CVE-2024-26957

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26957
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26957.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26957
Related
Published
2024-05-01T06:15:11Z
Modified
2024-11-05T10:50:05.100245Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

s390/zcrypt: fix reference counting on zcrypt card objects

Tests with hot-plugging crytpo cards on KVM guests with debug kernel build revealed an use after free for the load field of the struct zcrypt_card. The reason was an incorrect reference handling of the zcrypt card object which could lead to a free of the zcrypt card object while it was still in use.

This is an example of the slab message:

kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b
kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43
kernel:  kmalloc_trace+0x3f2/0x470
kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]
kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]
kernel:  ap_device_probe+0x15c/0x290
kernel:  really_probe+0xd2/0x468
kernel:  driver_probe_device+0x40/0xf0
kernel:  __device_attach_driver+0xc0/0x140
kernel:  bus_for_each_drv+0x8c/0xd0
kernel:  __device_attach+0x114/0x198
kernel:  bus_probe_device+0xb4/0xc8
kernel:  device_add+0x4d2/0x6e0
kernel:  ap_scan_adapter+0x3d0/0x7c0
kernel:  ap_scan_bus+0x5a/0x3b0
kernel:  ap_scan_bus_wq_callback+0x40/0x60
kernel:  process_one_work+0x26e/0x620
kernel:  worker_thread+0x21c/0x440
kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43
kernel:  kfree+0x37e/0x418
kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]
kernel:  ap_device_remove+0x4c/0xe0
kernel:  device_release_driver_internal+0x1c4/0x270
kernel:  bus_remove_device+0x100/0x188
kernel:  device_del+0x164/0x3c0
kernel:  device_unregister+0x30/0x90
kernel:  ap_scan_adapter+0xc8/0x7c0
kernel:  ap_scan_bus+0x5a/0x3b0
kernel:  ap_scan_bus_wq_callback+0x40/0x60
kernel:  process_one_work+0x26e/0x620
kernel:  worker_thread+0x21c/0x440
kernel:  kthread+0x150/0x168
kernel:  __ret_from_fork+0x3c/0x58
kernel:  ret_from_fork+0xa/0x30
kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)
kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88
kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........
kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.
kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........
kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ
kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2
kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)
kernel: Call Trace:
kernel:  [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120
kernel:  [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140
kernel:  [<00000000c99d53cc>] check_object+0x334/0x3f8
kernel:  [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8
kernel:  [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0
kernel:  [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8
kernel:  [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8
kernel:  [<00000000c99dc8dc>] __kmalloc+0x434/0x590
kernel:  [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0
kernel:  [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0
kernel:

---truncated---

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.216-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1
5.10.205-1
5.10.205-2
5.10.209-1
5.10.209-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.85-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.7.12-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}