CVE-2024-26957
Vulnerability from cvelistv5
Published: 2024-05-01 05:19
Modified: 2024-12-19 08:51
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:

s390/zcrypt: fix reference counting on zcrypt card objects

Tests with hot-plugging crypto cards on KVM guests with debug kernel build revealed a use after free for the load field of the struct zcrypt_card. The reason was an incorrect reference handling of the zcrypt card object which could lead to a free of the zcrypt card object while it was still in use.

This is an example of the slab message:

    kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b
    kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43
    kernel:  kmalloc_trace+0x3f2/0x470
    kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]
    kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]
    kernel:  ap_device_probe+0x15c/0x290
    kernel:  really_probe+0xd2/0x468
    kernel:  driver_probe_device+0x40/0xf0
    kernel:  __device_attach_driver+0xc0/0x140
    kernel:  bus_for_each_drv+0x8c/0xd0
    kernel:  __device_attach+0x114/0x198
    kernel:  bus_probe_device+0xb4/0xc8
    kernel:  device_add+0x4d2/0x6e0
    kernel:  ap_scan_adapter+0x3d0/0x7c0
    kernel:  ap_scan_bus+0x5a/0x3b0
    kernel:  ap_scan_bus_wq_callback+0x40/0x60
    kernel:  process_one_work+0x26e/0x620
    kernel:  worker_thread+0x21c/0x440
    kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43
    kernel:  kfree+0x37e/0x418
    kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]
    kernel:  ap_device_remove+0x4c/0xe0
    kernel:  device_release_driver_internal+0x1c4/0x270
    kernel:  bus_remove_device+0x100/0x188
    kernel:  device_del+0x164/0x3c0
    kernel:  device_unregister+0x30/0x90
    kernel:  ap_scan_adapter+0xc8/0x7c0
    kernel:  ap_scan_bus+0x5a/0x3b0
    kernel:  ap_scan_bus_wq_callback+0x40/0x60
    kernel:  process_one_work+0x26e/0x620
    kernel:  worker_thread+0x21c/0x440
    kernel:  kthread+0x150/0x168
    kernel:  __ret_from_fork+0x3c/0x58
    kernel:  ret_from_fork+0xa/0x30
    kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)
    kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88
    kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........
    kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.
    kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........
    kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ
    kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2
    kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)
    kernel: Call Trace:
    kernel:  [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120
    kernel:  [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140
    kernel:  [<00000000c99d53cc>] check_object+0x334/0x3f8
    kernel:  [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8
    kernel:  [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0
    kernel:  [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8
    kernel:  [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8
    kernel:  [<00000000c99dc8dc>] __kmalloc+0x434/0x590
    kernel:  [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0
    kernel:  [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0
    kernel:
---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67 https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484
416baaa9-dc9f-4396-8d5f-8c081fb06d67 https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c
416baaa9-dc9f-4396-8d5f-8c081fb06d67 https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd
416baaa9-dc9f-4396-8d5f-8c081fb06d67 https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058
416baaa9-dc9f-4396-8d5f-8c081fb06d67 https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55
416baaa9-dc9f-4396-8d5f-8c081fb06d67 https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6
416baaa9-dc9f-4396-8d5f-8c081fb06d67 https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca
416baaa9-dc9f-4396-8d5f-8c081fb06d67 https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d
416baaa9-dc9f-4396-8d5f-8c081fb06d67 https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000
af854a3a-2127-422b-91ae-364da2661108 https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484
af854a3a-2127-422b-91ae-364da2661108 https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c
af854a3a-2127-422b-91ae-364da2661108 https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd
af854a3a-2127-422b-91ae-364da2661108 https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058
af854a3a-2127-422b-91ae-364da2661108 https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55
af854a3a-2127-422b-91ae-364da2661108 https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6
af854a3a-2127-422b-91ae-364da2661108 https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca
af854a3a-2127-422b-91ae-364da2661108 https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d
af854a3a-2127-422b-91ae-364da2661108 https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000
af854a3a-2127-422b-91ae-364da2661108 https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Impacted products
Vendor Product Version
Linux Linux


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "7e500849fa55",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "9daddee03de3",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "6470078ab3d8",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "a55677878b93",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "b7f6c3630eb3",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "a64ab862e84e",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "befb7f889594",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "394b6d8bbdf9",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              },
              {
                "lessThan": "50ed48c80fec",
                "status": "affected",
                "version": "1da177e4c3f4",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26957",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T15:58:32.988246Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T15:58:36.584Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.861Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/s390/crypto/zcrypt_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7e500849fa558879a1cde43f80c7c048c2437058",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9daddee03de3f231012014dab8ab2b277a116a55",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6470078ab3d8f222115e11c4ec67351f3031b3dd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a55677878b93e9ebc31f66d0e2fb93be5e7836a6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b7f6c3630eb3f103115ab0d7613588064f665d0d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a64ab862e84e3e698cd351a87cdb504c7fc575ca",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "befb7f889594d23e1b475720cf93efd2f77df000",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "50ed48c80fecbe17218afed4f8bed005c802976c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/s390/crypto/zcrypt_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.312",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.274",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.215",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.154",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix reference counting on zcrypt card objects\n\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\n\nThis is an example of the slab message:\n\n    kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n    kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n    kernel:  kmalloc_trace+0x3f2/0x470\n    kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]\n    kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n    kernel:  ap_device_probe+0x15c/0x290\n    kernel:  really_probe+0xd2/0x468\n    kernel:  driver_probe_device+0x40/0xf0\n    kernel:  __device_attach_driver+0xc0/0x140\n    kernel:  bus_for_each_drv+0x8c/0xd0\n    kernel:  __device_attach+0x114/0x198\n    kernel:  bus_probe_device+0xb4/0xc8\n    kernel:  device_add+0x4d2/0x6e0\n    kernel:  ap_scan_adapter+0x3d0/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n    kernel:  kfree+0x37e/0x418\n    kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]\n    kernel:  ap_device_remove+0x4c/0xe0\n    kernel:  device_release_driver_internal+0x1c4/0x270\n    kernel:  bus_remove_device+0x100/0x188\n    kernel:  device_del+0x164/0x3c0\n    kernel:  device_unregister+0x30/0x90\n    kernel:  ap_scan_adapter+0xc8/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel:  kthread+0x150/0x168\n    kernel:  __ret_from_fork+0x3c/0x58\n    kernel:  ret_from_fork+0xa/0x30\n    kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n    kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n    kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........\n    kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.\n    kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........\n    kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ\n    kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n    kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n    kernel: Call Trace:\n    kernel:  [\u003c00000000ca5ab5b8\u003e] dump_stack_lvl+0x90/0x120\n    kernel:  [\u003c00000000c99d78bc\u003e] check_bytes_and_report+0x114/0x140\n    kernel:  [\u003c00000000c99d53cc\u003e] check_object+0x334/0x3f8\n    kernel:  [\u003c00000000c99d820c\u003e] alloc_debug_processing+0xc4/0x1f8\n    kernel:  [\u003c00000000c99d852e\u003e] get_partial_node.part.0+0x1ee/0x3e0\n    kernel:  [\u003c00000000c99d94ec\u003e] ___slab_alloc+0xaf4/0x13c8\n    kernel:  [\u003c00000000c99d9e38\u003e] __slab_alloc.constprop.0+0x78/0xb8\n    kernel:  [\u003c00000000c99dc8dc\u003e] __kmalloc+0x434/0x590\n    kernel:  [\u003c00000000c9b4c0ce\u003e] ext4_htree_store_dirent+0x4e/0x1c0\n    kernel:  [\u003c00000000c9b908a2\u003e] htree_dirblock_to_tree+0x17a/0x3f0\n    kernel: \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:51:11.577Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058"
        },
        {
          "url": "https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55"
        },
        {
          "url": "https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000"
        },
        {
          "url": "https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484"
        },
        {
          "url": "https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c"
        }
      ],
      "title": "s390/zcrypt: fix reference counting on zcrypt card objects",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26957",
    "datePublished": "2024-05-01T05:19:00.134Z",
    "dateReserved": "2024-02-19T14:20:24.200Z",
    "dateUpdated": "2024-12-19T08:51:11.577Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

