CVE-2024-26757

Severity CVSS v4.0:
Pending analysis
Type:
CWE-404 Improper Resource Shutdown or Release
Publication date:
03/04/2024
Last modified:
04/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

md: Don't ignore read-only array in md_check_recovery()

Usually if the array is not read-write, md_check_recovery() won't register new sync_thread in the first place. And if the array is read-write and sync_thread is registered, md_set_readonly() will unregister sync_thread before setting the array read-only. md/raid follow this behavior hence there is no problem.

After commit f52f5c71f3d4 ("md: fix stopping sync thread"), following hang can be triggered by test shell/integrity-caching.sh:

1) array is read-only. dm-raid update super block:
rs_update_sbs
 ro = mddev->ro
 mddev->ro = 0
  -> set array read-write
 md_update_sb

2) register new sync thread concurrently.

3) dm-raid set array back to read-only:
rs_update_sbs
 mddev->ro = ro

4) stop the array:
raid_dtr
 md_stop
  stop_sync_thread
   set_bit(MD_RECOVERY_INTR, &mddev->recovery);
   md_wakeup_thread_directly(mddev->sync_thread);
   wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))

5) sync thread done:
md_do_sync
 set_bit(MD_RECOVERY_DONE, &mddev->recovery);
 md_wakeup_thread(mddev->thread);

6) daemon thread can't unregister sync thread:
md_check_recovery
 if (!md_is_rdwr(mddev) &&
     !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))
  return;
  -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;

The root cause is that dm-raid manipulates 'mddev->ro' by itself, however, dm-raid really should stop sync thread before setting the array read-only. Unfortunately, I need to read more code before I can refactor the handler of 'mddev->ro' in dm-raid, hence let's fix the problem the easy way for now to prevent dm-raid regression.
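A user-space C model of steps 1 to 6 above, added here as an illustration and not taken from the kernel or the upstream patch. The flag and field names follow the description; `struct mddev_model`, `check_recovery()`, `stop_would_hang()` and the `honor_done` switch are hypothetical, and letting MD_RECOVERY_DONE bypass the early return is an assumed remedy shown only for comparison.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed single-threaded model; only the flag names come from the advisory. */
enum { MD_RECOVERY_RUNNING = 1 << 0, MD_RECOVERY_INTR = 1 << 1,
       MD_RECOVERY_DONE = 1 << 2, MD_RECOVERY_NEEDED = 1 << 3 };

struct mddev_model { int ro; unsigned recovery; bool sync_thread; };

/* Daemon-thread check. honor_done=false models the early return quoted in
 * step 6; honor_done=true is an assumed variant that still reaps a finished
 * sync thread on a read-only array. */
static void check_recovery(struct mddev_model *m, bool honor_done)
{
    bool rdwr = (m->ro == 0);

    if (!rdwr && !(m->recovery & MD_RECOVERY_NEEDED) &&
        !(honor_done && (m->recovery & MD_RECOVERY_DONE)))
        return;                         /* read-only array is ignored */

    if (m->sync_thread && (m->recovery & MD_RECOVERY_DONE)) {
        m->sync_thread = false;         /* unregister the finished sync thread */
        m->recovery &= ~(MD_RECOVERY_RUNNING | MD_RECOVERY_INTR | MD_RECOVERY_DONE);
    }
}

/* Replays steps 1-6 in order; returns true if the waiter in step 4 never wakes. */
static bool stop_would_hang(bool honor_done)
{
    struct mddev_model m = { .ro = 1, .recovery = 0, .sync_thread = false };

    int ro = m.ro; m.ro = 0;            /* 1) rs_update_sbs: temporarily read-write */
    m.sync_thread = true;               /* 2) sync thread registered concurrently */
    m.recovery |= MD_RECOVERY_RUNNING;
    m.ro = ro;                          /* 3) read-only again, thread still registered */
    m.recovery |= MD_RECOVERY_INTR;     /* 4) stop_sync_thread, then waits for !RUNNING */
    m.recovery |= MD_RECOVERY_DONE;     /* 5) md_do_sync finishes and wakes the daemon */
    check_recovery(&m, honor_done);     /* 6) daemon thread runs md_check_recovery */

    return (m.recovery & MD_RECOVERY_RUNNING) != 0;
}

int main(void)
{
    printf("early return as quoted: hang=%d\n", stop_would_hang(false));
    printf("DONE honoured (assumed): hang=%d\n", stop_would_hang(true));
    return 0;
}
```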

Vulnerable products and versions

CPE                                                 From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        4.8 (including)   6.7.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*