CVE-2024-26983

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26983
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26983.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26983
Related
Published
2024-05-01T06:15:15Z
Modified
2024-09-11T05:03:37.903282Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bootconfig: use memblockfreelate to free xbc memory to buddy

On the time to free xbc memory in xbcexit(), memblock may has handed over memory to buddy allocator. So it doesn't make sense to free memory back to memblock. memblockfree() called by xbcexit() even causes UAF bugs on architectures with CONFIGARCHKEEPMEMBLOCK disabled like x86. Following KASAN logs shows this case.

This patch fixes the xbc memory free problem by calling memblockfree() in early xbc init error rewind path and calling memblockfree_late() in xbc exit path to free memory to buddy allocator.

[ 9.410890] ================================================================== [ 9.418962] BUG: KASAN: use-after-free in memblockisolaterange+0x12d/0x260 [ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1

[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5 [ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023 [ 9.460789] Call Trace: [ 9.463518] <TASK> [ 9.465859] dumpstacklvl+0x53/0x70 [ 9.469949] printreport+0xce/0x610 [ 9.473944] ? _virtaddrvalid+0xf5/0x1b0 [ 9.478619] ? memblockisolaterange+0x12d/0x260 [ 9.483877] kasanreport+0xc6/0x100 [ 9.487870] ? memblockisolaterange+0x12d/0x260 [ 9.493125] memblockisolaterange+0x12d/0x260 [ 9.498187] memblockphysfree+0xb4/0x160 [ 9.502762] ? _pfxmemblockphysfree+0x10/0x10 [ 9.508021] ? mutexunlock+0x7e/0xd0 [ 9.512111] ? _pfxmutexunlock+0x10/0x10 [ 9.516786] ? kernelinitfreeable+0x2d4/0x430 [ 9.521850] ? _pfxkernelinit+0x10/0x10 [ 9.526426] xbcexit+0x17/0x70 [ 9.529935] kernelinit+0x38/0x1e0 [ 9.533829] ? rawspinunlockirq+0xd/0x30 [ 9.538601] retfromfork+0x2c/0x50 [ 9.542596] ? _pfxkernelinit+0x10/0x10 [ 9.547170] retfromforkasm+0x1a/0x30 [ 9.551552] </TASK>

[ 9.555649] The buggy address belongs to the physical page: [ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30 [ 9.570821] flags: 0x200000000000000(node=0|zone=2) [ 9.576271] page_type: 0xffffffff() [ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000 [ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 9.597476] page dumped because: kasan: bad access detected

[ 9.605362] Memory state around the buggy address: [ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 9.634930] ^ [ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 9.654675] ==================================================================

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.90-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.8.9-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}