CVE-2024-56765

In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/vas: Add close() callback in vasvmops struct

The mapping VMA address is saved in VAS window struct when the paste address is mapped. This VMA address is used during migration to unmap the paste address if the window is active. The paste address mapping will be removed when the window is closed or with the munmap(). But the VMA address in the VAS window is not updated with munmap() which is causing invalid access during migration.

The KASAN report shows: [16386.254991] BUG: KASAN: slab-use-after-free in reconfigclosewindows+0x1a0/0x4e8 [16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928

[16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2 [16386.255128] Tainted: [B]=BADPAGE [16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110016) hv:phyp pSeries [16386.255181] Call Trace: [16386.255202] [c00000016b297660] [c0000000018ad0ac] dumpstacklvl+0x84/0xe8 (unreliable) [16386.255246] [c00000016b297690] [c0000000006e8a90] printreport+0x19c/0x764 [16386.255285] [c00000016b297760] [c0000000006e9490] kasanreport+0x128/0x1f8 [16386.255309] [c00000016b297880] [c0000000006eb5c8] _asanload8+0xac/0xe0 [16386.255326] [c00000016b2978a0] [c00000000013f898] reconfigclosewindows+0x1a0/0x4e8 [16386.255343] [c00000016b297990] [c000000000140e58] vasmigrationhandler+0x3a4/0x3fc [16386.255368] [c00000016b297a90] [c000000000128848] pseriesmigratepartition+0x4c/0x4c4 ...

[16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s: [16386.256149] kasansavestack+0x34/0x68 [16386.256163] kasansavetrack+0x34/0x80 [16386.256175] kasansaveallocinfo+0x58/0x74 [16386.256196] _kasanslaballoc+0xb8/0xdc [16386.256209] kmemcacheallocnoprof+0x200/0x3d0 [16386.256225] vmareaalloc+0x44/0x150 [16386.256245] mmapregion+0x214/0x10c4 [16386.256265] dommap+0x5fc/0x750 [16386.256277] vmmmappgoff+0x14c/0x24c [16386.256292] ksysmmappgoff+0x20c/0x348 [16386.256303] sysmmap+0xd0/0x160 ...

[16386.256350] Freed by task 0 on cpu 31 at 16386.204848s: [16386.256363] kasansavestack+0x34/0x68 [16386.256374] kasansavetrack+0x34/0x80 [16386.256384] kasansavefreeinfo+0x64/0x10c [16386.256396] _kasanslabfree+0x120/0x204 [16386.256415] kmemcachefree+0x128/0x450 [16386.256428] vmareafreercucb+0xa8/0xd8 [16386.256441] rcudobatch+0x2c8/0xcf0 [16386.256458] rcucore+0x378/0x3c4 [16386.256473] handlesoftirqs+0x20c/0x60c [16386.256495] dosoftirqownstack+0x6c/0x88 [16386.256509] dosoftirqownstack+0x58/0x88 [16386.256521] _irqexitrcu+0x1a4/0x20c [16386.256533] irqexit+0x20/0x38 [16386.256544] interruptasyncexit_prepare.constprop.0+0x18/0x2c ...

[16386.256717] Last potentially related work creation: [16386.256729] kasansavestack+0x34/0x68 [16386.256741] _kasanrecordauxstack+0xcc/0x12c [16386.256753] _callrcucommon.constprop.0+0x94/0xd04 [16386.256766] vmareafree+0x28/0x3c [16386.256778] removevma+0xf4/0x114 [16386.256797] dovmialignmunmap.constprop.0+0x684/0x870 [16386.256811] _vmmunmap+0xe0/0x1f8 [16386.256821] sysmunmap+0x54/0x6c [16386.256830] systemcallexception+0x1a0/0x4a0 [16386.256841] systemcallvectored_common+0x15c/0x2ec

[16386.256868] The buggy address belongs to the object at c00000014a819670 which belongs to the cache vmareastruct of size 168 [16386.256887] The buggy address is located 0 bytes inside of freed 168-byte region [c00000014a819670, c00000014a819718)

[16386.256915] The buggy address belongs to the physical page: [16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81 [16386.256950] memcg:c0000000ba430001 [16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff) [16386.256975] page_type: 0xfdffffff(slab) [16386 ---truncated---