Bug 2320195 (CVE-2024-47732)

Summary: CVE-2024-47732 kernel: crypto: iaa - Fix potential use after free bug
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability    Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified    CC: btarraso, dfreiber, drow, jburrell, vkumar
Target Milestone: ---    Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A possible flaw was found in the Linux 6.8 kernel, introduced via commit b190447e0fa3. This flaw allows an attacker to trigger a pointer exception that could cause performance issues, mainly impacting availability. The code should not be reachable, since it is not called anywhere, making this a weakness that could only become a flaw if, at some point, a call to remove_device_compression_modes is introduced. However, if the address where the function is located were reached by overriding the instruction pointer, which is unlikely, this weakness could theoretically become a flaw.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2320344    
Bug Blocks:    

Description OSIDB Bzimport 2024-10-21 13:01:15 UTC
In the Linux kernel, the following vulnerability has been resolved:

crypto: iaa - Fix potential use after free bug

The free_device_compression_mode(iaa_device, device_mode) function frees
"device_mode" but it is passed to iaa_compression_modes[i]->free() a few
lines later resulting in a use after free.

The good news is that, so far as I can tell, nothing implements the
->free() function and the use after free happens in dead code.  But, with
this fix, when something does implement it, we'll be ready.  :)
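The ordering problem the commit message describes, as an added user-space model written for this page rather than the kernel's own crypto/iaa code: the structure layouts, field names, the two-slot mode table and the recording hook are all assumed for illustration, and kmalloc/kfree are replaced by malloc/free. The pre-fix order is kept in a comment; the function itself shows the corrected order in which the ->free() hook runs while device_mode is still live.

```c
/* Added example (not kernel code): model of the remove_device_compression_modes
 * teardown order. Names mirror the commit message; layouts are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IAA_COMP_MODES_MAX 2

/* Per-device instance of a compression mode (assumed layout). */
struct iaa_device_compression_mode {
    char name[32];
    void *aecs_table;   /* stands in for device-owned buffers the driver allocates */
};

/* Per-mode descriptor carrying the optional ->free() hook named in the commit. */
struct iaa_compression_mode {
    const char *name;
    void (*free)(struct iaa_device_compression_mode *device_mode);
};

struct iaa_device {
    struct iaa_device_compression_mode *compression_modes[IAA_COMP_MODES_MAX];
};

static struct iaa_compression_mode *iaa_compression_modes[IAA_COMP_MODES_MAX];

static void free_device_compression_mode(struct iaa_device *iaa_device,
                                         struct iaa_device_compression_mode *device_mode)
{
    (void)iaa_device;
    free(device_mode->aecs_table);
    free(device_mode);
}

/*
 * Fixed ordering. The pre-fix loop body ran
 *     free_device_compression_mode(iaa_device, device_mode);
 *     iaa_device->compression_modes[i] = NULL;
 *     if (iaa_compression_modes[i]->free)
 *         iaa_compression_modes[i]->free(device_mode);
 * so any registered ->free() hook received an already-freed pointer. Calling
 * the hook first, while device_mode is still valid, removes the use after free.
 */
static void remove_device_compression_modes(struct iaa_device *iaa_device)
{
    for (int i = 0; i < IAA_COMP_MODES_MAX; i++) {
        struct iaa_device_compression_mode *device_mode =
            iaa_device->compression_modes[i];
        if (!device_mode)
            continue;

        if (iaa_compression_modes[i] && iaa_compression_modes[i]->free)
            iaa_compression_modes[i]->free(device_mode);

        free_device_compression_mode(iaa_device, device_mode);
        iaa_device->compression_modes[i] = NULL;
    }
}

/* A ->free() implementation constructed for this example: it records what it
 * was handed so a caller can confirm it ran against live memory. */
static int hook_calls;
static char hook_seen_name[32];

static void recording_free_hook(struct iaa_device_compression_mode *device_mode)
{
    hook_calls++;
    strncpy(hook_seen_name, device_mode->name, sizeof(hook_seen_name) - 1);
    hook_seen_name[sizeof(hook_seen_name) - 1] = '\0';
}

static struct iaa_device_compression_mode *alloc_device_mode(const char *name)
{
    struct iaa_device_compression_mode *m = calloc(1, sizeof(*m));
    if (!m)
        return NULL;
    strncpy(m->name, name, sizeof(m->name) - 1);
    m->aecs_table = calloc(64, 1);
    return m;
}

/* Builds a device with two modes (one with a ->free() hook, one without, which
 * is the case the commit says holds for every mode today), tears it down, and
 * returns the hook call count, or -1 if a slot was left non-NULL. */
int run_teardown_demo(void)
{
    static struct iaa_compression_mode hooked = { "hooked", recording_free_hook };
    static struct iaa_compression_mode plain  = { "plain", NULL };
    struct iaa_device dev = { { NULL, NULL } };

    hook_calls = 0;
    hook_seen_name[0] = '\0';
    iaa_compression_modes[0] = &hooked;
    iaa_compression_modes[1] = &plain;
    dev.compression_modes[0] = alloc_device_mode("hooked");
    dev.compression_modes[1] = alloc_device_mode("plain");

    remove_device_compression_modes(&dev);

    for (int i = 0; i < IAA_COMP_MODES_MAX; i++)
        if (dev.compression_modes[i])
            return -1;
    return hook_calls;
}

const char *hook_last_seen_name(void) { return hook_seen_name; }

int main(void)
{
    printf("hook calls: %d, mode seen by hook: %s\n",
           run_teardown_demo(), hook_last_seen_name());
    return 0;
}
```

Building the model with a sanitizer (for example `-fsanitize=address`) and swapping in the commented pre-fix order is the quickest way to see the defect reported as a heap-use-after-free inside the hook; with the fixed order the hook reads an intact name and every slot ends up NULL.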

Comment 2 Borja Tarraso 2024-12-20 09:58:05 UTC
This code is not reachable since it is not called anywhere, as shown in the description of the issue from the kernel mailing list, as well as in the three commits where the issue has been fixed:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b5d534b473e2c8d3e4560be2dd6c12a8eb9d61e9
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c66f0be993ba52410edab06124c54ecf143b05c1
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e0d3b845a1b10b7b5abdad7ecc69d45b2aab3209

To be on the safe side, in case we missed this function call at any given time from the moment it was introduced in 6.8 via commit b5d534b473e2 until it was fixed in 6.10.13, 6.11.2 and 6.12-rc1, in any possible forked code, or exploited via another buffer overflow, we would keep this as a low-probability flaw which most likely would never happen.