Google Git
Sign in
cos / third_party / kernel / c7b26e26ce497e92cfde345f9c766ee45d0b8c0b
commitc7b26e26ce497e92cfde345f9c766ee45d0b8c0b[log] [tgz]
authorLiam R. Howlett <Liam.Howlett@oracle.com>Mon Apr 22 16:33:49 2024 -0400
committerShuo Yang <gshuoy@google.com>Wed Jul 17 17:54:35 2024 +0000
tree16be9bcf1b1054717c85835f5d9c2457335a2f35
parent4a27603cac196e5ebce8ccb2b4fcb7933edef875 [diff]
maple_tree: fix mas_empty_area_rev() null pointer dereference

commit 955a923d2809803980ff574270f81510112be9cf upstream.

Currently the code calls mas_start() followed by mas_data_end() if the
maple state is MA_START, but mas_start() may return with the maple state
node == NULL.  This will lead to a null pointer dereference when checking
information in the NULL node, which is done in mas_data_end().

Avoid setting the offset if there is no node by waiting until after the
maple state is checked for an empty or single entry state.

A user could trigger the events to cause a kernel oops by unmapping all
vmas to produce an empty maple tree, then mapping a vma that would cause
the scenario described above.

Link: https://lkml.kernel.org/r/20240422203349.2418465-1-Liam.Howlett@oracle.com
Fixes: 54a611b60590 ("Maple Tree: add new data structure")

BUG=b/346513745
TEST=presubmit
RELEASE_NOTE=Fixes CVE-2024-36891 in the Linux kernel

cos-patch: security-moderate
Change-Id: Ic303187139c3cee97fbcc01528852b75fd9ae633
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Reported-by: Marius Fleischer <fleischermarius@gmail.com>
Closes: https://lore.kernel.org/lkml/CAJg=8jyuSxDL6XvqEXY_66M20psRK2J53oBTP+fjV5xpW2-R6w@mail.gmail.com/
Link: https://lore.kernel.org/lkml/CAJg=8jyuSxDL6XvqEXY_66M20psRK2J53oBTP+fjV5xpW2-R6w@mail.gmail.com/
Tested-by: Marius Fleischer <fleischermarius@gmail.com>
Tested-by: Sidhartha Kumar <sidhartha.kumar@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/76399
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Oleksandr Tymoshenko <ovt@google.com>
1 file changed
tree: 16be9bcf1b1054717c85835f5d9c2457335a2f35
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. google/
  9. include/
  10. init/
  11. io_uring/
  12. ipc/
  13. kernel/
  14. lib/
  15. LICENSES/
  16. mm/
  17. net/
  18. rust/
  19. samples/
  20. scripts/
  21. security/
  22. sound/
  23. tools/
  24. usr/
  25. virt/
  26. .clang-format
  27. .cocciconfig
  28. .get_maintainer.ignore
  29. .gitattributes
  30. .gitignore
  31. .mailmap
  32. .rustfmt.toml
  33. COPYING
  34. CREDITS
  35. Kbuild
  36. Kconfig
  37. MAINTAINERS
  38. Makefile
  39. PRESUBMIT.cfg
  40. README