fkie_cve-2024-53182
Vulnerability from fkie_nvd
Published
2024-12-27 14:15
Modified
2025-03-24 17:26
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: Revert "block, bfq: merge bfq_release_process_ref() into bfq_put_cooperator()" This reverts commit bc3b1e9e7c50e1de0f573eea3871db61dd4787de. The bic is associated with sync_bfqq, and bfq_release_process_ref cannot be put into bfq_put_cooperator. kasan report: [ 400.347277] ================================================================== [ 400.347287] BUG: KASAN: slab-use-after-free in bic_set_bfqq+0x200/0x230 [ 400.347420] Read of size 8 at addr ffff88881cab7d60 by task dockerd/5800 [ 400.347430] [ 400.347436] CPU: 24 UID: 0 PID: 5800 Comm: dockerd Kdump: loaded Tainted: G E 6.12.0 #32 [ 400.347450] Tainted: [E]=UNSIGNED_MODULE [ 400.347454] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022 [ 400.347460] Call Trace: [ 400.347464] <TASK> [ 400.347468] dump_stack_lvl+0x5d/0x80 [ 400.347490] print_report+0x174/0x505 [ 400.347521] kasan_report+0xe0/0x160 [ 400.347541] bic_set_bfqq+0x200/0x230 [ 400.347549] bfq_bic_update_cgroup+0x419/0x740 [ 400.347560] bfq_bio_merge+0x133/0x320 [ 400.347584] blk_mq_submit_bio+0x1761/0x1e20 [ 400.347625] __submit_bio+0x28b/0x7b0 [ 400.347664] submit_bio_noacct_nocheck+0x6b2/0xd30 [ 400.347690] iomap_readahead+0x50c/0x680 [ 400.347731] read_pages+0x17f/0x9c0 [ 400.347785] page_cache_ra_unbounded+0x366/0x4a0 [ 400.347795] filemap_fault+0x83d/0x2340 [ 400.347819] __xfs_filemap_fault+0x11a/0x7d0 [xfs] [ 400.349256] __do_fault+0xf1/0x610 [ 400.349270] do_fault+0x977/0x11a0 [ 400.349281] __handle_mm_fault+0x5d1/0x850 [ 400.349314] handle_mm_fault+0x1f8/0x560 [ 400.349324] do_user_addr_fault+0x324/0x970 [ 400.349337] exc_page_fault+0x76/0xf0 [ 400.349350] asm_exc_page_fault+0x26/0x30 [ 400.349360] RIP: 0033:0x55a480d77375 [ 400.349384] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 0f 86 ae 02 00 00 55 48 89 e5 48 83 ec 58 48 8b 10 <83> 7a 10 00 0f 84 27 02 00 00 44 0f b6 42 28 44 0f b6 4a 29 41 80 [ 400.349392] RSP: 002b:00007f18c37fd8b8 EFLAGS: 00010216 [ 400.349401] RAX: 00007f18c37fd9d0 RBX: 0000000000000000 RCX: 0000000000000000 [ 400.349407] RDX: 000055a484407d38 RSI: 000000c000e8b0c0 RDI: 0000000000000000 [ 400.349412] RBP: 00007f18c37fd910 R08: 000055a484017f60 R09: 000055a484066f80 [ 400.349417] R10: 0000000000194000 R11: 0000000000000005 R12: 0000000000000008 [ 400.349422] R13: 0000000000000000 R14: 000000c000476a80 R15: 0000000000000000 [ 400.349430] </TASK> [ 400.349452] [ 400.349454] Allocated by task 5800: [ 400.349459] kasan_save_stack+0x30/0x50 [ 400.349469] kasan_save_track+0x14/0x30 [ 400.349475] __kasan_slab_alloc+0x89/0x90 [ 400.349482] kmem_cache_alloc_node_noprof+0xdc/0x2a0 [ 400.349492] bfq_get_queue+0x1ef/0x1100 [ 400.349502] __bfq_get_bfqq_handle_split+0x11a/0x510 [ 400.349511] bfq_insert_requests+0xf55/0x9030 [ 400.349519] blk_mq_flush_plug_list+0x446/0x14c0 [ 400.349527] __blk_flush_plug+0x27c/0x4e0 [ 400.349534] blk_finish_plug+0x52/0xa0 [ 400.349540] _xfs_buf_ioapply+0x739/0xc30 [xfs] [ 400.350246] __xfs_buf_submit+0x1b2/0x640 [xfs] [ 400.350967] xfs_buf_read_map+0x306/0xa20 [xfs] [ 400.351672] xfs_trans_read_buf_map+0x285/0x7d0 [xfs] [ 400.352386] xfs_imap_to_bp+0x107/0x270 [xfs] [ 400.353077] xfs_iget+0x70d/0x1eb0 [xfs] [ 400.353786] xfs_lookup+0x2ca/0x3a0 [xfs] [ 400.354506] xfs_vn_lookup+0x14e/0x1a0 [xfs] [ 400.355197] __lookup_slow+0x19c/0x340 [ 400.355204] lookup_one_unlocked+0xfc/0x120 [ 400.355211] ovl_lookup_single+0x1b3/0xcf0 [overlay] [ 400.355255] ovl_lookup_layer+0x316/0x490 [overlay] [ 400.355295] ovl_lookup+0x844/0x1fd0 [overlay] [ 400.355351] lookup_one_qstr_excl+0xef/0x150 [ 400.355357] do_unlinkat+0x22a/0x620 [ 400.355366] __x64_sys_unlinkat+0x109/0x1e0 [ 400.355375] do_syscall_64+0x82/0x160 [ 400.355384] entry_SYSCALL_64_after_hwframe+0x76/0x7 ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7baf94232651f39f7108c23bc9548bff89bdc77bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cf5a60d971c7b59efb89927919404be655a9e35aPatch
Impacted products
Vendor Product Version
linux linux_kernel *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8882B1B-2ABC-4838-AC1D-DBDBB5764776",
              "versionEndExcluding": "6.12.2",
              "versionStartIncluding": "6.12",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"block, bfq: merge bfq_release_process_ref() into bfq_put_cooperator()\"\n\nThis reverts commit bc3b1e9e7c50e1de0f573eea3871db61dd4787de.\n\nThe bic is associated with sync_bfqq, and bfq_release_process_ref cannot\nbe put into bfq_put_cooperator.\n\nkasan report:\n[  400.347277] ==================================================================\n[  400.347287] BUG: KASAN: slab-use-after-free in bic_set_bfqq+0x200/0x230\n[  400.347420] Read of size 8 at addr ffff88881cab7d60 by task dockerd/5800\n[  400.347430]\n[  400.347436] CPU: 24 UID: 0 PID: 5800 Comm: dockerd Kdump: loaded Tainted: G E 6.12.0 #32\n[  400.347450] Tainted: [E]=UNSIGNED_MODULE\n[  400.347454] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022\n[  400.347460] Call Trace:\n[  400.347464]  \u003cTASK\u003e\n[  400.347468]  dump_stack_lvl+0x5d/0x80\n[  400.347490]  print_report+0x174/0x505\n[  400.347521]  kasan_report+0xe0/0x160\n[  400.347541]  bic_set_bfqq+0x200/0x230\n[  400.347549]  bfq_bic_update_cgroup+0x419/0x740\n[  400.347560]  bfq_bio_merge+0x133/0x320\n[  400.347584]  blk_mq_submit_bio+0x1761/0x1e20\n[  400.347625]  __submit_bio+0x28b/0x7b0\n[  400.347664]  submit_bio_noacct_nocheck+0x6b2/0xd30\n[  400.347690]  iomap_readahead+0x50c/0x680\n[  400.347731]  read_pages+0x17f/0x9c0\n[  400.347785]  page_cache_ra_unbounded+0x366/0x4a0\n[  400.347795]  filemap_fault+0x83d/0x2340\n[  400.347819]  __xfs_filemap_fault+0x11a/0x7d0 [xfs]\n[  400.349256]  __do_fault+0xf1/0x610\n[  400.349270]  do_fault+0x977/0x11a0\n[  400.349281]  __handle_mm_fault+0x5d1/0x850\n[  400.349314]  handle_mm_fault+0x1f8/0x560\n[  400.349324]  do_user_addr_fault+0x324/0x970\n[  400.349337]  exc_page_fault+0x76/0xf0\n[  400.349350]  asm_exc_page_fault+0x26/0x30\n[  400.349360] RIP: 0033:0x55a480d77375\n[  400.349384] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 0f 86 ae 02 00 00 55 48 89 e5 48 83 ec 58 48 8b 10 \u003c83\u003e 7a 10 00 0f 84 27 02 00 00 44 0f b6 42 28 44 0f b6 4a 29 41 80\n[  400.349392] RSP: 002b:00007f18c37fd8b8 EFLAGS: 00010216\n[  400.349401] RAX: 00007f18c37fd9d0 RBX: 0000000000000000 RCX: 0000000000000000\n[  400.349407] RDX: 000055a484407d38 RSI: 000000c000e8b0c0 RDI: 0000000000000000\n[  400.349412] RBP: 00007f18c37fd910 R08: 000055a484017f60 R09: 000055a484066f80\n[  400.349417] R10: 0000000000194000 R11: 0000000000000005 R12: 0000000000000008\n[  400.349422] R13: 0000000000000000 R14: 000000c000476a80 R15: 0000000000000000\n[  400.349430]  \u003c/TASK\u003e\n[  400.349452]\n[  400.349454] Allocated by task 5800:\n[  400.349459]  kasan_save_stack+0x30/0x50\n[  400.349469]  kasan_save_track+0x14/0x30\n[  400.349475]  __kasan_slab_alloc+0x89/0x90\n[  400.349482]  kmem_cache_alloc_node_noprof+0xdc/0x2a0\n[  400.349492]  bfq_get_queue+0x1ef/0x1100\n[  400.349502]  __bfq_get_bfqq_handle_split+0x11a/0x510\n[  400.349511]  bfq_insert_requests+0xf55/0x9030\n[  400.349519]  blk_mq_flush_plug_list+0x446/0x14c0\n[  400.349527]  __blk_flush_plug+0x27c/0x4e0\n[  400.349534]  blk_finish_plug+0x52/0xa0\n[  400.349540]  _xfs_buf_ioapply+0x739/0xc30 [xfs]\n[  400.350246]  __xfs_buf_submit+0x1b2/0x640 [xfs]\n[  400.350967]  xfs_buf_read_map+0x306/0xa20 [xfs]\n[  400.351672]  xfs_trans_read_buf_map+0x285/0x7d0 [xfs]\n[  400.352386]  xfs_imap_to_bp+0x107/0x270 [xfs]\n[  400.353077]  xfs_iget+0x70d/0x1eb0 [xfs]\n[  400.353786]  xfs_lookup+0x2ca/0x3a0 [xfs]\n[  400.354506]  xfs_vn_lookup+0x14e/0x1a0 [xfs]\n[  400.355197]  __lookup_slow+0x19c/0x340\n[  400.355204]  lookup_one_unlocked+0xfc/0x120\n[  400.355211]  ovl_lookup_single+0x1b3/0xcf0 [overlay]\n[  400.355255]  ovl_lookup_layer+0x316/0x490 [overlay]\n[  400.355295]  ovl_lookup+0x844/0x1fd0 [overlay]\n[  400.355351]  lookup_one_qstr_excl+0xef/0x150\n[  400.355357]  do_unlinkat+0x22a/0x620\n[  400.355366]  __x64_sys_unlinkat+0x109/0x1e0\n[  400.355375]  do_syscall_64+0x82/0x160\n[  400.355384]  entry_SYSCALL_64_after_hwframe+0x76/0x7\n---truncated---"
    },
    {
      "lang": "es",
      "value": "En el n\u00facleo de Linux, se ha resuelto la siguiente vulnerabilidad: Revertir \"block, bfq: merge bfq_release_process_ref() into bfq_put_cooperator()\" Esto revierte el commit bc3b1e9e7c50e1de0f573eea3871db61dd4787de. El bic est\u00e1 asociado con sync_bfqq y bfq_release_process_ref no se puede colocar en bfq_put_cooperator. informe de kasan: [ 400.347277] ======================================================================= [ 400.347287] ERROR: KASAN: slab-use-after-free en bic_set_bfqq+0x200/0x230 [ 400.347420] Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff88881cab7d60 por la tarea dockerd/5800 [ 400.347430] [ 400.347436] CPU: 24 UID: 0 PID: 5800 Comm: dockerd Kdump: cargado Tainted: GE 6.12.0 #32 [ 400.347450] Contaminado: [E]=UNSIGNED_MODULE [ 400.347454] Nombre del hardware: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 28/07/2022 [ 400.347460] Seguimiento de llamadas: [ 400.347464]  [ 400.347468] dump_stack_lvl+0x5d/0x80 [ 400.347490] print_report+0x174/0x505 [ 400.347521] kasan_report+0xe0/0x160 [ 400.347541] bic_set_bfqq+0x200/0x230 [ 400.347549] bfq_bic_update_cgroup+0x419/0x740 [ 400.347560] bfq_bio_merge+0x133/0x320 [ 400.347584] blk_mq_submit_bio+0x1761/0x1e20 [ 400.347625] __submit_bio+0x28b/0x7b0 [ 400.347664] enviar_bio_noacct_nocheck+0x6b2/0xd30 [ 400.347690] iomap_readahead+0x50c/0x680 [ 400.347731] p\u00e1ginas_de_lectura+0x17f/0x9c0 [ 400.347785] cach\u00e9_de_p\u00e1gina_ra_sin_l\u00edmites+0x366/0x4a0 [ 400.347795] error_mapa_archivo+0x83d/0x2340 [ 400.347819] error_mapa_archivo_xfs+0x11a/0x7d0 [xfs] [ 400.349256] error_do+0xf1/0x610 [ 400.349270] error_do+0x977/0x11a0 [ 400.349281] error_mm_gestionar+0x5d1/0x850 [ 400.349314] handle_mm_fault+0x1f8/0x560 [ 400.349324] do_user_addr_fault+0x324/0x970 [ 400.349337] exc_page_fault+0x76/0xf0 [ 400.349350] asm_exc_page_fault+0x26/0x30 [ 400.349360] RIP: 0033:0x55a480d77375 [ 400.349384] C\u00f3digo: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 0f 86 ae 02 00 00 55 48 89 e5 48 83 ec 58 48 8b 10 \u0026lt;83\u0026gt; 7a 10 00 0f 84 27 02 00 00 44 0f b6 42 28 44 0f b6 4a 29 41 80 [ 400.349392] RSP: 002b:00007f18c37fd8b8 EFLAGS: 00010216 [ 400.349401] RAX: 00007f18c37fd9d0 RBX: 000000000000000 RCX: 0000000000000000 [ 400.349407] RDX: 000055a484407d38 RSI: 000000c000e8b0c0 RDI: 0000000000000000 [ 400.349412] RBP: 00007f18c37fd910 R08: 000055a484017f60 R09: 000055a484066f80 [ 400.349417] R10: 0000000000194000 R11: 0000000000000005 R12: 0000000000000008 [ 400.349422] R13: 0000000000000000 R14: 000000c000476a80 R15: 0000000000000000 [ 400.349430]  [ 400.349452] [ 400.349454] Asignado por la tarea 5800: [ 400.349459] kasan_save_stack+0x30/0x50 [ 400.349469] kasan_save_track+0x14/0x30 [ 400.349475] __kasan_slab_alloc+0x89/0x90 [ 400.349482] kmem_cache_alloc_node_noprof+0xdc/0x2a0 [ 400.349492] bfq_get_queue+0x1ef/0x1100 [ 400.349502] __bfq_get_bfqq_handle_split+0x11a/0x510 [ 400.349511] bfq_insert_requests+0xf55/0x9030 [ 400.349519] blk_mq_flush_plug_list+0x446/0x14c0 [ 400.349527] __blk_flush_plug+0x27c/0x4e0 [ 400.349534] blk_finish_plug+0x52/0xa0 [ 400.349540] _xfs_buf_ioapply+0x739/0xc30 [xfs] [ 400.350246] __xfs_buf_submit+0x1b2/0x640 [xfs] [ 400.350967] xfs_buf_read_map+0x306/0xa20 [xfs] [ 400.351672] xfs_trans_read_buf_map+0x285/0x7d0 [xfs] [ 400.352386] xfs_imap_to_bp+0x107/0x270 [xfs] [ 400.353077] xfs_iget+0x70d/0x1eb0 [xfs] [ 400.353786] xfs_lookup+0x2ca/0x3a0 [xfs] [ 400.354506] xfs_vn_lookup+0x14e/0x1a0 [xfs] [ 400.355197] __lookup_slow+0x19c/0x340 [ 400.355204] lookup_one_unlocked+0xfc/0x120 [ 400.355211] ovl_lookup_single+0x1b3/0xcf0 [superposici\u00f3n] [ 400.355255] ovl_lookup_layer+0x316/0x490 [superposici\u00f3n] [ 400.355295] ovl_lookup+0x844/0x1fd0 [superposici\u00f3n] [ 400.355351] lookup_one_qstr_excl+0xef/0x150 [ 400.355357] do_unlinkat+0x22a/0x620 [ 400.355366] __x64_sys_unlinkat+0x109/0x1e0 [ 400.355375] do_syscall_64+0x82/0x160 [ 400.355384] entrada_SYSCALL_64_after_hwframe+0x76/0x7 ---truncado---"
    }
  ],
  "id": "CVE-2024-53182",
  "lastModified": "2025-03-24T17:26:10.660",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-27T14:15:25.643",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7baf94232651f39f7108c23bc9548bff89bdc77b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/cf5a60d971c7b59efb89927919404be655a9e35a"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.