CVE-2022-49003
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
21/10/2024
Last modified:
25/10/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

nvme: fix SRCU protection of nvme_ns_head list

Walking the nvme_ns_head siblings list is protected by the head's srcu
in nvme_ns_head_submit_bio() but not nvme_mpath_revalidate_paths().
Removing namespaces from the list also fails to synchronize the srcu.
Concurrent scan work can therefore cause use-after-frees.

Hold the head's srcu lock in nvme_mpath_revalidate_paths() and
synchronize with the srcu, not the global RCU, in nvme_ns_remove().

Observed the following panic when making NVMe/RDMA connections
with native multipath on the Rocky Linux 8.6 kernel
(it seems the upstream kernel has the same race condition).
Disassembly shows the faulting instruction is cmp 0x50(%rdx),%rcx;
computing capacity != get_capacity(ns->disk).
Address 0x50 is dereferenced because ns->disk is NULL.
The NULL disk appears to be the result of concurrent scan work
freeing the namespace (note the log line in the middle of the panic).

[37314.206036] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
[37314.206036] nvme0n3: detected capacity change from 0 to 11811160064
[37314.299753] PGD 0 P4D 0
[37314.299756] Oops: 0000 [#1] SMP PTI
[37314.299759] CPU: 29 PID: 322046 Comm: kworker/u98:3 Kdump: loaded Tainted: G W X --------- - - 4.18.0-372.32.1.el8test86.x86_64 #1
[37314.299762] Hardware name: Dell Inc. PowerEdge R720/0JP31P, BIOS 2.7.0 05/23/2018
[37314.299763] Workqueue: nvme-wq nvme_scan_work [nvme_core]
[37314.299783] RIP: 0010:nvme_mpath_revalidate_paths+0x26/0xb0 [nvme_core]
[37314.299790] Code: 1f 44 00 00 66 66 66 66 90 55 53 48 8b 5f 50 48 8b 83 c8 c9 00 00 48 8b 13 48 8b 48 50 48 39 d3 74 20 48 8d 42 d0 48 8b 50 20 3b 4a 50 74 05 f0 80 60 70 ef 48 8b 50 30 48 8d 42 d0 48 39 d3
[37315.058803] RSP: 0018:ffffabe28f913d10 EFLAGS: 00010202
[37315.121316] RAX: ffff927a077da800 RBX: ffff92991dd70000 RCX: 0000000001600000
[37315.206704] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff92991b719800
[37315.292106] RBP: ffff929a6b70c000 R08: 000000010234cd4a R09: c0000000ffff7fff
[37315.377501] R10: 0000000000000001 R11: ffffabe28f913a30 R12: 0000000000000000
[37315.462889] R13: ffff92992716600c R14: ffff929964e6e030 R15: ffff92991dd70000
[37315.548286] FS: 0000000000000000(0000) GS:ffff92b87fb80000(0000) knlGS:0000000000000000
[37315.645111] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[37315.713871] CR2: 0000000000000050 CR3: 0000002208810006 CR4: 00000000000606e0
[37315.799267] Call Trace:
[37315.828515] nvme_update_ns_info+0x1ac/0x250 [nvme_core]
[37315.892075] nvme_validate_or_alloc_ns+0x2ff/0xa00 [nvme_core]
[37315.961871] ? __blk_mq_free_request+0x6b/0x90
[37316.015021] nvme_scan_work+0x151/0x240 [nvme_core]
[37316.073371] process_one_work+0x1a7/0x360
[37316.121318] ? create_worker+0x1a0/0x1a0
[37316.168227] worker_thread+0x30/0x390
[37316.212024] ? create_worker+0x1a0/0x1a0
[37316.258939] kthread+0x10a/0x120
[37316.297557] ? set_kthread_struct+0x50/0x50
[37316.347590] ret_from_fork+0x35/0x40
[37316.390360] Modules linked in: nvme_rdma nvme_tcp(X) nvme_fabrics nvme_core netconsole iscsi_tcp libiscsi_tcp dm_queue_length dm_service_time nf_conntrack_netlink br_netfilter bridge stp llc overlay nft_chain_nat ipt_MASQUERADE nf_nat xt_addrtype xt_CT nft_counter xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment xt_multiport nft_compat nf_tables libcrc32c nfnetlink dm_multipath tg3 rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm intel_rapl_msr iTCO_wdt iTCO_vendor_support dcdbas intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ipmi_ssif kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel ib_uverbs rapl intel_cstate intel_uncore ib_core ipmi_si joydev mei_me pcspkr ipmi_devintf mei lpc_ich wmi ipmi_msghandler acpi_power_meter ex
---truncated---
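The commit message names two separate defects: the list walk in nvme_mpath_revalidate_paths() does not enter the head's SRCU read-side section, and nvme_ns_remove() waits on the global RCU grace period rather than the head's SRCU, so even a walker that did hold the head's srcu would not be waited for. The user-space model below is an added illustration, not kernel code: it replaces srcu_read_lock()/synchronize_srcu()/synchronize_rcu() with a minimal grace-period model in which a domain is a reader count and "synchronizing" on a domain means the free may only proceed once that domain has no readers. The structs, the function name remove_races_with_walk() and the single interleaving it models (the walker has already loaded a pointer to the namespace when scan work removes it) are assumptions made for the illustration. It shows that only the combination of both halves of the fix closes the race.

```c
/*
 * Added user-space model of the SRCU/RCU mismatch behind CVE-2022-49003.
 * Not kernel code: a "domain" here is just a reader count, standing in for
 * the global RCU and for the per-head SRCU (nvme_ns_head->srcu).
 * Compile with: cc -std=c99 -Wall model.c
 */
#include <stdbool.h>
#include <stdio.h>

/* One grace-period domain: global RCU or a per-head SRCU (assumption). */
struct rcu_domain {
    int readers;            /* readers currently inside a read-side section */
};

static struct rcu_domain global_rcu;    /* what synchronize_rcu() waits on */

struct ns {                 /* stand-in for struct nvme_ns */
    struct ns *next;        /* siblings list link */
    long capacity;          /* stand-in for get_capacity(ns->disk) */
    bool ready;             /* stand-in for the NVME_NS_READY bit */
    bool freed;             /* set once the "memory" is returned to the allocator */
};

struct ns_head {            /* stand-in for struct nvme_ns_head */
    struct rcu_domain srcu; /* what synchronize_srcu(&head->srcu) waits on */
    struct ns *list;        /* the siblings list walked by revalidate_paths */
    long capacity;          /* get_capacity(head->disk) */
};

/* In the kernel a synchronize on a domain with active readers blocks;
 * in this single-threaded model we only ask whether it could complete now. */
static bool grace_period_can_complete(const struct rcu_domain *d)
{
    return d->readers == 0;
}

/*
 * Interleaving modelled: the revalidate walk has loaded a pointer to `victim`
 * from the siblings list when concurrent scan work removes that namespace.
 * Returns true if `victim` is freed while the walk still dereferences it,
 * i.e. the use-after-free the commit message describes.
 */
static bool remove_races_with_walk(bool walker_holds_head_srcu,
                                   bool remover_syncs_head_srcu)
{
    struct ns other  = { .next = NULL,   .capacity = 100, .ready = true, .freed = false };
    struct ns victim = { .next = &other, .capacity = 50,  .ready = true, .freed = false };
    struct ns_head head = { .srcu = { 0 }, .list = &victim, .capacity = 100 };
    global_rcu.readers = 0;

    /* --- nvme_mpath_revalidate_paths() starts walking head->list --- */
    if (walker_holds_head_srcu)
        head.srcu.readers++;               /* srcu_read_lock(&head->srcu) (the fix) */
    struct ns *cur = head.list;            /* first iteration already holds &victim */

    /* --- concurrent scan work: nvme_ns_remove(&victim) --- */
    head.list = victim.next;               /* list_del_rcu(&ns->siblings) */
    struct rcu_domain *sync_on = remover_syncs_head_srcu ? &head.srcu   /* fixed */
                                                         : &global_rcu; /* original */
    if (grace_period_can_complete(sync_on))
        victim.freed = true;               /* grace period over: namespace freed */
    /* otherwise the kernel would block here until the walker exits its
     * read-side section, and the free would happen only after the walk */

    /* --- the walk continues with the pointer it already holds --- */
    bool uaf = false;
    for (; cur != NULL; cur = cur->next) {
        if (cur->freed) {                  /* reading capacity from freed memory */
            uaf = true;
            break;
        }
        /* the comparison that faulted in the oops above */
        if (cur->capacity != head.capacity)
            cur->ready = false;            /* clear_bit(NVME_NS_READY, &ns->flags) */
    }

    if (walker_holds_head_srcu)
        head.srcu.readers--;               /* srcu_read_unlock(&head->srcu, idx) */
    return uaf;
}

int main(void)
{
    const char *names[] = { "no", "yes" };
    for (int w = 0; w < 2; w++)
        for (int r = 0; r < 2; r++)
            printf("walker holds head srcu: %-3s  remover syncs head srcu: %-3s  -> UAF: %s\n",
                   names[w], names[r], remove_races_with_walk(w, r) ? "yes" : "no");
    return 0;
}
```

Of the four combinations only walker-holds-srcu plus remover-syncs-srcu is safe: holding the head's srcu in the walker is useless if the remover waits on the global RCU, and synchronizing the head's srcu in the remover is useless if the walker never entered it. That is why the fix touches both nvme_mpath_revalidate_paths() and nvme_ns_remove().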
Impact
Base Score 3.x
4.70
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15 (including) | 5.15.82 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.0.12 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:* | | |