CVE-2024-56765
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 06/01/2025
Last modified: 03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/vas: Add close() callback in vas_vm_ops struct

The mapping VMA address is saved in VAS window struct when the
paste address is mapped. This VMA address is used during migration
to unmap the paste address if the window is active. The paste
address mapping will be removed when the window is closed or with
the munmap(). But the VMA address in the VAS window is not updated
with munmap() which is causing invalid access during migration.

The KASAN report shows:
[16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8
[16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928

[16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2
[16386.255128] Tainted: [B]=BAD_PAGE
[16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries
[16386.255181] Call Trace:
[16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable)
[16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764
[16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8
[16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0
[16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8
[16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc
[16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4
...

[16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s:
[16386.256149] kasan_save_stack+0x34/0x68
[16386.256163] kasan_save_track+0x34/0x80
[16386.256175] kasan_save_alloc_info+0x58/0x74
[16386.256196] __kasan_slab_alloc+0xb8/0xdc
[16386.256209] kmem_cache_alloc_noprof+0x200/0x3d0
[16386.256225] vm_area_alloc+0x44/0x150
[16386.256245] mmap_region+0x214/0x10c4
[16386.256265] do_mmap+0x5fc/0x750
[16386.256277] vm_mmap_pgoff+0x14c/0x24c
[16386.256292] ksys_mmap_pgoff+0x20c/0x348
[16386.256303] sys_mmap+0xd0/0x160
...

[16386.256350] Freed by task 0 on cpu 31 at 16386.204848s:
[16386.256363] kasan_save_stack+0x34/0x68
[16386.256374] kasan_save_track+0x34/0x80
[16386.256384] kasan_save_free_info+0x64/0x10c
[16386.256396] __kasan_slab_free+0x120/0x204
[16386.256415] kmem_cache_free+0x128/0x450
[16386.256428] vm_area_free_rcu_cb+0xa8/0xd8
[16386.256441] rcu_do_batch+0x2c8/0xcf0
[16386.256458] rcu_core+0x378/0x3c4
[16386.256473] handle_softirqs+0x20c/0x60c
[16386.256495] do_softirq_own_stack+0x6c/0x88
[16386.256509] do_softirq_own_stack+0x58/0x88
[16386.256521] __irq_exit_rcu+0x1a4/0x20c
[16386.256533] irq_exit+0x20/0x38
[16386.256544] interrupt_async_exit_prepare.constprop.0+0x18/0x2c
...

[16386.256717] Last potentially related work creation:
[16386.256729] kasan_save_stack+0x34/0x68
[16386.256741] __kasan_record_aux_stack+0xcc/0x12c
[16386.256753] __call_rcu_common.constprop.0+0x94/0xd04
[16386.256766] vm_area_free+0x28/0x3c
[16386.256778] remove_vma+0xf4/0x114
[16386.256797] do_vmi_align_munmap.constprop.0+0x684/0x870
[16386.256811] __vm_munmap+0xe0/0x1f8
[16386.256821] sys_munmap+0x54/0x6c
[16386.256830] system_call_exception+0x1a0/0x4a0
[16386.256841] system_call_vectored_common+0x15c/0x2ec

[16386.256868] The buggy address belongs to the object at c00000014a819670
which belongs to the cache vm_area_struct of size 168
[16386.256887] The buggy address is located 0 bytes inside of
freed 168-byte region [c00000014a819670, c00000014a819718)

[16386.256915] The buggy address belongs to the physical page:
[16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81
[16386.256950] memcg:c0000000ba430001
[16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff)
[16386.256975] page_type: 0xfdffffff(slab)
[16386
---truncated---
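The commit message above describes a classic stale-back-pointer use-after-free: the driver caches the VMA that maps the paste address, munmap() frees that VMA, and a later migration dereferences the cached pointer. The following user-space model is an added example, not the kernel's VAS driver or the actual patch; all names (`vas_window`, `model_mmap`, `model_munmap`, `model_migrate`, `window_vma_close`) are hypothetical stand-ins. It shows the pattern the fix relies on: registering a `close()` callback in the mapping's vm_ops so the owner clears its saved pointer when the VMA is torn down, and having the migration path treat a NULL pointer as "nothing to unmap".

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model of the pattern described in the commit
 * message; it is not the kernel's VAS driver. A "window" remembers the VMA
 * that maps its paste address, and the fix is a vm_ops close() callback
 * that clears that saved pointer when the mapping is torn down by munmap(). */

struct vma;

struct vm_ops {
    void (*close)(struct vma *vma);   /* invoked before the VMA is freed */
};

struct vma {
    const struct vm_ops *ops;
    void *private_data;               /* window that owns this mapping */
    int paste_unmapped;               /* set when migration zaps the mapping */
};

struct vas_window {
    struct vma *mapped_vma;           /* saved at mmap time, used by migration */
};

/* close() callback (the fix): drop the window's reference to a dying VMA. */
static void window_vma_close(struct vma *vma)
{
    struct vas_window *win = vma->private_data;
    if (win && win->mapped_vma == vma)
        win->mapped_vma = NULL;
}

static const struct vm_ops window_vm_ops_fixed   = { .close = window_vma_close };
static const struct vm_ops window_vm_ops_unfixed = { .close = NULL };

/* Model of mmap() on the paste address: allocate a VMA, record it in the window. */
static struct vma *model_mmap(struct vas_window *win, const struct vm_ops *ops)
{
    struct vma *vma = calloc(1, sizeof *vma);
    if (!vma)
        return NULL;
    vma->ops = ops;
    vma->private_data = win;
    win->mapped_vma = vma;
    return vma;
}

/* Model of munmap(): run the close() callback if one is registered, then free. */
static void model_munmap(struct vma *vma)
{
    if (vma->ops && vma->ops->close)
        vma->ops->close(vma);
    free(vma);
}

/* Model of the migration handler: if the window still records a mapping,
 * unmap the paste address through it. Returns 1 if it used the saved VMA,
 * 0 if it skipped because no mapping is recorded. Only safe to call when
 * the saved pointer is NULL or points at a live VMA. */
static int model_migrate(struct vas_window *win)
{
    if (!win->mapped_vma)
        return 0;
    win->mapped_vma->paste_unmapped = 1;
    return 1;
}

/* Scenario: mmap then munmap. Returns 1 if the window is left holding a
 * pointer to the freed VMA (the state the KASAN report caught), else 0.
 * The stale pointer is only compared against NULL, never dereferenced. */
int dangling_after_munmap(int with_close_callback)
{
    struct vas_window win = { 0 };
    struct vma *vma = model_mmap(&win, with_close_callback ? &window_vm_ops_fixed
                                                           : &window_vm_ops_unfixed);
    if (!vma)
        return -1;
    model_munmap(vma);
    return win.mapped_vma != NULL;
}

/* Scenario with the fix: migration before munmap uses the live VMA (1);
 * migration after munmap finds the pointer cleared and skips (0). */
int migrate_result_fixed(int munmap_first)
{
    struct vas_window win = { 0 };
    struct vma *vma = model_mmap(&win, &window_vm_ops_fixed);
    if (!vma)
        return -1;
    if (munmap_first) {
        model_munmap(vma);
        return model_migrate(&win);
    }
    int r = model_migrate(&win);
    model_munmap(vma);
    return r;
}

int main(void)
{
    printf("without close(): dangling=%d\n", dangling_after_munmap(0));
    printf("with close():    dangling=%d\n", dangling_after_munmap(1));
    printf("fixed, migrate while mapped: %d\n", migrate_result_fixed(0));
    printf("fixed, migrate after munmap: %d\n", migrate_result_fixed(1));
    return 0;
}
```

The unfixed variant is deliberately never run through `model_migrate`, since that would be the same freed-memory read KASAN flagged; the model only shows that the window's saved pointer survives the free. In the kernel the equivalent hook is the `close` member of `struct vm_operations_struct`, which the mm core invokes when a VMA is removed, and which is what the patch adds to the VAS driver's `vas_vm_ops`.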
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.18 (including) | 6.1.123 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.69 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/05aa156e156ef3168e7ab8a68721945196495c17
- https://git.kernel.org/stable/c/6d9cd27105459f169993a4c5f216499a946dbf34
- https://git.kernel.org/stable/c/8b2282b5084521254a2cd9742a3f4e1d5b77f843
- https://git.kernel.org/stable/c/b7f60ffdfd96f8fc826f1d61a1c6067d828e20b9
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html