Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-53160

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
24/12/2024
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu<br /> <br /> KCSAN reports a data race when access the krcp-&gt;monitor_work.timer.expires<br /> variable in the schedule_delayed_monitor_work() function:<br /> <br /> <br /> BUG: KCSAN: data-race in __mod_timer / kvfree_call_rcu<br /> <br /> read to 0xffff888237d1cce8 of 8 bytes by task 10149 on cpu 1:<br /> schedule_delayed_monitor_work kernel/rcu/tree.c:3520 [inline]<br /> kvfree_call_rcu+0x3b8/0x510 kernel/rcu/tree.c:3839<br /> trie_update_elem+0x47c/0x620 kernel/bpf/lpm_trie.c:441<br /> bpf_map_update_value+0x324/0x350 kernel/bpf/syscall.c:203<br /> generic_map_update_batch+0x401/0x520 kernel/bpf/syscall.c:1849<br /> bpf_map_do_batch+0x28c/0x3f0 kernel/bpf/syscall.c:5143<br /> __sys_bpf+0x2e5/0x7a0<br /> __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]<br /> __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]<br /> __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5739<br /> x64_sys_call+0x2625/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:322<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> write to 0xffff888237d1cce8 of 8 bytes by task 56 on cpu 0:<br /> __mod_timer+0x578/0x7f0 kernel/time/timer.c:1173<br /> add_timer_global+0x51/0x70 kernel/time/timer.c:1330<br /> __queue_delayed_work+0x127/0x1a0 kernel/workqueue.c:2523<br /> queue_delayed_work_on+0xdf/0x190 kernel/workqueue.c:2552<br /> queue_delayed_work include/linux/workqueue.h:677 [inline]<br /> schedule_delayed_monitor_work kernel/rcu/tree.c:3525 [inline]<br /> kfree_rcu_monitor+0x5e8/0x660 kernel/rcu/tree.c:3643<br /> process_one_work kernel/workqueue.c:3229 [inline]<br /> process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3310<br /> worker_thread+0x51d/0x6f0 kernel/workqueue.c:3391<br /> kthread+0x1d1/0x210 kernel/kthread.c:389<br /> ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> Reported by Kernel Concurrency Sanitizer on:<br /> CPU: 0 UID: 0 PID: 56 Comm: kworker/u8:4 Not tainted 6.12.0-rc2-syzkaller-00050-g5b7c893ed5ed #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> Workqueue: events_unbound kfree_rcu_monitor<br /> <br /> <br /> kfree_rcu_monitor() rearms the work if a "krcp" has to be still<br /> offloaded and this is done without holding krcp-&gt;lock, whereas<br /> the kvfree_call_rcu() holds it.<br /> <br /> Fix it by acquiring the "krcp-&gt;lock" for kfree_rcu_monitor() so<br /> both functions do not race anymore.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 4.70 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
4.70
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.3 (including) 6.6.64 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12 (including) 6.12.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools