阿里云漏洞库

漏洞描述

In the Linux kernel, the following vulnerability has been resolved:

bootconfig: use memblock_free_late to free xbc memory to buddy

On the time to free xbc memory in xbc_exit(), memblock may has handed

over memory to buddy allocator. So it doesn't make sense to free memory

back to memblock. memblock_free() called by xbc_exit() even causes UAF bugs

on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.

Following KASAN logs shows this case.

This patch fixes the xbc memory free problem by calling memblock_free()

in early xbc init error rewind path and calling memblock_free_late() in

xbc exit path to free memory to buddy allocator.

[ 9.410890] ==================================================================

[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260

[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1

[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5

[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023

[ 9.460789] Call Trace:

[ 9.463518] <TASK>

[ 9.465859] dump_stack_lvl+0x53/0x70

[ 9.469949] print_report+0xce/0x610

[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0

[ 9.478619] ? memblock_isolate_range+0x12d/0x260

[ 9.483877] kasan_report+0xc6/0x100

[ 9.487870] ? memblock_isolate_range+0x12d/0x260

[ 9.493125] memblock_isolate_range+0x12d/0x260

[ 9.498187] memblock_phys_free+0xb4/0x160

[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10

[ 9.508021] ? mutex_unlock+0x7e/0xd0

[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10

[ 9.516786] ? kernel_init_freeable+0x2d4/0x430

[ 9.521850] ? __pfx_kernel_init+0x10/0x10

[ 9.526426] xbc_exit+0x17/0x70

[ 9.529935] kernel_init+0x38/0x1e0

[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30

[ 9.538601] ret_from_fork+0x2c/0x50

[ 9.542596] ? __pfx_kernel_init+0x10/0x10

[ 9.547170] ret_from_fork_asm+0x1a/0x30

[ 9.551552] </TASK>

[ 9.555649] The buggy address belongs to the physical page:

[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30

[ 9.570821] flags: 0x200000000000000(node=0|zone=2)

[ 9.576271] page_type: 0xffffffff()

[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000

[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000

[ 9.597476] page dumped because: kasan: bad access detected

[ 9.605362] Memory state around the buggy address:

[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

[ 9.634930] ^

[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

[ 9.654675] ==================================================================

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918
https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35
https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0
https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	系统	debian_10	linux	*		Up to (excluding) 4.19.304-1
	运行在以下环境
	系统	debian_11	linux	*		Up to (excluding) 5.10.209-2
	运行在以下环境
	系统	fedora_38	kernel	*		Up to (excluding) 6.8.8-100.fc38
	运行在以下环境
	系统	fedora_39	kernel	*		Up to (excluding) 6.8.8-200.fc39
	运行在以下环境
	系统	fedora_40	kernel	*		Up to (excluding) 6.8.8-300.fc40

攻击路径

N/A
攻击复杂度

N/A
权限要求

N/A
影响范围

N/A
用户交互

N/A
可用性

N/A
保密性

N/A
完整性

N/A

CWE-ID	漏洞类型

bootconfig：使用 memblock_free_late 释放 xbc 内存给 buddy (CVE-2024-26983)

漏洞描述

解决建议

参考链接

受影响软件情况