Debian Linux Security Advisory 5818-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5818-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
November 24, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2022-45888 CVE-2023-52812 CVE-2024-26952 CVE-2024-26954  
                 CVE-2024-35964 CVE-2024-36244 CVE-2024-36478 CVE-2024-36914  
                 CVE-2024-36915 CVE-2024-36923 CVE-2024-38540 CVE-2024-38553  
                 CVE-2024-41080 CVE-2024-42322 CVE-2024-43868 CVE-2024-43904  
                 CVE-2024-43911 CVE-2024-44949 CVE-2024-49950 CVE-2024-49960  
                 CVE-2024-49974 CVE-2024-49986 CVE-2024-49991 CVE-2024-50012  
                 CVE-2024-50036 CVE-2024-50067 CVE-2024-50072 CVE-2024-50126  
                 CVE-2024-50215 CVE-2024-50218 CVE-2024-50228 CVE-2024-50229  
                 CVE-2024-50230 CVE-2024-50232 CVE-2024-50233 CVE-2024-50234  
                 CVE-2024-50235 CVE-2024-50236 CVE-2024-50237 CVE-2024-50242  
                 CVE-2024-50243 CVE-2024-50244 CVE-2024-50245 CVE-2024-50247  
                 CVE-2024-50249 CVE-2024-50250 CVE-2024-50251 CVE-2024-50252  
                 CVE-2024-50255 CVE-2024-50256 CVE-2024-50257 CVE-2024-50259  
                 CVE-2024-50261 CVE-2024-50262 CVE-2024-50264 CVE-2024-50265  
                 CVE-2024-50267 CVE-2024-50268 CVE-2024-50269 CVE-2024-50271  
                 CVE-2024-50272 CVE-2024-50273 CVE-2024-50276 CVE-2024-50278  
                 CVE-2024-50279 CVE-2024-50280 CVE-2024-50282 CVE-2024-50283  
                 CVE-2024-50284 CVE-2024-50286 CVE-2024-50287 CVE-2024-50290  
                 CVE-2024-50292 CVE-2024-50295 CVE-2024-50296 CVE-2024-50299  
                 CVE-2024-50301 CVE-2024-50302 CVE-2024-53042 CVE-2024-53043  
                 CVE-2024-53052 CVE-2024-53054 CVE-2024-53055 CVE-2024-53057  
                 CVE-2024-53058 CVE-2024-53059 CVE-2024-53060 CVE-2024-53061  
                 CVE-2024-53063 CVE-2024-53066 CVE-2024-53070 CVE-2024-53072  
                 CVE-2024-53081 CVE-2024-53082 CVE-2024-53088 CVE-2024-53093

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

For the stable distribution (bookworm), these problems have been fixed in  
version 6.1.119-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmdDS8lfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0QwLw/+OVgV3FTBaH3iV5PLBx/mLJH6xhNQeHzzlQXnREHfueWblf9QSCjRGHkl  
3ZlIvTKIEp7K5mNjqLBzbDjRNWijJdcDPqEp8dVET9Xwvht6AOX3C/oZpIPlLKkf  
ei0vJSUVIselsK5WfndPi19gR/Y0asKUF+XK47nchELEkZX9r+Mv36yib4z2z4b8  
K0iUtpInS5krLrqHTJbo8tJZ69C7a+U12KYGhzbDFSGM39mDhKWQ/gmloxjXHu8K  
sS84Z4SwWMll1pcjfiFVeD669zUS/VHR8Y34s2pjPwqqIejDORUZbFc6FQhP+Vk6  
PJVAAPWv0n39Ag1gQ21/BQis+b2CcC9CHWuMaG6ELQ/8HmcTCQkCOwzCCPN2woMy  
mLLK2gR6hEU+zuBs4Pg7jvdAeznbCmG28WfR9FO+WO410rWc7+IL5vcbGDGUVNu2  
vIq+R6GKqUC+6maOxc78NKFuU0c09hvK6UHiTuFlFScSI1vhg8mIxSbwWEpVlDA/  
dRXWkGneZ+2/gqUBGK31X295irixsNjvjjipMB4K28WSqeaQdJh2IMgIViL05/TL  
4jJELIIpcizck336YsfY9Ylfc0lqdqumbzZnM3ifm3nGeOc6zK5bZmn5YLxju/qk  
xmj6u8WD5je+Dm8OCWWF22SPNSJ3xoaqchKKQSYwow3G1nqEqKI=  
=lqjj  
-----END PGP SIGNATURE-----

Debian Security Advisory 5818-1

Debian Linux Security Advisory 5817-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5817-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonNovember 23, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-11110 CVE-2024-11111 CVE-2024-11112 CVE-2024-11113                  CVE-2024-11114 CVE-2024-11115 CVE-2024-11116 CVE-2024-11117                  CVE-2024-11395Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 131.0.6778.85-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmdBrIQACgkQZF0CR8NudjdsBw/+J+eOgiIrU4hNq1Fk3HAontTf7sOIp3snoI5FvNnZ9oZT8qFbRJ+cfj17S2ZijYGoZKaqydWQgO/kh6eL/k7mHpM0KYLlALxaGevLxh3M4eJx8Il83YKVtx23Eh6G6YZ8itXZXb+E0f7jNRRAWb6S6OCwImk6incDq4k48IdB3zKKOzCTZQBb7vr1OaP+4kbjGgzGy9vv+iYNgE4sBHa3MOmIqZ4zcDxazK7ypw6W0M7UW6raeFI+pjK3nh4rjgy/UpK0u+wpRprif53rC7D5qP9vRO7wnRajw2pUoovFl+1bnpi8njwK3JbZom5ARWozEtT2nfef1nmtyXUQ5bjcKlQTW5kxrqMNwXyzCxB3N7ln1l09ubaA7TdYj0TxNQiNimeGnTULrkMTKcs1d077dZZ6XTZAUrwVZiJn8V4QxaCW3Ype7hgPsd/edRJMZT5G+J2vB86WBmKt0FyKD2fmRUuq2DGqCnbd3+5A/3krQBcwgHXAHyxkJpLWNs1bdcRlOac6BKe1N7oZeJKtofhfwRrmhilDCM85Q4OcxOY2VeSuxMEPtw6hAUoYwiuhUS4hT2DUmevPu/XtkoNE/X0WoJ9cN+hlOxqfjzhXlcyJiGk36BYKhE+KJvUsOfB5N8TqUEzGGbvOyXDy7QGsCUZJ+BwjOGKFh45L0Nb4dexvsL4==J21V-----END PGP SIGNATURE-----

Debian Security Advisory 5817-1

Red Hat Security Advisory 2024-9956-03 - An update for edk2 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9956.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: edk2 security updateAdvisory ID:        RHSA-2024:9956-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9956Issue date:         2024-11-25Revision:           03CVE Names:          CVE-2024-38796====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Integer overflows in PeCoffLoaderRelocateImage (CVE-2024-38796)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38796References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2315390

Red Hat Security Advisory 2024-9956-03

Red Hat Security Advisory 2024-9946-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9946.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: edk2 security updateAdvisory ID:        RHSA-2024:9946-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9946Issue date:         2024-11-25Revision:           03CVE Names:          CVE-2024-38796====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Integer overflows in PeCoffLoaderRelocateImage (CVE-2024-38796)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38796References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2315390

Red Hat Security Advisory 2024-9946-03

Red Hat Security Advisory 2024-9945-03 - An update for haproxy is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9945.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: haproxy security updateAdvisory ID:        RHSA-2024:9945-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9945Issue date:         2024-11-25Revision:           03CVE Names:          CVE-2023-45539====================================================================Summary: An update for haproxy is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.Security Fix(es):* haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45539References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2253037

Red Hat Security Advisory 2024-9945-03

Red Hat Security Advisory 2024-9943-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9943.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel-rt security updateAdvisory ID:        RHSA-2024:9943-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9943Issue date:         2024-11-25Revision:           03CVE Names:          CVE-2022-48796====================================================================Summary: An update for kernel-rt is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.Security Fix(es):* kernel: blk-mq: fix IO hang from sbitmap wakeup race (CVE-2024-26671)* kernel: iommu: Fix potential use-after-free during probe (CVE-2022-48796)* kernel: mptcp: pm: Fix uaf in __timer_delete_sync (CVE-2024-46858)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-48796References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2272811https://bugzilla.redhat.com/show_bug.cgi?id=2298132https://bugzilla.redhat.com/show_bug.cgi?id=2315210

Red Hat Security Advisory 2024-9943-03

Red Hat Security Advisory 2024-9942-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9942.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel security updateAdvisory ID:        RHSA-2024:9942-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9942Issue date:         2024-11-25Revision:           03CVE Names:          CVE-2022-48796====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: blk-mq: fix IO hang from sbitmap wakeup race (CVE-2024-26671)* kernel: iommu: Fix potential use-after-free during probe (CVE-2022-48796)* kernel: mptcp: pm: Fix uaf in __timer_delete_sync (CVE-2024-46858)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-48796References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2272811https://bugzilla.redhat.com/show_bug.cgi?id=2298132https://bugzilla.redhat.com/show_bug.cgi?id=2315210

Red Hat Security Advisory 2024-9942-03

Attackers are betting that the hype around generative AI (GenAI) is attracting less technical, less cautious developers who might be more inclined to download an open source Python code package for free access, without vetting it or thinking twice.

Source: Adrian Vidal via Alamy Stock Photo

Two Python packages claiming to integrate with popular chatbots actually transmit an infostealer to potentially thousands of victims.

Publishing open source packages with malware hidden inside is a popular way to infect application developers, and the organizations they work for or serve as customers. In this latest case, the targets were engineers eager to make the most out of OpenAI's ChatGPT and Anthrophic's Claude generative artificial intelligence (GenAI) platforms. The packages, claiming to offer application programming interface (API) access to the chatbot functionality, actually deliver an infostealer called "JarkaStealer."

"AI is very hot, but also, many of these services require you to pay," notes George Apostopoulos, founding engineer at Endor Labs. As a result, in malicious circles, there's an effort to attract people to free access, "and people that don't know better will fall for this."

**Two Malicious "GenAI" Python Packages**

About this time last year, someone created a profile with the username "Xeroline" on the Python Package Index (PyPI), the official third-party repository for open source Python packages. Three days later, the person published two custom packages to the site. The first, "gptplus," claimed to enable API access to OpenAI's GPT-4 Turbo language learning model (LLM). The second, "claudeai-eng," offered the same for ChatGPT's popular competitor, Claude.

Neither package does what it says it does, but each provide users with a half-baked substitute — a mechanism for interacting with the free demo version of ChatGPT. As Apostopoulos says, "At first sight, this attack is not unusual, but what makes it interesting is if you download it and you try to use it, it will kind of look like it works. They committed the extra effort to make it look legitimate."

Under the hood, meanwhile, the programs would drop a Java archive (JAR) file containing JarkaStealer.

JarkaStealer is a newly documented infostealer sold in the Russian language Dark Web for just $20 — with various modifications available for $3 to $10 apiece — though its source code is also freely available on GitHub. It's capable of all the basic stealer tasks one might expect: stealing data from the targeted system and browsers running on it, taking screenshots, and grabbing session tokens from various popular apps like Telegram, Discord, and Steam. Its efficacy at these tasks is debatable.

**Gptplus & claudeai-eng's Year in the Sun**

The two packages managed to survive on PyPI for a year, until researchers from Kaspersky recently spotted and reported them to the platform's moderators. They've since been taken offline but, in the interim, they were each downloaded more than 1,700 times, across Windows and Linux systems, in more than 30 countries, most often the United States.

Those download statistics may be slightly misleading, though, as data from the PyPI analytics site "ClickPy" shows that both — particularly gptplus — experienced a huge drop in downloads after their first day, hinting that Xeroline may have artificially inflated their popularity (claudeai-eng, to its credit, did experience steady growth during February and March).

"One of the things that \[security professionals\] recommend is that before you download it, you should see if the package is popular — if other people are using it. So it makes sense for the attackers to try to pump this number up with some tricks, to make it look like it's legit," Apostopoulos says.

He adds, "Of course, most average people won't even bother with this. They will just go for it, and install it."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Faux ChatGPT, Claude API Packages Deliver JarkaStealer

This Metasploit module exploits vulnerabilities in OpenPrinting CUPS, which is running by default on most Linux distributions. The vulnerabilities allow an attacker on the LAN to advertise a malicious printer that triggers remote code execution when a victim sends a print job to the malicious printer. Successful exploitation requires user interaction, but no CUPS services need to be reachable via accessible ports. Code execution occurs in the context of the lp user. Affected versions are cups-browsed less than or equal to 2.0.1, libcupsfilters versions 2.1b1 and below, libppd versions 2.1b1 and below, and cups-filters versions 2.0.1 and below.

CUPS IPP Attributes LAN Remote Code Execution

A security-relevant race between mremap() and THP code has been discovered. Reaching the buggy code typically requires the ability to create unprivileged namespaces. The bug leads to installing physical address 0 as a page table, which is likely exploitable in several ways: For example, triggering the bug in multiple processes can probably lead to unintended page table sharing, which probably can lead to stale TLB entries pointing to freed pages.

    SummaryI found a security-relevant race between mremap() and THP code. Reaching the buggy code typically requires the ability to create unprivileged namespaces. The bug leads to installing physical address 0 as a page table, which is likely exploitable in several ways: For example, triggering the bug in multiple processes can probably lead to unintended page table sharing, which probably can lead to stale TLB entries pointing to freed pages.I also found two other (untested) theoretical races, but those arguably might not even count as bugs, and I'm pretty sure they're not security bugs. I am including my analysis of the closely related non-issues 2 and 3 as context in case you're curious, but I think they're stuff we can deal with on the public list later (or maybe even just leave as-is). Feel free to ignore that part of this report.I will send a suggested patch for the security bug, but I think it's unclear if my patch is actually the right way to fix it.This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2024-12-31.For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.htmlSecurity bug: move_normal_pmd vs MADVISE_COLLAPSEDescriptionIn mremap(), move_page_tables() looks at the type of the PMD entry and the specified address range to figure out by which method the next chunk of page table entries should be moved. At that point, the mmap_lock is held in write mode, but no rmap locks are held. For PMD entries that point to page tables and are fully covered by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called, which first takes rmap locks, then does move_normal_pmd().move_normal_pmd() takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination:        /* Clear the pmd */        pmd = *old_pmd;        pmd_clear(old_pmd);        VM_BUG_ON(!pmd_none(*new_pmd));        pmd_populate(mm, new_pmd, pmd_pgtable(pmd));        flush_tlb_range(vma, old_addr, old_addr + PMD_SIZE);The problem is: The rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP code, are only taken after we have inspected the PMD entry to decide how to move it. So we can race as follows (with two processes that have mappings of the same tmpfs file that is stored on a tmpfs mount with huge=advise):process A                      process B=========                      =========mremap  mremap_to    move_vma      move_page_tables        get_old_pmd        alloc_new_pmd                      *** PREEMPT ***                               madvise(MADV_COLLAPSE)                                 do_madvise                                   madvise_walk_vmas                                     madvise_vma_behavior                                       madvise_collapse                                         hpage_collapse_scan_file                                           collapse_file                                             retract_page_tables                                               i_mmap_lock_read(mapping)                                               pmdp_collapse_flush                                               i_mmap_unlock_read(mapping)        move_pgt_entry(NORMAL_PMD, ...)          take_rmap_locks          move_normal_pmd          drop_rmap_locksIn this case, while move_normal_pmd() expects to see a PMD entry pointing to a page table, the PMD entry has actually been cleared. So this line:pmd_populate(mm, new_pmd, pmd_pgtable(pmd));runs pmd_pgtable() on a cleared PMD entry. On typical implementations (including the X86 one), this simply masks off some bits of pmd and assumes that the remainder is a physical address - so pmd_pgtable(0) returns a pointer to the page for physical address 0. Then, pmd_populate() constructs a PMD entry that points to this physical address as a page table.So this ends up installing physical address 0 as a page table.Fixing itI guess there are two ways we could fix this:    Hold the rmap locks much more broadly in move_page_tables(). In particular, take them before inspecting the source pmd, and if we do a PMD-level move, keep them held throughout the entire move.    Add a bunch of extra recheck/retry logic.I think the first option is nicer in terms of code complexity. Moving the lock up requires a small bit of refactoring though, and the broader locking could conceivably degrade the performance of concurrent rmap access.I will send a suggested patch for the first option in a minute (and I have tested that with that patch, my reproducer no longer triggers); but we might want to do some more bikeshedding of whether this is the right way to patch it, and if yes, whether the patch is doing too little lock-dropping for performance or adds too much complexity with the lock-dropping...ReproducerI made a testcase that triggers this issue after a while and causes a splat when the kernel later tries to unmap this page table at physical address 0:#define _GNU_SOURCE#include <err.h>#include <sched.h>#include <stdio.h>#include <string.h>#include <fcntl.h>#include <signal.h>#include <stdlib.h>#include <unistd.h>#include <sys/syscall.h>#include <sys/stat.h>#include <sys/prctl.h>#include <sys/mount.h>#include <sys/mman.h>#include <sys/wait.h>#include <sys/ioctl.h>static void pin_to(int cpu) {  cpu_set_t cset;  CPU_ZERO(&cset);  CPU_SET(cpu, &cset);  if (sched_setaffinity(0, sizeof(cpu_set_t), &cset))    err(1, "set affinity");}#ifndef MADV_COLLAPSE#define MADV_COLLAPSE 25#endif#define SYSCHK(x) ({          \  typeof(x) __res = (x);      \  if (__res == (typeof(x))-1) \    err(1, "SYSCHK(" #x ")"); \  __res;                      \})static void write_file(char *name, char *buf) {  int fd = SYSCHK(open(name, O_WRONLY));  if (write(fd, buf, strlen(buf)) != strlen(buf))    err(1, "write %s", name);  close(fd);}static void write_map(char *name, int outer_id) {  char buf[100];  sprintf(buf, "0 %d 1", outer_id);  write_file(name, buf);}int main(void) {  // set up new mount ns for tmpfs with THP  int outer_uid = getuid();  int outer_gid = getgid();  SYSCHK(unshare(CLONE_NEWNS|CLONE_NEWUSER));  SYSCHK(mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL));  write_file("/proc/self/setgroups", "deny");  write_map("/proc/self/uid_map", outer_uid);  write_map("/proc/self/gid_map", outer_gid);  // make tmpfs with THP  SYSCHK(mount("none", "/tmp", "tmpfs", MS_NOSUID|MS_NODEV, "huge=advise"));  pin_to(0);  while (1) {    int fd = SYSCHK(open("/tmp/a", O_RDWR|O_CREAT, 0600));    void *ptr = SYSCHK(mmap((void*)0x200000UL, 0x200000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED_NOREPLACE, fd, 0));    SYSCHK(ftruncate(fd, 0x1000));    *((volatile char *)ptr) = 'a';    SYSCHK(ftruncate(fd, 0x200000));    SYSCHK(madvise(ptr, 0x200000, MADV_HUGEPAGE));    close(fd);    SYSCHK(unlink("/tmp/a"));    int child = SYSCHK(fork());    if (child == 0) {      for (int i=0; i<512; i++)        ((volatile char *)ptr)[0x1000*i] = 'a';      struct sched_param param = { .sched_priority = 0 };      SYSCHK(sched_setscheduler(0, SCHED_IDLE, &param));      /* race (outer side, will be preempted) */      SYSCHK(mremap((void*)0x200000, 0x200000, 0x200000, MREMAP_MAYMOVE|MREMAP_FIXED, (void*)0x40000000));      return 0;    }    for (int i=0; i<512; i++)      ((volatile char *)ptr)[0x1000*i] = 'a';    usleep(10);    /* race (inner side, will preempt after timer and voluntary resched) */    int madv_res = madvise(ptr, 0x200000, MADV_COLLAPSE);    if (madv_res == -1)      fprintf(stderr, "_");    int wstatus;    SYSCHK(waitpid(child, &wstatus, 0));    SYSCHK(munmap(ptr, 0x200000));    fprintf(stderr, ".");  }}Usage:user@vm:~/collapse-vs-mremap$ gcc -o collapse-vs-mremap-2-noassist collapse-vs-mremap-2-noassist.cuser@vm:~/collapse-vs-mremap$ ./collapse-vs-mremap-2-noassist.................................................................................................................................Result on Linux 6.11 in a QEMU VM, where a bunch of non-zero data is left over in the first 0x1000 bytes of physical memory (note the pmd:00000067):[  120.427189] BUG: Bad page map in process collapse-vs-mre  pte:f000ff53f000ff53 pmd:00000067[  120.428763] addr:0000000040000000 vm_flags:200000fb anon_vma:0000000000000000 mapping:ffff888007dd70f8 index:0[  120.430526] file:a fault:shmem_fault mmap:shmem_mmap read_folio:0x0[  120.431706] CPU: 0 UID: 1000 PID: 1219 Comm: collapse-vs-mre Tainted: G        W          6.11.0 #493[  120.433591] Tainted: [W]=WARN[  120.434201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[  120.435849] Call Trace:[  120.436375]  <TASK>[  120.436843]  dump_stack_lvl+0x53/0x70[  120.437570]  print_bad_pte+0x4e6/0x8e0[...][  120.447625]  vm_normal_page+0x1c8/0x260[...][  120.450162]  unmap_page_range+0x914/0x3d10[...][  120.456954]  unmap_vmas+0x1cc/0x390[...][  120.461123]  exit_mmap+0x160/0x6c0[...][  120.465181]  mmput+0xa0/0x3a0[  120.465793]  do_exit+0x7cd/0x27f0[...][  120.472198]  do_group_exit+0xac/0x230[  120.472916]  __x64_sys_exit_group+0x3e/0x50[  120.473722]  x64_sys_call+0x17f3/0x1800[  120.474469]  do_syscall_64+0x4b/0x110[  120.475189]  entry_SYSCALL_64_after_hwframe+0x76/0x7e[...][  120.489560]  </TASK>On other machines where physical page 0 contains only zeroes, the error is different and the kernel complains about the mm's pagetable bytes counter being -4096 on process exit.ImpactReaching this bug requires that you can create shmem/file THP mappings - anonymous THP uses different code that doesn't zap stuff under rmap locks. File THP is gated on an experimental config flag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need shmem THP to hit this bug. (Some Android kernels set CONFIG_READ_ONLY_THP_FOR_FS=y, but those kernels are older than 6.6, so they're not affected.)As far as I know, getting shmem THP normally requires that you can mount your own tmpfs with the right mount flags, so on normal Linux systems you usually need the ability to create your own user+mount namespace (like my reproducer does).If you trigger this bug in two different processes, or in two different locations in the same process, you should get physical page 0 mapped in two different places. Assuming you know that a certain part of the page contains zeroes, you should be able to get page table entries installed through one of the mappings, and then access those page table entries through the other mapping of the same page table.At that point, I think several bad things can happen that could lead to privilege escalation, though I haven't tested that:    When a PTE is zapped through the page table's first mapping, TLB flushes will only be done for the first mapping, but there can be TLB entries created through the second mapping. So you could probably end up with stale TLB entries pointing to freed pages.    If VMA 1 and VMA 2 share a page table, and you install an anonymous page through VMA 1, and then use mremap() on VMA 2 to move that PTE to another location, and then munmap() VMA 1, you'll end up with an anonymous page that's only mapped into a VMA that is not associated with the page's anon_vma, which leads to kernel UAF. (See https://project-zero.issues.chromium.org/issues/42451486 and https://git.kernel.org/linus/2555283eb40d .)I think the exploitability of this bug depends on whether a struct page has been allocated for physical address 0 - but that seems to be the case at least on the two X86 systems I tested this on.Non-issue 2 (no impact): move_ptes vs MADVISE_COLLAPSEmove_ptes() locks the source and destination page tables as follows:        old_pte = pte_offset_map_lock(mm, old_pmd, old_addr, &old_ptl);        if (!old_pte)                return -EAGAIN;        new_pte = pte_offset_map_nolock(mm, new_pmd, new_addr, &new_ptl);        if (!new_pte) {                pte_unmap_unlock(old_pte, old_ptl);                return -EAGAIN;        }        if (new_ptl != old_ptl)                spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING);pte_offset_map_nolock() followed by manually taking the page table lock does not (unlike pte_offset_map_lock()) protect against concurrent removal of the page table via retract_page_tables(); and that can happen when need_rmap_locks is false. So I think that after this block, we can end up with new_pte pointing to a page table that has already been scheduled for RCU-delayed freeing. The good news is that (as far as I understand) this can only happen when all the PTEs in the source page table are pte_none(), so no PTEs will actually be written to the detached destination page table, so nothing bad happens.Non-issue 3 (probably no impact, untested): move_huge_pmd vs split_huge_page_to_list_to_orderThe classic way mremap() used to work is:    We make a new VMA.    We move page table entries into the new VMA with move_page_tables(), creating page tables if necessary. Only page table entries are moved; the old page tables stay where they are.    If a page table allocation fails due to OOM, or if the ->mremap handler returns an error, we use move_page_tables() to move the page table entries back to the old VMA; this is expected to always succeed, since the old page tables still exist, so page table allocation should not happen.As a comment in move_page_tables() explains:/* * On error, move entries back from new area to old, * which will succeed since page tables still there, * and then proceed to unmap new area instead of old. */However, that does not hold in the following scenario, assuming that the architecture does not define HAVE_MOVE_PMD (which permits mremap() to move entire page tables):    move_vma() calls move_page_tables()    move_page_tables() moves an anonymous huge PMD entry.    move_page_tables() tries to move more page table entries, but page table allocation fails, and the function returns early.    Another racing process causes the huge PMD entry to be split via split_huge_page_to_list_to_order() (turning the huge PMD entry into a PMD entry pointing to a page table whose PTEs point to all the subpages).    move_vma() calls move_page_tables() in the reverse direction to move PTEs back.    move_page_tables() unexpectedly needs to allocate a new page table to move the PTEs generated by the huge PMD split, which again fails. PTEs are left behind in the destination area.    do_vmi_munmap() removes the temporary destination VMA and removes the left-behind PTEs in the destination area.So in the end, an anonymous page has erroneously disappeared from the VMA, but I think that doesn't lead to any major consequences.FWIW, the architectures that define HAVE_ARCH_TRANSPARENT_HUGEPAGE without also defining HAVE_MOVE_PMD are: mips, loongarch, s390, sparc64, arc, arm.I think similar things can probably also happen on x86/arm64 if, when moving PTEs back with move_pgt_entry(HPAGE_PMD, ...), we race with a concurrent split_huge_page_to_list_to_order() such that move_huge_pmd() fails at the __pmd_trans_huge_lock() and we fall back to the move_ptes() path.CommentsAll commentsja...@google.com <ja...@google.com> #2Oct 15, 2024 11:05AMThe fix for the security bug is currently in the MM tree at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/commit/?id=9118e3ff1212add463770537519dce4aed51cf94 , on the mm-hotfixes-unstable branch.ja...@google.com <ja...@google.com> #3Oct 22, 2024 09:28AMMarked as fixed, reassigned to ja...@google.com.Fix landed as https://git.kernel.org/linus/6fa1066fc5d00cb9f1b0e83b7ff6ef98d26ba2aa ("mm/mremap: fix move_normal_pmd/retract_page_tables race").In stable releases:    6.6.58 (2024-10-22)    6.11.5 (2024-10-22)Related CVE Number: CVE-2024-50066.Credit: Jann Horn

Tag

#linux