In the Linux kernel, the following vulnerability has been resolved:
fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
copy_fd_bitmaps(new, old, count) is expected to copy the first count/BITS_PER_LONG bits from old->full_fds_bits[] and fill the rest with zeroes. What it does is copy enough words (BITS_TO_LONGS(count/BITS_PER_LONG)), then memset the rest. That works fine if all bits past the cutoff point are clear. Otherwise we are risking garbage from the last word we'd copied.
For most of the callers that is true - expand_fdtable() has count equal to old->max_fds, so there are no open descriptors past count, let alone fully occupied words in ->open_fds[], which is what bits in ->full_fds_bits[] correspond to.
The other caller (dup_fd()) passes sane_fdtable_size(old_fdt, max_fds), which is the smallest multiple of BITS_PER_LONG that covers all opened descriptors below max_fds. In the common case (copying on fork()) max_fds is ~0U, so all opened descriptors will be below it and we are fine, for the same reasons that the call in expand_fdtable() is safe.
Unfortunately, there is a case where max_fds is less than that and where we might, indeed, end up with junk in ->full_fds_bits[] - close_range(from, to, CLOSE_RANGE_UNSHARE) with
* descriptor table being currently shared
* 'to' being above the current capacity of descriptor table
* 'from' being just under some chunk of opened descriptors.
In that case we end up with observably wrong behaviour - e.g. spawn a child with CLONE_FILES, get all descriptors in range 0..127 open, then close_range(64, ~0U, CLOSE_RANGE_UNSHARE) and watch dup(0) ending up with descriptor #128, despite #64 being observably not open.
The minimally invasive fix would be to deal with that in dup_fd(). If this proves to add measurable overhead, we can go that way, but let's try to fix copy_fd_bitmaps() first.
Reproducer added to tools/testing/selftests/core/close_range_test.c
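As an added illustration that is not the kernel's code and not part of the commit, the userspace model below reproduces the bitmap corruption in the exact scenario the message describes (fds 0..127 open, unshare keeping only 0..63) and shows the masked copy that prevents it. `struct fdt_model`, `MAX_FDS`, `find_free_fd` and `first_free_after_unshare` are constructed for the model; `bitmap_copy_and_extend` here is a stand-in written after the shape of the helper the fix adds to include/linux/bitmap.h, not a copy of it.

```c
#include <stdio.h>
#include <string.h>
#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define LAST_WORD_MASK(n) (~0UL >> (-(n) & (BITS_PER_LONG - 1)))
#define MAX_FDS 256u                      /* capacity of the constructed model table */
#define FDT_WORDS BITS_TO_LONGS(MAX_FDS)
/* Userspace model (not kernel code): open_fds has one bit per fd, full_fds_bits
 * one bit per open_fds word, set when that word is entirely occupied. */
struct fdt_model { unsigned long open_fds[FDT_WORDS];
                   unsigned long full_fds_bits[BITS_TO_LONGS(FDT_WORDS)]; };
/* The copy the commit message describes: count/BITS_PER_LONG bits of full_fds_bits
 * are wanted, but BITS_TO_LONGS() whole words are copied, so bits past the cutoff survive. */
static void copy_fd_bitmaps_buggy(struct fdt_model *dst, const struct fdt_model *src, unsigned count) {
    size_t cpy = BITS_TO_LONGS(count) * sizeof(long);
    memcpy(dst->open_fds, src->open_fds, cpy);
    memset((char *)dst->open_fds + cpy, 0, sizeof(dst->open_fds) - cpy);
    cpy = BITS_TO_LONGS(count / BITS_PER_LONG) * sizeof(long);
    memcpy(dst->full_fds_bits, src->full_fds_bits, cpy);
    memset((char *)dst->full_fds_bits + cpy, 0, sizeof(dst->full_fds_bits) - cpy);
}
/* Masked copy: copy `count` bits, clear the tail of the last copied word, then
 * zero up to `size` bits. Stand-in modelled on the helper the fix adds to bitmap.h. */
static void bitmap_copy_and_extend(unsigned long *to, const unsigned long *from, unsigned count, unsigned size) {
    unsigned copy = BITS_TO_LONGS(count);
    memcpy(to, from, copy * sizeof(long));
    if (count % BITS_PER_LONG)
        to[copy - 1] &= LAST_WORD_MASK(count);
    memset(to + copy, 0, (BITS_TO_LONGS(size) - copy) * sizeof(long));
}
static void copy_fd_bitmaps_fixed(struct fdt_model *dst, const struct fdt_model *src, unsigned count) {
    bitmap_copy_and_extend(dst->open_fds, src->open_fds, count, MAX_FDS);
    bitmap_copy_and_extend(dst->full_fds_bits, src->full_fds_bits, count / BITS_PER_LONG, FDT_WORDS);
}
/* Lowest free fd, looked up the way the kernel does: a word flagged in
 * full_fds_bits is skipped without consulting open_fds at all. */
static unsigned find_free_fd(const struct fdt_model *fdt) {
    for (unsigned w = 0; w < FDT_WORDS; w++) {
        if (fdt->full_fds_bits[w / BITS_PER_LONG] & (1UL << (w % BITS_PER_LONG)))
            continue;
        for (unsigned b = 0; b < BITS_PER_LONG; b++)
            if (!(fdt->open_fds[w] & (1UL << b)))
                return w * BITS_PER_LONG + b;
    }
    return MAX_FDS;
}
/* Scenario from the commit message: fds 0..127 open in a shared table, then
 * close_range(64, ~0U, CLOSE_RANGE_UNSHARE) copies only the first 64 fds into a
 * fresh table. Returns the fd a following dup(0) would be handed. */
static unsigned first_free_after_unshare(int use_fixed_copy) {
    struct fdt_model parent = {{0}}, child;
    for (unsigned w = 0; w < 128 / BITS_PER_LONG; w++) {   /* 0..127 open: full words */
        parent.open_fds[w] = ~0UL;
        parent.full_fds_bits[w / BITS_PER_LONG] |= 1UL << (w % BITS_PER_LONG);
    }
    if (use_fixed_copy) copy_fd_bitmaps_fixed(&child, &parent, 64);
    else copy_fd_bitmaps_buggy(&child, &parent, 64);
    return find_free_fd(&child);
}
int main(void) {
    printf("dup(0) after unshare: buggy copy -> fd %u, fixed copy -> fd %u\n",
           first_free_after_unshare(0), first_free_after_unshare(1));
    return 0;
}
```

The buggy copy leaves the full_fds_bits bit for word 1 set although no fd in 64..127 survived the unshare, so the lookup skips that word and lands on 128; the masked copy clears it and 64 is handed out.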
[
{
"deprecated": false,
"id": "CVE-2024-45025-076731df",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "tools/testing/selftests/core/close_range_test.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"219139376158339616918989515835020819487"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9a2fa1472083580b6c66bdaf291f591e1170123a"
},
{
"deprecated": false,
"id": "CVE-2024-45025-0b337dcb",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "copy_fdtable",
"file": "fs/file.c"
},
"digest": {
"length": 393.0,
"function_hash": "165449564190668596343212312544332944426"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9a2fa1472083580b6c66bdaf291f591e1170123a"
},
{
"deprecated": false,
"id": "CVE-2024-45025-105adf76",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "copy_fd_bitmaps",
"file": "fs/file.c"
},
"digest": {
"length": 653.0,
"function_hash": "72136500454928417410649883145299847766"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8cad3b2b3ab81ca55f37405ffd1315bcc2948058"
},
{
"deprecated": false,
"id": "CVE-2024-45025-10f7d0ea",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "fs/file.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"140035284465765255410650082339772883236",
"29975136433575091331912728737837290403",
"133642162123375836853500209721250790955",
"173311606160025494100610479998342951303",
"150907349912753874978348070302620758802",
"13072952231326433705624375765048504578",
"307336794951781585831506866267030995208",
"141595942789476713468446947273831904087",
"91316734043344225804675109495090554485",
"17669177363952748274268706434252583782",
"238615743167854248002738352656025406960",
"282358657425335833032920371374496669174",
"117827988711240626760064772734827518721",
"285375823315558974313408588658319358848",
"280144910057584759187979523553620317294",
"78168531628797276635700476427959386798",
"140972091728740412787637758903784283002",
"244927041032436751345387641020546499903",
"5809466830644346439112514309200768592",
"294481774586885248917973390815336198565",
"32655772192783341511238565124038610367",
"191833401900674752129263562672473547863",
"144267391029736684587857210712071287508",
"5455082605868074889222238666254369476",
"141583299090213447267646160442950755876"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8cad3b2b3ab81ca55f37405ffd1315bcc2948058"
},
{
"deprecated": false,
"id": "CVE-2024-45025-1263cd64",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "copy_fdtable",
"file": "fs/file.c"
},
"digest": {
"length": 393.0,
"function_hash": "165449564190668596343212312544332944426"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5053581fe5dfb09b58c65dd8462bf5dea71f41ff"
},
{
"deprecated": false,
"id": "CVE-2024-45025-12b5154f",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "dup_fd",
"file": "fs/file.c"
},
"digest": {
"length": 1622.0,
"function_hash": "321375597404339642973180570965791812089"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd72ae8b0fce9c0bbe9582b9b50820f0407f8d8a"
},
{
"deprecated": false,
"id": "CVE-2024-45025-154bfd66",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "tools/testing/selftests/core/close_range_test.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"219139376158339616918989515835020819487"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8cad3b2b3ab81ca55f37405ffd1315bcc2948058"
},
{
"deprecated": false,
"id": "CVE-2024-45025-1b326ab3",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "include/linux/bitmap.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"187603153362332158270770249680367891111",
"31267120628031518573287074943470843010",
"242040990304344641564721541798886789914"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5053581fe5dfb09b58c65dd8462bf5dea71f41ff"
},
{
"deprecated": false,
"id": "CVE-2024-45025-1d956bed",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "fs/file.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"140035284465765255410650082339772883236",
"29975136433575091331912728737837290403",
"133642162123375836853500209721250790955",
"173311606160025494100610479998342951303",
"150907349912753874978348070302620758802",
"13072952231326433705624375765048504578",
"307336794951781585831506866267030995208",
"141595942789476713468446947273831904087",
"91316734043344225804675109495090554485",
"17669177363952748274268706434252583782",
"238615743167854248002738352656025406960",
"282358657425335833032920371374496669174",
"117827988711240626760064772734827518721",
"285375823315558974313408588658319358848",
"280144910057584759187979523553620317294",
"78168531628797276635700476427959386798",
"140972091728740412787637758903784283002",
"244927041032436751345387641020546499903",
"5809466830644346439112514309200768592",
"294481774586885248917973390815336198565",
"32655772192783341511238565124038610367",
"191833401900674752129263562672473547863",
"144267391029736684587857210712071287508",
"5455082605868074889222238666254369476",
"141583299090213447267646160442950755876"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd72ae8b0fce9c0bbe9582b9b50820f0407f8d8a"
},
{
"deprecated": false,
"id": "CVE-2024-45025-1e7c0e6a",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "include/linux/bitmap.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"187603153362332158270770249680367891111",
"166420519324287240400053675362624114031",
"282825940731260021526892691720438634813"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe5bf14881701119aeeda7cf685f3c226c7380df"
},
{
"deprecated": false,
"id": "CVE-2024-45025-20da2ba4",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "copy_fdtable",
"file": "fs/file.c"
},
"digest": {
"length": 393.0,
"function_hash": "165449564190668596343212312544332944426"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd72ae8b0fce9c0bbe9582b9b50820f0407f8d8a"
},
{
"deprecated": false,
"id": "CVE-2024-45025-3e2ab217",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "copy_fdtable",
"file": "fs/file.c"
},
"digest": {
"length": 393.0,
"function_hash": "165449564190668596343212312544332944426"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe5bf14881701119aeeda7cf685f3c226c7380df"
},
{
"deprecated": false,
"id": "CVE-2024-45025-4ae3d774",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "fs/file.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"140035284465765255410650082339772883236",
"29975136433575091331912728737837290403",
"133642162123375836853500209721250790955",
"173311606160025494100610479998342951303",
"150907349912753874978348070302620758802",
"13072952231326433705624375765048504578",
"307336794951781585831506866267030995208",
"141595942789476713468446947273831904087",
"91316734043344225804675109495090554485",
"17669177363952748274268706434252583782",
"238615743167854248002738352656025406960",
"282358657425335833032920371374496669174",
"117827988711240626760064772734827518721",
"285375823315558974313408588658319358848",
"280144910057584759187979523553620317294",
"78168531628797276635700476427959386798",
"140972091728740412787637758903784283002",
"244927041032436751345387641020546499903",
"5809466830644346439112514309200768592",
"294481774586885248917973390815336198565",
"32655772192783341511238565124038610367",
"191833401900674752129263562672473547863",
"144267391029736684587857210712071287508",
"5455082605868074889222238666254369476",
"141583299090213447267646160442950755876"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe5bf14881701119aeeda7cf685f3c226c7380df"
},
{
"deprecated": false,
"id": "CVE-2024-45025-4c41ee7f",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "dup_fd",
"file": "fs/file.c"
},
"digest": {
"length": 1622.0,
"function_hash": "321375597404339642973180570965791812089"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8cad3b2b3ab81ca55f37405ffd1315bcc2948058"
},
{
"deprecated": false,
"id": "CVE-2024-45025-4cde9786",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "tools/testing/selftests/core/close_range_test.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"219139376158339616918989515835020819487"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd72ae8b0fce9c0bbe9582b9b50820f0407f8d8a"
},
{
"deprecated": false,
"id": "CVE-2024-45025-5d215308",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "copy_fdtable",
"file": "fs/file.c"
},
"digest": {
"length": 393.0,
"function_hash": "165449564190668596343212312544332944426"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c69d18f0ac7060de724511537810f10f29a27958"
},
{
"deprecated": false,
"id": "CVE-2024-45025-60b8dc8f",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "dup_fd",
"file": "fs/file.c"
},
"digest": {
"length": 1622.0,
"function_hash": "321375597404339642973180570965791812089"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5053581fe5dfb09b58c65dd8462bf5dea71f41ff"
},
{
"deprecated": false,
"id": "CVE-2024-45025-7f4a3c5d",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "include/linux/bitmap.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"187603153362332158270770249680367891111",
"31267120628031518573287074943470843010",
"242040990304344641564721541798886789914"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8cad3b2b3ab81ca55f37405ffd1315bcc2948058"
},
{
"deprecated": false,
"id": "CVE-2024-45025-7f9ca477",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "dup_fd",
"file": "fs/file.c"
},
"digest": {
"length": 1622.0,
"function_hash": "321375597404339642973180570965791812089"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c69d18f0ac7060de724511537810f10f29a27958"
},
{
"deprecated": false,
"id": "CVE-2024-45025-858dddd0",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "tools/testing/selftests/core/close_range_test.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"219139376158339616918989515835020819487"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c69d18f0ac7060de724511537810f10f29a27958"
},
{
"deprecated": false,
"id": "CVE-2024-45025-8fbb0902",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "copy_fd_bitmaps",
"file": "fs/file.c"
},
"digest": {
"length": 653.0,
"function_hash": "72136500454928417410649883145299847766"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5053581fe5dfb09b58c65dd8462bf5dea71f41ff"
},
{
"deprecated": false,
"id": "CVE-2024-45025-9a961dca",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "fs/file.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"140035284465765255410650082339772883236",
"29975136433575091331912728737837290403",
"133642162123375836853500209721250790955",
"173311606160025494100610479998342951303",
"150907349912753874978348070302620758802",
"13072952231326433705624375765048504578",
"307336794951781585831506866267030995208",
"141595942789476713468446947273831904087",
"91316734043344225804675109495090554485",
"17669177363952748274268706434252583782",
"238615743167854248002738352656025406960",
"282358657425335833032920371374496669174",
"117827988711240626760064772734827518721",
"285375823315558974313408588658319358848",
"280144910057584759187979523553620317294",
"78168531628797276635700476427959386798",
"140972091728740412787637758903784283002",
"244927041032436751345387641020546499903",
"5809466830644346439112514309200768592",
"294481774586885248917973390815336198565",
"32655772192783341511238565124038610367",
"191833401900674752129263562672473547863",
"144267391029736684587857210712071287508",
"5455082605868074889222238666254369476",
"141583299090213447267646160442950755876"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9a2fa1472083580b6c66bdaf291f591e1170123a"
},
{
"deprecated": false,
"id": "CVE-2024-45025-9b29db30",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "fs/file.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"140035284465765255410650082339772883236",
"29975136433575091331912728737837290403",
"133642162123375836853500209721250790955",
"173311606160025494100610479998342951303",
"150907349912753874978348070302620758802",
"13072952231326433705624375765048504578",
"307336794951781585831506866267030995208",
"141595942789476713468446947273831904087",
"91316734043344225804675109495090554485",
"17669177363952748274268706434252583782",
"238615743167854248002738352656025406960",
"282358657425335833032920371374496669174",
"117827988711240626760064772734827518721",
"285375823315558974313408588658319358848",
"280144910057584759187979523553620317294",
"78168531628797276635700476427959386798",
"140972091728740412787637758903784283002",
"244927041032436751345387641020546499903",
"5809466830644346439112514309200768592",
"294481774586885248917973390815336198565",
"32655772192783341511238565124038610367",
"191833401900674752129263562672473547863",
"144267391029736684587857210712071287508",
"5455082605868074889222238666254369476",
"141583299090213447267646160442950755876"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5053581fe5dfb09b58c65dd8462bf5dea71f41ff"
},
{
"deprecated": false,
"id": "CVE-2024-45025-b39653c5",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "copy_fd_bitmaps",
"file": "fs/file.c"
},
"digest": {
"length": 653.0,
"function_hash": "72136500454928417410649883145299847766"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe5bf14881701119aeeda7cf685f3c226c7380df"
},
{
"deprecated": false,
"id": "CVE-2024-45025-b9a35337",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "fs/file.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"140035284465765255410650082339772883236",
"29975136433575091331912728737837290403",
"133642162123375836853500209721250790955",
"173311606160025494100610479998342951303",
"150907349912753874978348070302620758802",
"13072952231326433705624375765048504578",
"307336794951781585831506866267030995208",
"141595942789476713468446947273831904087",
"91316734043344225804675109495090554485",
"17669177363952748274268706434252583782",
"238615743167854248002738352656025406960",
"282358657425335833032920371374496669174",
"117827988711240626760064772734827518721",
"285375823315558974313408588658319358848",
"280144910057584759187979523553620317294",
"78168531628797276635700476427959386798",
"140972091728740412787637758903784283002",
"244927041032436751345387641020546499903",
"5809466830644346439112514309200768592",
"294481774586885248917973390815336198565",
"32655772192783341511238565124038610367",
"191833401900674752129263562672473547863",
"144267391029736684587857210712071287508",
"5455082605868074889222238666254369476",
"141583299090213447267646160442950755876"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c69d18f0ac7060de724511537810f10f29a27958"
},
{
"deprecated": false,
"id": "CVE-2024-45025-bc89a06e",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "copy_fd_bitmaps",
"file": "fs/file.c"
},
"digest": {
"length": 653.0,
"function_hash": "72136500454928417410649883145299847766"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd72ae8b0fce9c0bbe9582b9b50820f0407f8d8a"
},
{
"deprecated": false,
"id": "CVE-2024-45025-be7c2cd3",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "dup_fd",
"file": "fs/file.c"
},
"digest": {
"length": 1622.0,
"function_hash": "321375597404339642973180570965791812089"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe5bf14881701119aeeda7cf685f3c226c7380df"
},
{
"deprecated": false,
"id": "CVE-2024-45025-c3b4dbac",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "tools/testing/selftests/core/close_range_test.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"219139376158339616918989515835020819487"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5053581fe5dfb09b58c65dd8462bf5dea71f41ff"
},
{
"deprecated": false,
"id": "CVE-2024-45025-ca456ec4",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "dup_fd",
"file": "fs/file.c"
},
"digest": {
"length": 1622.0,
"function_hash": "321375597404339642973180570965791812089"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9a2fa1472083580b6c66bdaf291f591e1170123a"
},
{
"deprecated": false,
"id": "CVE-2024-45025-d5d74baa",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "copy_fd_bitmaps",
"file": "fs/file.c"
},
"digest": {
"length": 653.0,
"function_hash": "72136500454928417410649883145299847766"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9a2fa1472083580b6c66bdaf291f591e1170123a"
},
{
"deprecated": false,
"id": "CVE-2024-45025-d8405404",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "include/linux/bitmap.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"187603153362332158270770249680367891111",
"31267120628031518573287074943470843010",
"242040990304344641564721541798886789914"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9a2fa1472083580b6c66bdaf291f591e1170123a"
},
{
"deprecated": false,
"id": "CVE-2024-45025-ddaf1ad5",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "include/linux/bitmap.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"187603153362332158270770249680367891111",
"31267120628031518573287074943470843010",
"242040990304344641564721541798886789914"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c69d18f0ac7060de724511537810f10f29a27958"
},
{
"deprecated": false,
"id": "CVE-2024-45025-e9ab63d7",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "include/linux/bitmap.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"187603153362332158270770249680367891111",
"31267120628031518573287074943470843010",
"242040990304344641564721541798886789914"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd72ae8b0fce9c0bbe9582b9b50820f0407f8d8a"
},
{
"deprecated": false,
"id": "CVE-2024-45025-ef2c709b",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "copy_fdtable",
"file": "fs/file.c"
},
"digest": {
"length": 393.0,
"function_hash": "165449564190668596343212312544332944426"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8cad3b2b3ab81ca55f37405ffd1315bcc2948058"
},
{
"deprecated": false,
"id": "CVE-2024-45025-fa9ede95",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"function": "copy_fd_bitmaps",
"file": "fs/file.c"
},
"digest": {
"length": 653.0,
"function_hash": "72136500454928417410649883145299847766"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c69d18f0ac7060de724511537810f10f29a27958"
}
]