ghsa-f6j3-h537-397p
Vulnerability from github
Published
2025-01-06 18:31
Modified
2025-01-08 00:30
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/vas: Add close() callback in vas_vm_ops struct

The mapping VMA address is saved in VAS window struct when the paste address is mapped. This VMA address is used during migration to unmap the paste address if the window is active. The paste address mapping will be removed when the window is closed or with the munmap(). But the VMA address in the VAS window is not updated with munmap() which is causing invalid access during migration.

The KASAN report shows: [16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8 [16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928

[16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2 [16386.255128] Tainted: [B]=BAD_PAGE [16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries [16386.255181] Call Trace: [16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable) [16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764 [16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8 [16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0 [16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8 [16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc [16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4 ...

[16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s: [16386.256149] kasan_save_stack+0x34/0x68 [16386.256163] kasan_save_track+0x34/0x80 [16386.256175] kasan_save_alloc_info+0x58/0x74 [16386.256196] __kasan_slab_alloc+0xb8/0xdc [16386.256209] kmem_cache_alloc_noprof+0x200/0x3d0 [16386.256225] vm_area_alloc+0x44/0x150 [16386.256245] mmap_region+0x214/0x10c4 [16386.256265] do_mmap+0x5fc/0x750 [16386.256277] vm_mmap_pgoff+0x14c/0x24c [16386.256292] ksys_mmap_pgoff+0x20c/0x348 [16386.256303] sys_mmap+0xd0/0x160 ...

[16386.256350] Freed by task 0 on cpu 31 at 16386.204848s: [16386.256363] kasan_save_stack+0x34/0x68 [16386.256374] kasan_save_track+0x34/0x80 [16386.256384] kasan_save_free_info+0x64/0x10c [16386.256396] __kasan_slab_free+0x120/0x204 [16386.256415] kmem_cache_free+0x128/0x450 [16386.256428] vm_area_free_rcu_cb+0xa8/0xd8 [16386.256441] rcu_do_batch+0x2c8/0xcf0 [16386.256458] rcu_core+0x378/0x3c4 [16386.256473] handle_softirqs+0x20c/0x60c [16386.256495] do_softirq_own_stack+0x6c/0x88 [16386.256509] do_softirq_own_stack+0x58/0x88 [16386.256521] __irq_exit_rcu+0x1a4/0x20c [16386.256533] irq_exit+0x20/0x38 [16386.256544] interrupt_async_exit_prepare.constprop.0+0x18/0x2c ...

[16386.256717] Last potentially related work creation: [16386.256729] kasan_save_stack+0x34/0x68 [16386.256741] __kasan_record_aux_stack+0xcc/0x12c [16386.256753] __call_rcu_common.constprop.0+0x94/0xd04 [16386.256766] vm_area_free+0x28/0x3c [16386.256778] remove_vma+0xf4/0x114 [16386.256797] do_vmi_align_munmap.constprop.0+0x684/0x870 [16386.256811] __vm_munmap+0xe0/0x1f8 [16386.256821] sys_munmap+0x54/0x6c [16386.256830] system_call_exception+0x1a0/0x4a0 [16386.256841] system_call_vectored_common+0x15c/0x2ec

[16386.256868] The buggy address belongs to the object at c00000014a819670 which belongs to the cache vm_area_struct of size 168 [16386.256887] The buggy address is located 0 bytes inside of freed 168-byte region [c00000014a819670, c00000014a819718)

[16386.256915] The buggy address belongs to the physical page: [16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81 [16386.256950] memcg:c0000000ba430001 [16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff) [16386.256975] page_type: 0xfdffffff(slab) [16386 ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-56765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-06T17:15:42Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/vas: Add close() callback in vas_vm_ops struct\n\nThe mapping VMA address is saved in VAS window struct when the\npaste address is mapped. This VMA address is used during migration\nto unmap the paste address if the window is active. The paste\naddress mapping will be removed when the window is closed or with\nthe munmap(). But the VMA address in the VAS window is not updated\nwith munmap() which is causing invalid access during migration.\n\nThe KASAN report shows:\n[16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8\n[16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928\n\n[16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G    B              6.11.0-rc5-nxgzip #2\n[16386.255128] Tainted: [B]=BAD_PAGE\n[16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries\n[16386.255181] Call Trace:\n[16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable)\n[16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764\n[16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8\n[16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0\n[16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8\n[16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc\n[16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4\n...\n\n[16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s:\n[16386.256149]  kasan_save_stack+0x34/0x68\n[16386.256163]  kasan_save_track+0x34/0x80\n[16386.256175]  kasan_save_alloc_info+0x58/0x74\n[16386.256196]  __kasan_slab_alloc+0xb8/0xdc\n[16386.256209]  kmem_cache_alloc_noprof+0x200/0x3d0\n[16386.256225]  vm_area_alloc+0x44/0x150\n[16386.256245]  mmap_region+0x214/0x10c4\n[16386.256265]  do_mmap+0x5fc/0x750\n[16386.256277]  vm_mmap_pgoff+0x14c/0x24c\n[16386.256292]  ksys_mmap_pgoff+0x20c/0x348\n[16386.256303]  sys_mmap+0xd0/0x160\n...\n\n[16386.256350] Freed by task 0 on cpu 31 at 16386.204848s:\n[16386.256363]  kasan_save_stack+0x34/0x68\n[16386.256374]  kasan_save_track+0x34/0x80\n[16386.256384]  kasan_save_free_info+0x64/0x10c\n[16386.256396]  __kasan_slab_free+0x120/0x204\n[16386.256415]  kmem_cache_free+0x128/0x450\n[16386.256428]  vm_area_free_rcu_cb+0xa8/0xd8\n[16386.256441]  rcu_do_batch+0x2c8/0xcf0\n[16386.256458]  rcu_core+0x378/0x3c4\n[16386.256473]  handle_softirqs+0x20c/0x60c\n[16386.256495]  do_softirq_own_stack+0x6c/0x88\n[16386.256509]  do_softirq_own_stack+0x58/0x88\n[16386.256521]  __irq_exit_rcu+0x1a4/0x20c\n[16386.256533]  irq_exit+0x20/0x38\n[16386.256544]  interrupt_async_exit_prepare.constprop.0+0x18/0x2c\n...\n\n[16386.256717] Last potentially related work creation:\n[16386.256729]  kasan_save_stack+0x34/0x68\n[16386.256741]  __kasan_record_aux_stack+0xcc/0x12c\n[16386.256753]  __call_rcu_common.constprop.0+0x94/0xd04\n[16386.256766]  vm_area_free+0x28/0x3c\n[16386.256778]  remove_vma+0xf4/0x114\n[16386.256797]  do_vmi_align_munmap.constprop.0+0x684/0x870\n[16386.256811]  __vm_munmap+0xe0/0x1f8\n[16386.256821]  sys_munmap+0x54/0x6c\n[16386.256830]  system_call_exception+0x1a0/0x4a0\n[16386.256841]  system_call_vectored_common+0x15c/0x2ec\n\n[16386.256868] The buggy address belongs to the object at c00000014a819670\n                which belongs to the cache vm_area_struct of size 168\n[16386.256887] The buggy address is located 0 bytes inside of\n                freed 168-byte region [c00000014a819670, c00000014a819718)\n\n[16386.256915] The buggy address belongs to the physical page:\n[16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81\n[16386.256950] memcg:c0000000ba430001\n[16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff)\n[16386.256975] page_type: 0xfdffffff(slab)\n[16386\n---truncated---",
  "id": "GHSA-f6j3-h537-397p",
  "modified": "2025-01-08T00:30:49Z",
  "published": "2025-01-06T18:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56765"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/05aa156e156ef3168e7ab8a68721945196495c17"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d9cd27105459f169993a4c5f216499a946dbf34"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8b2282b5084521254a2cd9742a3f4e1d5b77f843"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b7f60ffdfd96f8fc826f1d61a1c6067d828e20b9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.