CVE-2024-27031

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2024
Last modified:
23/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt

The loop inside nfs_netfs_issue_read() currently does not disable interrupts while iterating through pages in the xarray to submit for NFS read. This is not safe though since after taking xa_lock, another page in the mapping could be processed for writeback inside an interrupt, and deadlock can occur. The fix is simple and clean if we use xa_for_each_range(), which handles the iteration with RCU while reducing code complexity.

The problem is easily reproduced with the following test:

mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs
dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1
echo 3 > /proc/sys/vm/drop_caches
dd if=/mnt/nfs/file1.bin of=/dev/null
umount /mnt/nfs

On the console with a lockdep-enabled kernel a message similar to the following will be seen:

================================
WARNING: inconsistent lock state
6.7.0-lockdbg+ #10 Not tainted
--------------------------------
inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff888127baa598 (&xa->xa_lock#4){+.?.}-{3:3}, at: nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]
{IN-SOFTIRQ-W} state was registered at:
lock_acquire+0x144/0x380
_raw_spin_lock_irqsave+0x4e/0xa0
__folio_end_writeback+0x17e/0x5c0
folio_end_writeback+0x93/0x1b0
iomap_finish_ioend+0xeb/0x6a0
blk_update_request+0x204/0x7f0
blk_mq_end_request+0x30/0x1c0
blk_complete_reqs+0x7e/0xa0
__do_softirq+0x113/0x544
__irq_exit_rcu+0xfe/0x120
irq_exit_rcu+0xe/0x20
sysvec_call_function_single+0x6f/0x90
asm_sysvec_call_function_single+0x1a/0x20
pv_native_safe_halt+0xf/0x20
default_idle+0x9/0x20
default_idle_call+0x67/0xa0
do_idle+0x2b5/0x300
cpu_startup_entry+0x34/0x40
start_secondary+0x19d/0x1c0
secondary_startup_64_no_verify+0x18f/0x19b
irq event stamp: 176891
hardirqs last enabled at (176891): [] _raw_spin_unlock_irqrestore+0x44/0x60
hardirqs last disabled at (176890): [] _raw_spin_lock_irqsave+0x79/0xa0
softirqs last enabled at (176646): [] __irq_exit_rcu+0xfe/0x120
softirqs last disabled at (176633): [] __irq_exit_rcu+0xfe/0x120

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(&xa->xa_lock#4);

lock(&xa->xa_lock#4);

*** DEADLOCK ***

2 locks held by test5/1708:
#0: ffff888127baa498 (&sb->s_type->i_mutex_key#22){++++}-{4:4}, at: nfs_start_io_read+0x28/0x90 [nfs]
#1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: page_cache_ra_unbounded+0xa4/0x280

stack backtrace:
CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014
Call Trace:
dump_stack_lvl+0x5b/0x90
mark_lock+0xb3f/0xd20
__lock_acquire+0x77b/0x3360
_raw_spin_lock+0x34/0x80
nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]
netfs_begin_read+0x77f/0x980 [netfs]
nfs_netfs_readahead+0x45/0x60 [nfs]
nfs_readahead+0x323/0x5a0 [nfs]
read_pages+0xf3/0x5c0
page_cache_ra_unbounded+0x1c8/0x280
filemap_get_pages+0x38c/0xae0
filemap_read+0x206/0x5e0
nfs_file_read+0xb7/0x140 [nfs]
vfs_read+0x2a9/0x460
ksys_read+0xb7/0x140
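The lockdep rule behind the "inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage" warning above, as an added userspace model in C; it is not kernel code and not part of the fix commit, the type and function names (lock_class, lock_event, check_irq_safety, replay_cve_2024_27031) are assumptions, and the two acquisition sites are the ones named in the report.

```c
#include <stdio.h>

/* Two of the per-class usage bits lockdep tracks (simplified model). */
#define IN_SOFTIRQ_W  (1u << 0)  /* write-locked inside a softirq handler */
#define SOFTIRQ_ON_W  (1u << 1)  /* write-locked with softirqs enabled */

struct lock_class {              /* assumed name: one lockdep lock class */
    const char *name;
    unsigned int usage;          /* OR of the bits above, accumulated */
};

struct lock_event {              /* assumed name: one acquisition */
    const char *site;            /* acquiring function, for the report */
    int in_softirq;              /* 1 if acquired from softirq context */
    int softirqs_enabled;        /* 1 if softirqs were enabled when taken */
};

/* Records the acquisition and returns 1 if it makes the class's usage
 * inconsistent: a lock ever taken inside a softirq must never be taken with
 * softirqs enabled, because the softirq can interrupt the holder on the
 * same CPU and spin on the lock forever (the DEADLOCK scenario above). */
int check_irq_safety(struct lock_class *lc, const struct lock_event *ev)
{
    unsigned int new_bit = ev->in_softirq ? IN_SOFTIRQ_W
                         : ev->softirqs_enabled ? SOFTIRQ_ON_W : 0;
    unsigned int conflict = new_bit == IN_SOFTIRQ_W ? SOFTIRQ_ON_W
                          : new_bit == SOFTIRQ_ON_W ? IN_SOFTIRQ_W : 0;
    int bad = (lc->usage & conflict) != 0;
    if (bad)
        printf("WARNING: inconsistent lock state on %s at %s\n",
               lc->name, ev->site);
    lc->usage |= new_bit;
    return bad;
}

/* Replays the report: writeback completion takes xa_lock in a softirq, then
 * the read path takes it with softirqs enabled (fixed == 0, the bug). With
 * fixed == 1 the read path iterates under RCU via xa_for_each_range() and
 * never takes xa_lock at all. Returns 1 if the model flags a deadlock. */
int replay_cve_2024_27031(int fixed)
{
    struct lock_class xa_lock = { "&xa->xa_lock", 0 };
    struct lock_event writeback  = { "__folio_end_writeback", 1, 0 };
    struct lock_event issue_read = { "nfs_netfs_issue_read",  0, 1 };
    int bad = check_irq_safety(&xa_lock, &writeback);
    if (!fixed)
        bad |= check_irq_safety(&xa_lock, &issue_read);
    return bad;
}
```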

Vulnerable products and versions

CPE                                           From             Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.4 (including)  6.6.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.7 (including)  6.7.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.8 (including)  6.8.2 (excluding)