CVE-2024-47691

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread() syzbot reports a f2fs bug as below: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_report+0xe8/0x550 mm/kasan/report.c:491 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline] __refcount_add include/linux/refcount.h:184 [inline] __refcount_inc include/linux/refcount.h:241 [inline] refcount_inc include/linux/refcount.h:258 [inline] get_task_struct include/linux/sched/task.h:118 [inline] kthread_stop+0xca/0x630 kernel/kthread.c:704 f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210 f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283 f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline] __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The root cause is below race condition, it may cause use-after-free issue in sbi->gc_th pointer. - remount - f2fs_remount - f2fs_stop_gc_thread - kfree(gc_th) - f2fs_ioc_shutdown - f2fs_do_shutdown - f2fs_stop_gc_thread - kthread_stop(gc_th->f2fs_gc_task) : sbi->gc_thread = NULL; We will call f2fs_do_shutdown() in two paths: - for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore for fixing. - for f2fs_shutdown() path, it's safe since caller has already grabbed sb->s_umount semaphore.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

23 Oct 2024, 20:42

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CWE CWE-416
References () https://git.kernel.org/stable/c/7c339dee7eb0f8e4cadc317c595f898ef04dae30 - () https://git.kernel.org/stable/c/7c339dee7eb0f8e4cadc317c595f898ef04dae30 - Patch
References () https://git.kernel.org/stable/c/c7f114d864ac91515bb07ac271e9824a20f5ed95 - () https://git.kernel.org/stable/c/c7f114d864ac91515bb07ac271e9824a20f5ed95 - Patch
References () https://git.kernel.org/stable/c/d79343cd66343709e409d96b2abb139a0a55ce34 - () https://git.kernel.org/stable/c/d79343cd66343709e409d96b2abb139a0a55ce34 - Patch
References () https://git.kernel.org/stable/c/fc18e655b62ac6bc9f12f5de0d749b4a3fe1e812 - () https://git.kernel.org/stable/c/fc18e655b62ac6bc9f12f5de0d749b4a3fe1e812 - Patch
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: corrección para evitar el use after free en f2fs_stop_gc_thread() syzbot informa un error de f2fs como el siguiente: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_report+0xe8/0x550 mm/kasan/report.c:491 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [en línea] atomic_fetch_add_relaxed incluir/linux/atomic/atomic-instrumented.h:252 [en línea] __refcount_add incluir/linux/refcount.h:184 [en línea] __refcount_inc incluir/linux/refcount.h:241 [en línea] refcount_inc incluir/linux/refcount.h:258 [en línea] obtener_estructura_de_tareas incluir/linux/sched/task.h:118 [en línea] kthread_stop+0xca/0x630 kernel/kthread.c:704 f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210 f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283 f2fs_ioc_shutdown fs/f2fs/file.c:2325 [en línea] __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325 vfs_ioctl fs/ioctl.c:51 [en línea] __do_sys_ioctl fs/ioctl.c:907 [en línea] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [en línea] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f La causa raíz está a continuación de la condición de ejecución, puede causar un problema de use after free en el puntero sbi->gc_th. - remontar - f2fs_remount - f2fs_stop_gc_thread - kfree(gc_th) - f2fs_ioc_shutdown - f2fs_do_shutdown - f2fs_stop_gc_thread - kthread_stop(gc_th->f2fs_gc_task) : sbi->gc_thread = NULL; Llamaremos a f2fs_do_shutdown() en dos rutas: - para la ruta f2fs_ioc_shutdown(), debemos tomar el semáforo sb->s_umount para arreglarlo. - para la ruta f2fs_shutdown(), es seguro ya que el llamador ya ha tomado el semáforo sb->s_umount.
First Time Linux linux Kernel
Linux

21 Oct 2024, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-21 12:15

Updated : 2024-10-23 20:42


NVD link : CVE-2024-47691

Mitre link : CVE-2024-47691

CVE.ORG link : CVE-2024-47691


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free