author | P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> | 2024-08-11 00:12:39 +0300 |
---|---|---|
committer | P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> | 2024-08-11 00:12:39 +0300 |
commit | 848b831c34ae28e7b8132834656ad59dc6b51a87 (patch) | |
tree | 0b18a326840e661d88333ec9aee349709f3596c1 /meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26631.patch | |
parent | b4e4c3191df9ed4a6d560517b61e70cb9b3a6108 (diff) | |
Update to internal 1-1.20update
Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com>
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26631.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26631.patch | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26631.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26631.patch
new file mode 100644
index 000000000..1020a2c6b
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26631.patch
@@ -0,0 +1,76 @@
+From 2e7ef287f07c74985f1bf2858bedc62bd9ebf155 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Wed, 17 Jan 2024 09:21:02 -0800
+Subject: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work
+
+idev->mc_ifc_count can be written over without proper locking.
+
+Originally found by syzbot [1], fix this issue by encapsulating calls
+to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with
+mutex_lock() and mutex_unlock() accordingly as these functions
+should only be called with mc_lock per their declarations.
+
+[1]
+BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work
+
+write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:
+ mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]
+ ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725
+ addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949
+ addrconf_notify+0x310/0x980
+ notifier_call_chain kernel/notifier.c:93 [inline]
+ raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461
+ __dev_notify_flags+0x205/0x3d0
+ dev_change_flags+0xab/0xd0 net/core/dev.c:8685
+ do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916
+ rtnl_group_changelink net/core/rtnetlink.c:3458 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3717 [inline]
+ rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754
+ rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558
+ netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545
+ rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576
+ netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
+ netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368
+ netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910
+ ...
+
+write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:
+ mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700
+ worker_thread+0x525/0x730 kernel/workqueue.c:2781
+ ...
+
+Fixes: 2d9a93b4902b ("mld: convert from timer to delayed work")
+Reported-by: syzbot+a9400cabb1d784e49abf@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/000000000000994e09060ebcdffb@google.com/
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Acked-by: Taehee Yoo <ap420073@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20240117172102.12001-1-n.zhandarovich@fintech.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ net/ipv6/mcast.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+index b75d3c9d41bb50..bc6e0a0bad3c12 100644
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -2722,8 +2722,12 @@ void ipv6_mc_down(struct inet6_dev *idev)
+ synchronize_net();
+ mld_query_stop_work(idev);
+ mld_report_stop_work(idev);
++
++ mutex_lock(&idev->mc_lock);
+ mld_ifc_stop_work(idev);
+ mld_gq_stop_work(idev);
++ mutex_unlock(&idev->mc_lock);
++
+ mld_dad_stop_work(idev);
+ }
+
+--
+cgit 1.2.3-korg
+ |
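Review bot: The header of the added CVE-2024-26631.patch carries no `CVE:` or `Upstream-Status:` tag, so the file name is the only thing tying it to the advisory, and the trailing `cgit 1.2.3-korg` footer is the only hint of where it was taken from. I would add `CVE: CVE-2024-26631` and `Upstream-Status: Backport [2e7ef287f07c74985f1bf2858bedc62bd9ebf155]` (the hash from the `From` line) above the `---` separator, so scanners and later kernel rebases can tell the fix is carried. The diffstat on this page is limited to this one path, so whether the linux-aspeed recipe lists the file in `SRC_URI` is not visible here; a patch that is never referenced is silently not applied. The inner hunk takes `idev->mc_lock` around `mld_ifc_stop_work()` and `mld_gq_stop_work()`, so it is also worth confirming that it applies to the target tree without offset or fuzz and that `mc_lock` exists in that kernel version.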