• Bug#1103277: linux: CVE-2024-38541 for 6.1 branch

    From Hideki Yamane@21:1/5 to All on Wed Apr 16 00:50:01 2025
    XPost: linux.debian.kernel

    This is a multi-part MIME message sent by reportbug.


    Source: linux
    Version: 6.1.133-1
    Severity: normal
    X-Debbugs-Cc: henrich@debian.org

    Dear Maintainers,

    I've investigated CVE-2024-38541 since I'm running Debian 12 instances
    on AWS and Amazon Inspector alerts that it is a critical vulnerability.

    It seems that it is easily applied to the 6.1 branch with some modification,
    as in the attached patch. I've already sent it to the original author and
    reviewer but have not got any reply, so maybe I'm wrong...

    Anyway, could you check it, please?


    Thank you.

    From 58c18ebe72c2ff8bce5fbbc8d0a55dde1f264ac4 Mon Sep 17 00:00:00 2001
    From: Hideki Yamane <h-yamane@sios.com>
    Date: Fri, 28 Mar 2025 17:24:08 +0900
    Subject: [PATCH] of: device: add buffer overflow check in
    of_device_get_modalias() (CVE-2024-38541)

    [ Upstream commit cf7385cb26ac4f0ee6c7385960525ad534323252 ]

    In of_modalias(), if the buffer happens to be too small even for the 1st
    snprintf() call, the len parameter will become negative and the str parameter
    (if not NULL initially) will point beyond the buffer's end. Add the buffer
    overflow check after the 1st snprintf() call and fix such a check after the
    strlen() call (accounting for the terminating NUL char).

    Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings")
    Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
    Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru
    Signed-off-by: Rob Herring <robh@kernel.org>

    drivers/of/module.c was split from drivers/of/device.c, so the same fix can
    be applied to device.c.
    ---
    drivers/of/device.c | 7 ++++---
    1 file changed, 4 insertions(+), 3 deletions(-)

    diff --git a/drivers/of/device.c b/drivers/of/device.c
    index ce225d2590b5..91d92bfe5735 100644
    --- a/drivers/of/device.c
    +++ b/drivers/of/device.c
    @@ -264,14 +264,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len
    csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T',
    of_node_get_device_type(dev->of_node));
    tsize = csize;
    + if (csize >= len)
    + csize = len > 0 ? len - 1 : 0;
    len -= csize;
    - if (str)
    - str += csize;
    + str += csize;

    of_property_for_each_string(dev->of_node, "compatible", p, compat) {
    csize = strlen(compat) + 1;
    tsize += csize;
    - if (csize > len)
    + if (csize >= len)
    continue;

    csize = snprintf(str, len, "C%s", compat);
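    Review bot: dropping the `if (str)` guard before `str += csize` is only safe because of the new clamp two lines above it, and that deserves a sentence in the backport notes since the 6.1 code being patched still has the guard and a reader may take its removal for an unrelated cleanup. For the sizing call with str == NULL and len == 0, snprintf() returns the full length, `csize >= len` fires and `csize = len > 0 ? len - 1 : 0` makes csize 0, so str is never advanced from NULL. The same clamp is what repairs the case in the commit message: when the prefix is truncated, csize becomes what snprintf() actually wrote (len - 1, leaving room for the NUL), so len stays at least 1 and str stops on the terminator instead of len going negative and str pointing past the buffer. In the loop, `csize > len` becoming `csize >= len` accounts for the NUL the "C%s" snprintf() needs: with csize == len the old check let snprintf() write a truncated compatible string; the new one skips it, and the caller still learns the real size because `tsize += csize` runs before the check.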
    --
    2.47.2

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
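The commit message quoted in this report (and again in the 6.1 backport later in this bug) describes two things: len going negative and str walking past the buffer when the first snprintf() truncates, and the off-by-one in the per-compatible check. The following is an added userspace model written for this page, not code from the kernel, from Debian, or from anyone in this thread. It assumes a hypothetical `struct dt_node` in place of `struct device_node`, simplifies the `%pOFn` formatting to a plain string, and adds a `fixed` switch so the 6.1.133 checks and the backported ones can be run side by side on a constructed node; the `sample_node` data is made up.

```c
/* Added model of of_device_get_modalias(); not kernel code. struct dt_node,
 * the "fixed" switch and the sample node below are this example's own. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

struct dt_node {		/* hypothetical stand-in for struct device_node */
	const char *name;	/* what %pOFn would print */
	const char *type;	/* what of_node_get_device_type() returns */
	const char **compat;	/* the "compatible" string list */
	size_t ncompat;
};

struct walk_state {		/* where str and len ended up, for inspection */
	ptrdiff_t off;		/* final str minus the buffer start */
	ssize_t len;		/* final len */
};

/* Same control flow as the kernel helper: returns the size the whole
 * modalias needs (tsize) and writes at most len bytes into str.
 * fixed == 0 is the 6.1.133 code, fixed == 1 applies the backported checks. */
static ssize_t build_modalias(const struct dt_node *np, char *str, ssize_t len,
			      int fixed, struct walk_state *ws)
{
	char *start = str;
	ssize_t csize, tsize;
	size_t i;

	/* Name & Type */
	csize = snprintf(str, len, "of:N%sT%s", np->name, np->type);
	tsize = csize;
	if (fixed && csize >= len)		/* added by the patch */
		csize = len > 0 ? len - 1 : 0;	/* what snprintf wrote, minus the NUL */
	len -= csize;
	if (str)	/* the patch drops this guard; kept so NULL + 0 is never formed */
		str += csize;

	for (i = 0; i < np->ncompat; i++) {
		const char *compat = np->compat[i];
		char *c;

		csize = strlen(compat) + 1;
		tsize += csize;
		/* old ">" lets a compat of exactly len bytes through and snprintf
		 * truncates it; the new ">=" skips it instead */
		if (fixed ? csize >= len : csize > len)
			continue;

		csize = snprintf(str, len, "C%s", compat);
		for (c = str; c; ) {		/* spaces become '_', as in the kernel */
			c = strchr(c, ' ');
			if (c)
				*c++ = '_';
		}
		len -= csize;
		str += csize;
	}

	if (ws) {
		ws->off = str - start;
		ws->len = len;
	}
	return tsize;
}

/* Two-pass use as in of_device_request_module(): size with (NULL, 0), then fill. */
static char *alloc_modalias(const struct dt_node *np, int fixed)
{
	ssize_t size = build_modalias(np, NULL, 0, fixed, NULL);
	char *buf;

	if (size < 0)
		return NULL;
	size++;				/* room for the terminating NUL */
	buf = malloc(size);
	if (buf)
		build_modalias(np, buf, size, fixed, NULL);
	return buf;
}

/* Caller-side check as in of_device_uevent_modalias(): a result >= len
 * means the modalias did not fit and the caller has to report -ENOMEM. */
static int modalias_fits(const struct dt_node *np, char *buf, ssize_t len, int fixed)
{
	ssize_t sl = build_modalias(np, buf, len, fixed, NULL);

	return sl >= 0 && sl < len;
}

/* Constructed sample node, not taken from any real device tree. */
static const char *sample_compat[] = { "vendor,chip v2", "generic-eth" };
static const struct dt_node sample_node = { "eth0", "ethernet", sample_compat, 2 };

int main(void)
{
	/* arena is bigger than any len passed below, so the old code's pointer
	 * past "len" still lands inside a real object in this model */
	char arena[64];
	struct walk_state ws;
	char *full = alloc_modalias(&sample_node, 1);

	printf("full: %s\n", full);
	free(full);
	/* len too small even for the name/type prefix */
	build_modalias(&sample_node, arena, 4, 0, &ws);
	printf("old: str moved %td past start, len=%zd\n", ws.off, ws.len);
	build_modalias(&sample_node, arena, 4, 1, &ws);
	printf("new: str moved %td past start, len=%zd\n", ws.off, ws.len);
	/* len equal to tsize, one byte short of the NUL */
	build_modalias(&sample_node, arena, 44, 0, &ws);
	printf("old at 44: \"%s\"\n", arena);
	build_modalias(&sample_node, arena, 44, 1, &ws);
	printf("new at 44: \"%s\"\n", arena);
	return 0;
}
```

With a 4-byte len the old path leaves str 17 bytes past the start and len at -13; the new path stops str on the NUL at offset 3 with len 1. With len equal to the 44-byte tsize the old `csize > len` check emits a silently truncated "Cgeneric-et", while the new `csize >= len` check skips that compatible; in both cases the return value is 44, which is what lets the uevent caller detect that the buffer was too small.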
  • From Salvatore Bonaccorso@21:1/5 to Hideki Yamane on Wed Apr 16 06:00:01 2025
    XPost: linux.debian.kernel

    # wontfix unless fixed upstream in 6.1.y series
    Control: tags -1 + wontfix

    Hi Hideki

    On Wed, Apr 16, 2025 at 07:38:54AM +0900, Hideki Yamane wrote:
    > Source: linux
    > Version: 6.1.133-1
    > Severity: normal
    > X-Debbugs-Cc: henrich@debian.org
    >
    > Dear Maintainers,
    >
    > I've investigated CVE-2024-38541 since I'm running Debian 12 instances
    > on AWS and Amazon Inspector alerts it is critical vuln.
    >
    > It seems that it is easily applied to 6.1 branch with some modification
    > as attached patch. I've already sent it to original author and reviewer
    > but not get any reply, so I'm maybe wrong...

    Can you elaborate why you think the AWS and Amazon Inspector are
    correct and it is a critical vulnerability?

    Context: https://www.debian.org/security/faq#cve-severity-assessment

    The last time we got the very same question on the security team for CVE-2024-38541:

    | On Mon, Mar 31, 2025 at 01:13:59PM -0700, [...] wrote:
    | > Hi,
    | >
    | > I am wondering if the following CVE's fixed in trixie/sid will be
    | > backported to bullseye and bookworm?
    | >
    | > https://security-tracker.debian.org/tracker/CVE-2024-38541
    | > https://security-tracker.debian.org/tracker/CVE-2024-38564
    | > https://security-tracker.debian.org/tracker/CVE-2024-50061
    |
    | CVE-2024-50061 is already fixed in the latest Bookworm point release.
    |
    | For the other two, if you want to see them fixed, you can work
    | with the maintainers of the 6.1.x LTS kernel tree to accept a
    | backport:
    | https://github.com/torvalds/linux/blob/master/Documentation/process/stable-kernel-rules.rst
    |
    | The subsequent Debian update will then pick up the fix since we follow
    | the 6.1.x series.

    The reason you do not get a reply might be related to a change in
    upstream linux done around 18th October 2024.

    Regards,
    Salvatore

  • From Uwe Kleine-König@21:1/5 to All on Fri Apr 25 16:00:01 2025
    XPost: linux.debian.kernel

    From: Sergey Shtylyov <s.shtylyov@omp.ru>

    [ Upstream commit cf7385cb26ac4f0ee6c7385960525ad534323252 ]

    In of_modalias(), if the buffer happens to be too small even for the 1st
    snprintf() call, the len parameter will become negative and the str parameter
    (if not NULL initially) will point beyond the buffer's end. Add the buffer
    overflow check after the 1st snprintf() call and fix such a check after the
    strlen() call (accounting for the terminating NUL char).

    Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings")
    Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
    Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Uwe Kleine-König <ukleinek@debian.org>
    ---
    Hello,

    commit cf7385cb26ac4f0ee6c7385960525ad534323252 was already backported to
    stable/linux-6.6.y as commit 0b0d5701a8bf02f8fee037e81aacf6746558bfd6.
    In 6.1 the function to fix is in a different file and differently named
    since v6.1 lacks commits 5c3d15e127eb ("of: Update
    of_device_get_modalias()") and bd7a7ed774af ("of: Move of_modalias() to
    module.c").

    This is the respective backport to 6.1. Looking into that commit was
    triggered by https://bugs.debian.org/1103277 and my backport is
    identical to this bug's reporter's. Thanks for considering it for the
    next 6.1.y update.

    Best regards
    Uwe

    drivers/of/device.c | 7 ++++---
    1 file changed, 4 insertions(+), 3 deletions(-)

    diff --git a/drivers/of/device.c b/drivers/of/device.c
    index ce225d2590b5..91d92bfe5735 100644
    --- a/drivers/of/device.c
    +++ b/drivers/of/device.c
    @@ -264,14 +264,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len
    csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node,
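    Review bot: the index line ce225d2590b5..91d92bfe5735 and the hunk header @@ -264,14 +264,15 @@ match the patch in the first message exactly, which is consistent with the cover note's statement that this backport is identical to the reporter's; the diffstat (4 insertions, 3 deletions in drivers/of/device.c) matches as well. The upstream commit message kept here talks about of_modalias(), while the function actually being patched in 6.1 is of_device_get_modalias() in drivers/of/device.c; since the explanation of that rename sits below the "---" line and will be dropped when the patch is applied, a one-line note in the commit message itself (above the Signed-off-by chain) would preserve it in the 6.1.y history.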