CVE-2024-47706
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 21/10/2024
Last modified: 03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix possible UAF for bfqq->bic with merge chain

1) initial state, three tasks:

```
            Process 1       Process 2       Process 3
             (BIC1)          (BIC2)          (BIC3)
              |  Λ            |  Λ            |  Λ
              |  |            |  |            |  |
              V  |            V  |            V  |
              bfqq1           bfqq2           bfqq3
process ref:    1               1               1
```

2) bfqq1 merged to bfqq2:

```
            Process 1       Process 2       Process 3
             (BIC1)          (BIC2)          (BIC3)
              |               |               |  Λ
              \--------------\|               |  |
                              V               V  |
              bfqq1--------->bfqq2           bfqq3
process ref:    0               2               1
```

3) bfqq2 merged to bfqq3:

```
            Process 1       Process 2       Process 3
             (BIC1)          (BIC2)          (BIC3)
      here -> Λ               |               |
              \--------------\ \-------------\|
                              V               V
              bfqq1--------->bfqq2---------->bfqq3
process ref:    0               1               3
```

In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then
get bfqq3 through merge chain, and finally handle IO by bfqq3.
However, current code will think bfqq2 is owned by BIC1, like initial
state, and set bfqq2->bic to BIC1.

```
bfq_insert_request
-> by Process 1
  bfqq = bfq_init_rq(rq)
   bfqq = bfq_get_bfqq_handle_split
    bfqq = bic_to_bfqq
    -> get bfqq2 from BIC1
   bfqq->ref++
   rq->elv.priv[0] = bic
   rq->elv.priv[1] = bfqq
   if (bfqq_process_refs(bfqq) == 1)
    bfqq->bic = bic
    -> record BIC1 to bfqq2

  __bfq_insert_request
   new_bfqq = bfq_setup_cooperator
   -> get bfqq3 from bfqq2->new_bfqq
   bfqq_request_freed(bfqq)
   new_bfqq->ref++
   rq->elv.priv[1] = new_bfqq
   -> handle IO by bfqq3
```

Fix the problem by checking bfqq is from merge chain first. And this
might fix a following problem reported by our syzkaller (unreproducible):

```
==================================================================
BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595

CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_requeue_work
Call Trace:

 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x10d/0x610 mm/kasan/report.c:475
 kasan_report+0x8e/0xc0 mm/kasan/report.c:588
 bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
 bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
 bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
 bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
 bfq_init_rq block/bfq-iosched.c:6876 [inline]
 bfq_insert_request block/bfq-iosched.c:6254 [inline]
 bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
 blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
 blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
 worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
 kthread+0x33c/0x440 kernel/kthread.c:388
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305


Allocated by task 20776:
 kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:763 [inline]
 slab_alloc_node mm/slub.c:3458 [inline]
 kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
 ioc_create_icq block/blk-ioc.c:370 [inline]
---truncated---
```
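As an added illustration (not code from this page, the kernel, or the fix commits), a user-space C model of the three-step scenario above: it replays the two merges with the process-ref counts from the description and shows that the unfixed ownership check records BIC1 on bfqq2 even though the IO is actually handled by bfqq3. The `fixed` branch is an assumed form of the "check bfqq is from merge chain first" change, not the upstream patch, and the struct and helper names are simplified stand-ins.

```c
/* Constructed user-space model of the merge-chain ownership bug described
 * above (not kernel code): struct bfqq / struct bic stand in for
 * struct bfq_queue / struct bfq_io_cq, and merge() keeps only the ref
 * bookkeeping of bfq_setup_merge() + bfq_merge_bfqqs(). */
#include <stddef.h>
#include <stdbool.h>
struct bic { struct bfqq *bfqq; };  /* what bic_to_bfqq() returns */
struct bfqq {
	int process_refs;       /* what bfqq_process_refs() would report */
	struct bfqq *new_bfqq;  /* next hop of the merge chain, NULL if none */
	struct bic *bic;        /* io context recorded as owner, NULL if none */
};

/* Merge the queue behind bic b into "to": its process refs move to "to",
 * the bic is redirected (dropping its own ref) and the old queue keeps a
 * new_bfqq link so later lookups can follow the chain. */
static void merge(struct bic *b, struct bfqq *to)
{
	struct bfqq *from = b->bfqq;
	to->process_refs += from->process_refs;
	from->process_refs--;
	from->new_bfqq = to;
	b->bfqq = to;
}

/* Ownership step of bfq_init_rq(). Unfixed: one process ref is taken as
 * proof that bic owns the queue. Fixed (assumed shape of the "check merge
 * chain first" change): a queue already merged away is never claimed. */
static void record_owner(struct bfqq *q, struct bic *b, bool fixed)
{
	if (q->process_refs == 1 && !(fixed && q->new_bfqq))
		q->bic = b;
}

/* Replay steps 1-3 of the description, then let Process 1 issue IO.
 * Returns 1 if bfqq2 is recorded as owned by BIC1 (the stale owner KASAN
 * later trips over), 0 if it is left alone, -1 if IO did not reach bfqq3. */
static int bfqq2_claimed_by_bic1(bool fixed)
{
	struct bfqq q1 = {1, NULL, NULL}, q2 = q1, q3 = q1, *q, *handler;
	struct bic b1 = {&q1}, b2 = {&q2};
	merge(&b1, &q2);                /* step 2: refs 0 / 2 / 1 */
	merge(&b2, &q3);                /* step 3: refs 0 / 1 / 3 */
	q = b1.bfqq;                    /* bic_to_bfqq(BIC1) -> bfqq2, ref 1 */
	record_owner(q, &b1, fixed);    /* unfixed: sets bfqq2->bic = BIC1 */
	for (handler = q; handler->new_bfqq; handler = handler->new_bfqq)
		;                       /* bfq_setup_cooperator(): follow the chain */
	return handler != &q3 ? -1 : (q2.bic == &b1 ? 1 : 0);
}
```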
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.12 (including) | 5.10.227 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.168 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.113 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.54 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7
- https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048
- https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa
- https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5
- https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3
- https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587
- https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777
- https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0
- https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html