CVE-2024-56779

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-56779
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur The action force umount(umount -f) will attempt to kill all rpc_task even umount operation may ultimately fail if some files remain open. Consequently, if an action attempts to open a file, it can potentially send two rpc_task to nfs server. NFS CLIENT thread1 thread2 open("file") ... nfs4_do_open _nfs4_do_open _nfs4_open_and_get_state _nfs4_proc_open nfs4_run_open_task /* rpc_task1 */ rpc_run_task rpc_wait_for_completion_task umount -f nfs_umount_begin rpc_killall_tasks rpc_signal_task rpc_task1 been wakeup and return -512 _nfs4_do_open // while loop ... nfs4_run_open_task /* rpc_task2 */ rpc_run_task rpc_wait_for_completion_task While processing an open request, nfsd will first attempt to find or allocate an nfs4_openowner. If it finds an nfs4_openowner that is not marked as NFS4_OO_CONFIRMED, this nfs4_openowner will released. Since two rpc_task can attempt to open the same file simultaneously from the client to server, and because two instances of nfsd can run concurrently, this situation can lead to lots of memory leak. Additionally, when we echo 0 to /proc/fs/nfsd/threads, warning will be triggered. NFS SERVER nfsd1 nfsd2 echo 0 > /proc/fs/nfsd/threads nfsd4_open nfsd4_process_open1 find_or_alloc_open_stateowner // alloc oo1, stateid1 nfsd4_open nfsd4_process_open1 find_or_alloc_open_stateowner // find oo1, without NFS4_OO_CONFIRMED release_openowner unhash_openowner_locked list_del_init(&oo->oo_perclient) // cannot find this oo // from client, LEAK!!! alloc_stateowner // alloc oo2 nfsd4_process_open2 init_open_stateid // associate oo1 // with stateid1, stateid1 LEAK!!! nfs4_get_vfs_file // alloc nfsd_file1 and nfsd_file_mark1 // all LEAK!!! nfsd4_process_open2 ... write_threads ... nfsd_destroy_serv nfsd_shutdown_net nfs4_state_shutdown_net nfs4_state_destroy_net destroy_client __destroy_client // won't find oo1!!! nfsd_shutdown_generic nfsd_file_cache_shutdown kmem_cache_destroy for nfsd_file_slab and nfsd_file_mark_slab // bark since nfsd_file1 // and nfsd_file_mark1 // still alive ======================================================================= BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown() ----------------------------------------------------------------------- Slab 0xffd4000004438a80 objects=34 used=1 fp=0xff11000110e2ad28 flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff) CPU: 4 UID: 0 PID: 757 Comm: sh Not tainted 6.12.0-rc6+ #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dum ---truncated---

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/0ab0a3ad24e970e894abcac58f85c332d1726749 Patch
https://git.kernel.org/stable/c/2d505a801e57428057563762f67a5a62009b2600 Patch
https://git.kernel.org/stable/c/37dfc81266d3a32294524bfadd3396614f8633ee Patch
https://git.kernel.org/stable/c/45abb68c941ebc9a35c6d3a7b08196712093c636 Patch
https://git.kernel.org/stable/c/6f73f920b7ad0084373e46121d7ac34117aed652 Patch
https://git.kernel.org/stable/c/98100e88dd8865999dc6379a3356cd799795fe7b Patch
https://git.kernel.org/stable/c/a85364f0d30dee01c5d5b4afa55a9629a8f36d8e Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
History

09 Jan 2025, 21:48

Type Values Removed Values Added
First Time Linux
Linux linux Kernel
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5
CWE CWE-401
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfsd: se corrige la pérdida de nfs4_openowner cuando se producen nfsd4_open concurrentes. La acción force umount(umount -f) intentará eliminar todas las rpc_task, aunque la operación umount puede fallar si algunos archivos permanecen abiertos. En consecuencia, si una acción intenta abrir un archivo, puede enviar dos rpc_task al servidor nfs. CLIENTE NFS thread1 thread2 open("archivo") ... nfs4_do_open _nfs4_do_open _nfs4_open_and_get_state _nfs4_proc_open nfs4_run_open_task /* rpc_task1 */ rpc_run_task rpc_wait_for_completion_task umount -f nfs_umount_begin rpc_killall_tasks rpc_signal_task rpc_task1 se ha activado y ha devuelto -512 _nfs4_do_open // bucle while ... nfs4_run_open_task /* rpc_task2 */ rpc_run_task rpc_wait_for_completion_task Mientras se procesa una solicitud de apertura, nfsd primero intentará encontrar o asignar un nfs4_openowner. Si encuentra un nfs4_openowner que no esté marcado como NFS4_OO_CONFIRMED, este nfs4_openowner se liberará. Dado que dos rpc_task pueden intentar abrir el mismo archivo simultáneamente desde el cliente al servidor, y debido a que dos instancias de nfsd pueden ejecutarse simultáneamente, esta situación puede provocar una gran pérdida de memoria. Además, cuando hacemos eco de 0 en /proc/fs/nfsd/threads, se activará una advertencia. SERVIDOR NFS nfsd1 nfsd2 echo 0 &gt; /proc/fs/nfsd/threads nfsd4_open nfsd4_process_open1 find_or_alloc_open_stateowner // asignar oo1, stateid1 nfsd4_open nfsd4_process_open1 find_or_alloc_open_stateowner // encontrar oo1, sin NFS4_OO_CONFIRMED release_openowner unhash_openowner_locked list_del_init(&amp;oo-&gt;oo_perclient) // no se puede encontrar este oo // del cliente, ¡FUGA! alloc_stateowner // asignar oo2 nfsd4_process_open2 init_open_stateid // asociar oo1 // con stateid1, stateid1 ¡FUGA! nfs4_get_vfs_file // asignar nfsd_file1 y nfsd_file_mark1 // ¡¡¡TODOS FUGAN!!! nfsd4_process_open2 ... subprocesos de escritura ... nfsd_destroy_serv nfsd_shutdown_net nfs4_state_shutdown_net nfs4_state_destroy_net destroy_client __destroy_client // ¡¡¡No encontrará oo1!!! nfsd_shutdown_generic nfsd_file_cache_shutdown kmem_cache_destroy para nfsd_file_slab y nfsd_file_mark_slab // sin cambios desde nfsd_file1 // y nfsd_file_mark1 // siguen activos ============================================================================ ERROR nfsd_file (no contaminado): objetos que permanecen en nfsd_file en __kmem_cache_shutdown() ----------------------------------------------------------------------- Slab 0xffd4000004438a80 objetos=34 usados=1 fp=0xff11000110e2ad28 flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff) CPU: 4 UID: 0 PID: 757 Comm: sh No contaminado 6.12.0-rc6+ #19 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 01/04/2014 Seguimiento de llamadas: dum ---truncado---
References () https://git.kernel.org/stable/c/0ab0a3ad24e970e894abcac58f85c332d1726749 - () https://git.kernel.org/stable/c/0ab0a3ad24e970e894abcac58f85c332d1726749 - Patch
References () https://git.kernel.org/stable/c/2d505a801e57428057563762f67a5a62009b2600 - () https://git.kernel.org/stable/c/2d505a801e57428057563762f67a5a62009b2600 - Patch
References () https://git.kernel.org/stable/c/37dfc81266d3a32294524bfadd3396614f8633ee - () https://git.kernel.org/stable/c/37dfc81266d3a32294524bfadd3396614f8633ee - Patch
References () https://git.kernel.org/stable/c/45abb68c941ebc9a35c6d3a7b08196712093c636 - () https://git.kernel.org/stable/c/45abb68c941ebc9a35c6d3a7b08196712093c636 - Patch
References () https://git.kernel.org/stable/c/6f73f920b7ad0084373e46121d7ac34117aed652 - () https://git.kernel.org/stable/c/6f73f920b7ad0084373e46121d7ac34117aed652 - Patch
References () https://git.kernel.org/stable/c/98100e88dd8865999dc6379a3356cd799795fe7b - () https://git.kernel.org/stable/c/98100e88dd8865999dc6379a3356cd799795fe7b - Patch
References () https://git.kernel.org/stable/c/a85364f0d30dee01c5d5b4afa55a9629a8f36d8e - () https://git.kernel.org/stable/c/a85364f0d30dee01c5d5b4afa55a9629a8f36d8e - Patch

08 Jan 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-08 18:15

Updated : 2025-01-09 21:48

NVD link : CVE-2024-56779

Mitre link : CVE-2024-56779

CVE.ORG link : CVE-2024-56779

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-401

Missing Release of Memory after Effective Lifetime