CVE-2024-26957

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 01/05/2024
Last modified: 20/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

s390/zcrypt: fix reference counting on zcrypt card objects

Tests with hot-plugging crypto cards on KVM guests with debug kernel build revealed a use after free for the load field of the struct zcrypt_card. The reason was an incorrect reference handling of the zcrypt card object which could lead to a free of the zcrypt card object while it was still in use.

This is an example of the slab message:

kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b
kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43
kernel: kmalloc_trace+0x3f2/0x470
kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt]
kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]
kernel: ap_device_probe+0x15c/0x290
kernel: really_probe+0xd2/0x468
kernel: driver_probe_device+0x40/0xf0
kernel: __device_attach_driver+0xc0/0x140
kernel: bus_for_each_drv+0x8c/0xd0
kernel: __device_attach+0x114/0x198
kernel: bus_probe_device+0xb4/0xc8
kernel: device_add+0x4d2/0x6e0
kernel: ap_scan_adapter+0x3d0/0x7c0
kernel: ap_scan_bus+0x5a/0x3b0
kernel: ap_scan_bus_wq_callback+0x40/0x60
kernel: process_one_work+0x26e/0x620
kernel: worker_thread+0x21c/0x440
kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43
kernel: kfree+0x37e/0x418
kernel: zcrypt_card_put+0x54/0x80 [zcrypt]
kernel: ap_device_remove+0x4c/0xe0
kernel: device_release_driver_internal+0x1c4/0x270
kernel: bus_remove_device+0x100/0x188
kernel: device_del+0x164/0x3c0
kernel: device_unregister+0x30/0x90
kernel: ap_scan_adapter+0xc8/0x7c0
kernel: ap_scan_bus+0x5a/0x3b0
kernel: ap_scan_bus_wq_callback+0x40/0x60
kernel: process_one_work+0x26e/0x620
kernel: worker_thread+0x21c/0x440
kernel: kthread+0x150/0x168
kernel: __ret_from_fork+0x3c/0x58
kernel: ret_from_fork+0xa/0x30
kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)
kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88
kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........
kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk.
kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........
kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2
kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)
kernel: Call Trace:
kernel: [] dump_stack_lvl+0x90/0x120
kernel: [] check_bytes_and_report+0x114/0x140
kernel: [] check_object+0x334/0x3f8
kernel: [] alloc_debug_processing+0xc4/0x1f8
kernel: [] get_partial_node.part.0+0x1ee/0x3e0
kernel: [] ___slab_alloc+0xaf4/0x13c8
kernel: [] __slab_alloc.constprop.0+0x78/0xb8
kernel: [] __kmalloc+0x434/0x590
kernel: [] ext4_htree_store_dirent+0x4e/0x1c0
kernel: [] htree_dirblock_to_tree+0x17a/0x3f0
kernel:
---truncated---
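The lifetime rule the fix restores, as an added illustration that is not the kernel's zcrypt code: a card object whose memory is released on the last reference drop, a request path that touches its load field, and a remove path that drops the creator's reference while the request is in flight. The struct, function names and the one-object static "slab" are constructed for this example; the poison check mirrors what the debug kernel's check_bytes_and_report does when it prints "First byte 0x68 instead of 0x6b".

```c
#include <stddef.h>
#include <string.h>
#define POISON_FREE 0x6b  /* SLUB's free-object poison byte: the 0x6b in the log */

struct card { int refcount; int load; };
/* Constructed one-object "slab": a static card so freed memory can be inspected. */
static struct card slab_obj;

static struct card *card_alloc(void)
{
    struct card *c = &slab_obj;
    c->refcount = 1;  /* the probe path holds the initial reference */
    c->load = 0;
    return c;
}
static void card_get(struct card *c) { c->refcount++; }
/* Drop one reference; on the last put, poison and release the object. */
static int card_put(struct card *c)
{
    if (--c->refcount > 0) return 0;
    memset(c, POISON_FREE, sizeof *c);
    return 1;
}
/* check_bytes_and_report in miniature: a freed object must still be all poison. */
static int freed_object_intact(void)
{
    const unsigned char *p = (const unsigned char *)&slab_obj;
    for (size_t i = 0; i < sizeof slab_obj; i++)
        if (p[i] != POISON_FREE) return 0;
    return 1;
}
/* The bug class: the remove path drops the last reference while a request is
 * still using load; the stray write corrupts the poison, so this returns 0. */
static int request_without_reference(void)
{
    struct card *c = card_alloc();
    card_put(c);      /* remove path: last reference, object freed */
    c->load += 1;     /* use after free (harmless here: static storage) */
    return freed_object_intact();
}
/* The fix's discipline: the request pins the card while it touches load. */
static int request_with_reference(void)
{
    struct card *c = card_alloc();
    card_get(c);      /* request path takes its own reference */
    card_put(c);      /* remove path drops the probe reference; still alive */
    int load = ++c->load;
    card_put(c);      /* last reference released only after the access */
    return freed_object_intact() ? load : -1;
}
```

With CONFIG_SLUB_DEBUG poisoning enabled, the real kernel reports the corrupted poison only when the slab object is next allocated, which is why the log's reporting stack sits under an unrelated ext4 allocation rather than under zcrypt.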

Vulnerable products and versions

CPE                                               From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      -                     4.19.312 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.20 (including)      5.4.274 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.5 (including)       5.10.215 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)      5.15.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)      6.1.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)       6.6.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)       6.7.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.8 (including)       6.8.3 (excluding)
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*  -                     -