Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-47691

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
21/10/2024
Last modified:
23/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()<br /> <br /> syzbot reports a f2fs bug as below:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114<br /> print_report+0xe8/0x550 mm/kasan/report.c:491<br /> kasan_report+0x143/0x180 mm/kasan/report.c:601<br /> kasan_check_range+0x282/0x290 mm/kasan/generic.c:189<br /> instrument_atomic_read_write include/linux/instrumented.h:96 [inline]<br /> atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]<br /> __refcount_add include/linux/refcount.h:184 [inline]<br /> __refcount_inc include/linux/refcount.h:241 [inline]<br /> refcount_inc include/linux/refcount.h:258 [inline]<br /> get_task_struct include/linux/sched/task.h:118 [inline]<br /> kthread_stop+0xca/0x630 kernel/kthread.c:704<br /> f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210<br /> f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283<br /> f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]<br /> __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:907 [inline]<br /> __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> The root cause is below race condition, it may cause use-after-free<br /> issue in sbi-&gt;gc_th pointer.<br /> <br /> - remount<br /> - f2fs_remount<br /> - f2fs_stop_gc_thread<br /> - kfree(gc_th)<br /> - f2fs_ioc_shutdown<br /> - f2fs_do_shutdown<br /> - f2fs_stop_gc_thread<br /> - kthread_stop(gc_th-&gt;f2fs_gc_task)<br /> : sbi-&gt;gc_thread = NULL;<br /> <br /> We will call f2fs_do_shutdown() in two paths:<br /> - for f2fs_ioc_shutdown() path, we should grab sb-&gt;s_umount semaphore<br /> for fixing.<br /> - for f2fs_shutdown() path, it&amp;#39;s safe since caller has already grabbed<br /> sb-&gt;s_umount semaphore.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.16 (including) 6.6.54 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.10.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11 (including) 6.11.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools