_adapter+0xc8/0x7c0
kernel:  ap_scan_bus+0x5a/0x3b0
kernel:  ap_scan_bus_wq_callback+0x40/0x60
kernel:  process_one_work+0x26e/0x620
kernel:  worker_thread+0x21c/0x440
kernel:  kthread+0x150/0x168
kernel:  __ret_from_fork+0x3c/0x58
kernel:  ret_from_fork+0xa/0x30
kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)
kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88
kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........
kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.
kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........
kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ
kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2
kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)
kernel: Call Trace:
kernel:  [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120
kernel:  [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140
kernel:  [<00000000c99d53cc>] check_object+0x334/0x3f8
kernel:  [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8
kernel:  [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0
kernel:  [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8
kernel:  [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8
kernel:  [<00000000c99dc8dc>] __kmalloc+0x434/0x590
kernel:  [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0
kernel:  [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0
kernel:

---truncated---

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2024-26957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T06:15:11Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix reference counting on zcrypt card objects\n\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\n\nThis is an example of the slab message:\n\n    kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n    kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n    kernel:  kmalloc_trace+0x3f2/0x470\n    kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]\n    kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n    kernel:  ap_device_probe+0x15c/0x290\n    kernel:  really_probe+0xd2/0x468\n    kernel:  driver_probe_device+0x40/0xf0\n    kernel:  __device_attach_driver+0xc0/0x140\n    kernel:  bus_for_each_drv+0x8c/0xd0\n    kernel:  __device_attach+0x114/0x198\n    kernel:  bus_probe_device+0xb4/0xc8\n    kernel:  device_add+0x4d2/0x6e0\n    kernel:  ap_scan_adapter+0x3d0/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n    kernel:  kfree+0x37e/0x418\n    kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]\n    kernel:  ap_device_remove+0x4c/0xe0\n    kernel:  device_release_driver_internal+0x1c4/0x270\n    kernel:  bus_remove_device+0x100/0x188\n    kernel:  device_del+0x164/0x3c0\n    kernel:  device_unregister+0x30/0x90\n    kernel:  ap_scan_adapter+0xc8/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel:  kthread+0x150/0x168\n    kernel:  __ret_from_fork+0x3c/0x58\n    kernel:  ret_from_fork+0xa/0x30\n    kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n    kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n    kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........\n    kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.\n    kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........\n    kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ\n    kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n    kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n    kernel: Call Trace:\n    kernel:  [\u003c00000000ca5ab5b8\u003e] dump_stack_lvl+0x90/0x120\n    kernel:  [\u003c00000000c99d78bc\u003e] check_bytes_and_report+0x114/0x140\n    kernel:  [\u003c00000000c99d53cc\u003e] check_object+0x334/0x3f8\n    kernel:  [\u003c00000000c99d820c\u003e] alloc_debug_processing+0xc4/0x1f8\n    kernel:  [\u003c00000000c99d852e\u003e] get_partial_node.part.0+0x1ee/0x3e0\n    kernel:  [\u003c00000000c99d94ec\u003e] ___slab_alloc+0xaf4/0x13c8\n    kernel:  [\u003c00000000c99d9e38\u003e] __slab_alloc.constprop.0+0x78/0xb8\n    kernel:  [\u003c00000000c99dc8dc\u003e] __kmalloc+0x434/0x590\n    kernel:  [\u003c00000000c9b4c0ce\u003e] ext4_htree_store_dirent+0x4e/0x1c0\n    kernel:  [\u003c00000000c9b908a2\u003e] htree_dirblock_to_tree+0x17a/0x3f0\n    kernel: \n---truncated---",
  "id": "GHSA-7x33-7jjx-2gmh",
  "modified": "2024-06-26T00:31:38Z",
  "published": "2024-05-01T06:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26957"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.