ghsa-vxff-46qf-f9jx
Vulnerability from github
Published
2024-05-01 06:31
Modified
2024-12-23 15:30
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

bootconfig: use memblock_free_late to free xbc memory to buddy

On the time to free xbc memory in xbc_exit(), memblock may has handed over memory to buddy allocator. So it doesn't make sense to free memory back to memblock. memblock_free() called by xbc_exit() even causes UAF bugs on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86. Following KASAN logs shows this case.

This patch fixes the xbc memory free problem by calling memblock_free() in early xbc init error rewind path and calling memblock_free_late() in xbc exit path to free memory to buddy allocator.

[ 9.410890] ================================================================== [ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260 [ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1

[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5 [ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023 [ 9.460789] Call Trace: [ 9.463518] [ 9.465859] dump_stack_lvl+0x53/0x70 [ 9.469949] print_report+0xce/0x610 [ 9.473944] ? __virt_addr_valid+0xf5/0x1b0 [ 9.478619] ? memblock_isolate_range+0x12d/0x260 [ 9.483877] kasan_report+0xc6/0x100 [ 9.487870] ? memblock_isolate_range+0x12d/0x260 [ 9.493125] memblock_isolate_range+0x12d/0x260 [ 9.498187] memblock_phys_free+0xb4/0x160 [ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10 [ 9.508021] ? mutex_unlock+0x7e/0xd0 [ 9.512111] ? __pfx_mutex_unlock+0x10/0x10 [ 9.516786] ? kernel_init_freeable+0x2d4/0x430 [ 9.521850] ? __pfx_kernel_init+0x10/0x10 [ 9.526426] xbc_exit+0x17/0x70 [ 9.529935] kernel_init+0x38/0x1e0 [ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30 [ 9.538601] ret_from_fork+0x2c/0x50 [ 9.542596] ? __pfx_kernel_init+0x10/0x10 [ 9.547170] ret_from_fork_asm+0x1a/0x30 [ 9.551552]

[ 9.555649] The buggy address belongs to the physical page: [ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30 [ 9.570821] flags: 0x200000000000000(node=0|zone=2) [ 9.576271] page_type: 0xffffffff() [ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000 [ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 9.597476] page dumped because: kasan: bad access detected

[ 9.605362] Memory state around the buggy address: [ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 9.634930] ^ [ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 9.654675] ==================================================================

Show details on source website

To clipboard 

{
   affected: [],
   aliases: [
      "CVE-2024-26983",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-416",
      ],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2024-05-01T06:15:15Z",
      severity: "HIGH",
   },
   details: "In the Linux kernel, the following vulnerability has been resolved:\n\nbootconfig: use memblock_free_late to free xbc memory to buddy\n\nOn the time to free xbc memory in xbc_exit(), memblock may has handed\nover memory to buddy allocator. So it doesn't make sense to free memory\nback to memblock. memblock_free() called by xbc_exit() even causes UAF bugs\non architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.\nFollowing KASAN logs shows this case.\n\nThis patch fixes the xbc memory free problem by calling memblock_free()\nin early xbc init error rewind path and calling memblock_free_late() in\nxbc exit path to free memory to buddy allocator.\n\n[    9.410890] ==================================================================\n[    9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260\n[    9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1\n\n[    9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G     U             6.9.0-rc3-00208-g586b5dfb51b9 #5\n[    9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023\n[    9.460789] Call Trace:\n[    9.463518]  <TASK>\n[    9.465859]  dump_stack_lvl+0x53/0x70\n[    9.469949]  print_report+0xce/0x610\n[    9.473944]  ? __virt_addr_valid+0xf5/0x1b0\n[    9.478619]  ? memblock_isolate_range+0x12d/0x260\n[    9.483877]  kasan_report+0xc6/0x100\n[    9.487870]  ? memblock_isolate_range+0x12d/0x260\n[    9.493125]  memblock_isolate_range+0x12d/0x260\n[    9.498187]  memblock_phys_free+0xb4/0x160\n[    9.502762]  ? __pfx_memblock_phys_free+0x10/0x10\n[    9.508021]  ? mutex_unlock+0x7e/0xd0\n[    9.512111]  ? __pfx_mutex_unlock+0x10/0x10\n[    9.516786]  ? kernel_init_freeable+0x2d4/0x430\n[    9.521850]  ? __pfx_kernel_init+0x10/0x10\n[    9.526426]  xbc_exit+0x17/0x70\n[    9.529935]  kernel_init+0x38/0x1e0\n[    9.533829]  ? _raw_spin_unlock_irq+0xd/0x30\n[    9.538601]  ret_from_fork+0x2c/0x50\n[    9.542596]  ? __pfx_kernel_init+0x10/0x10\n[    9.547170]  ret_from_fork_asm+0x1a/0x30\n[    9.551552]  </TASK>\n\n[    9.555649] The buggy address belongs to the physical page:\n[    9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30\n[    9.570821] flags: 0x200000000000000(node=0|zone=2)\n[    9.576271] page_type: 0xffffffff()\n[    9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000\n[    9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\n[    9.597476] page dumped because: kasan: bad access detected\n\n[    9.605362] Memory state around the buggy address:\n[    9.610714]  ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[    9.618786]  ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[    9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[    9.634930]                    ^\n[    9.638534]  ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[    9.646605]  ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[    9.654675] ==================================================================",
   id: "GHSA-vxff-46qf-f9jx",
   modified: "2024-12-23T15:30:46Z",
   published: "2024-05-01T06:31:42Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2024-26983",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7",
      },
      {
         type: "WEB",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53",
      },
      {
         type: "WEB",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY",
      },
      {
         type: "WEB",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
         type: "CVSS_V3",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.