CVE-2024-44941

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to cover read extent cache access with lock syzbot reports a f2fs bug as below: BUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46 Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097 CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46 do_read_inode fs/f2fs/inode.c:509 [inline] f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560 f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237 generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413 exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444 exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584 do_handle_to_path fs/fhandle.c:155 [inline] handle_to_path fs/fhandle.c:210 [inline] do_handle_open+0x495/0x650 fs/fhandle.c:226 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f We missed to cover sanity_check_extent_cache() w/ extent cache lock, so, below race case may happen, result in use after free issue. - f2fs_iget - do_read_inode - f2fs_init_read_extent_tree : add largest extent entry in to cache - shrink - f2fs_shrink_read_extent_tree - __shrink_extent_tree - __detach_extent_node : drop largest extent entry - sanity_check_extent_cache : access et->largest w/o lock let's refactor sanity_check_extent_cache() to avoid extent cache access and call it before f2fs_init_read_extent_tree() to fix this issue.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

12 Sep 2024, 20:57

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
CWE CWE-416
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/263df78166d3a9609b97d28c34029bd01874cbb8 - () https://git.kernel.org/stable/c/263df78166d3a9609b97d28c34029bd01874cbb8 - Patch
References () https://git.kernel.org/stable/c/323ef20b5558b9d9fd10c1224327af6f11a8177d - () https://git.kernel.org/stable/c/323ef20b5558b9d9fd10c1224327af6f11a8177d - Patch
References () https://git.kernel.org/stable/c/d7409b05a64f212735f0d33f5f1602051a886eab - () https://git.kernel.org/stable/c/d7409b05a64f212735f0d33f5f1602051a886eab - Patch
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: f2fs: corrección para cubrir el acceso a la caché de extensión de lectura con bloqueo syzbot informa un error de f2fs como se muestra a continuación: ERROR: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/ f2fs/extent_cache.c:46 Lectura de tamaño 4 en la dirección ffff8880739ab220 por tarea syz-executor200/5097 CPU: 0 PID: 5097 Comm: syz-executor200 No contaminado 6.9.0-rc6-syzkaller #0 Nombre de hardware: Google Google Compute Engine /Google Compute Engine, BIOS Google 27/03/2024 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c: 377 [en línea] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46 do_read_inode fs/f2fs /inode.c:509 [en línea] f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560 f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237 generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413 exportar fs_decode_fh_raw +0x152/0x5f0 fs/exportfs/expfs.c:444 exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584 do_handle_to_path fs/fhandle.c:155 [en línea] handle_to_path fs/fhandle.c:210 [en línea] do_handle_open +0x495/0x650 fs/fhandle.c:226 do_syscall_x64 arch/x86/entry/common.c:52 [en línea] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 Entry_SYSCALL_64_after_hwframe+0x77/0x7f Nos perdimos cubra sanity_check_extent_cache() con bloqueo de caché de extensión, por lo que, puede ocurrir el siguiente caso de ejecución, lo que resultará en un problema de use after free. - f2fs_iget - do_read_inode - f2fs_init_read_extent_tree: agrega la entrada de mayor extensión al caché - encogimiento - f2fs_shrink_read_extent_tree - __shrink_extent_tree - __detach_extent_node: elimina la entrada de mayor extensión - sanity_check_extent_cache: accede a et-&gt;largest sin bloqueo, refactoricemos sanity_check_extent_cache() para evitar el caché de extensión acceso y llámelo antes de f2fs_init_read_extent_tree() para solucionar este problema.
First Time Linux linux Kernel
Linux

26 Aug 2024, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-26 12:15

Updated : 2024-09-12 20:57


NVD link : CVE-2024-44941

Mitre link : CVE-2024-44941

CVE.ORG link : CVE-2024-44941


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free