Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-53170

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/12/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: fix uaf for flush rq while iterating tags<br /> <br /> blk_mq_clear_flush_rq_mapping() is not called during scsi probe, by<br /> checking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared<br /> in del_gendisk by commit aec89dc5d421 ("block: keep q_usage_counter in<br /> atomic mode after del_gendisk"), hence for disk like scsi, following<br /> blk_mq_destroy_queue() will not clear flush rq from tags-&gt;rqs[] as well,<br /> cause following uaf that is found by our syzkaller for v6.6:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261<br /> Read of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909<br /> <br /> CPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32<br /> Workqueue: kblockd blk_mq_timeout_work<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106<br /> print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364<br /> print_report+0x3e/0x70 mm/kasan/report.c:475<br /> kasan_report+0xb8/0xf0 mm/kasan/report.c:588<br /> blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261<br /> bt_iter block/blk-mq-tag.c:288 [inline]<br /> __sbitmap_for_each_set include/linux/sbitmap.h:295 [inline]<br /> sbitmap_for_each_set include/linux/sbitmap.h:316 [inline]<br /> bt_for_each+0x455/0x790 block/blk-mq-tag.c:325<br /> blk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534<br /> blk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673<br /> process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631<br /> process_scheduled_works kernel/workqueue.c:2704 [inline]<br /> worker_thread+0x804/0xe40 kernel/workqueue.c:2785<br /> kthread+0x346/0x450 kernel/kthread.c:388<br /> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293<br /> <br /> Allocated by task 942:<br /> kasan_save_stack+0x22/0x50 mm/kasan/common.c:45<br /> kasan_set_track+0x25/0x30 mm/kasan/common.c:52<br /> ____kasan_kmalloc mm/kasan/common.c:374 [inline]<br /> __kasan_kmalloc mm/kasan/common.c:383 [inline]<br /> __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380<br /> kasan_kmalloc include/linux/kasan.h:198 [inline]<br /> __do_kmalloc_node mm/slab_common.c:1007 [inline]<br /> __kmalloc_node+0x69/0x170 mm/slab_common.c:1014<br /> kmalloc_node include/linux/slab.h:620 [inline]<br /> kzalloc_node include/linux/slab.h:732 [inline]<br /> blk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499<br /> blk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788<br /> blk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261<br /> blk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294<br /> blk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350<br /> blk_mq_init_queue_data block/blk-mq.c:4166 [inline]<br /> blk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176<br /> scsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335<br /> scsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189<br /> __scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727<br /> scsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline]<br /> scsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791<br /> scsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844<br /> scsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151<br /> store_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191<br /> dev_attr_store+0x5c/0x90 drivers/base/core.c:2388<br /> sysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136<br /> kernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338<br /> call_write_iter include/linux/fs.h:2083 [inline]<br /> new_sync_write+0x1b4/0x2d0 fs/read_write.c:493<br /> vfs_write+0x76c/0xb00 fs/read_write.c:586<br /> ksys_write+0x127/0x250 fs/read_write.c:639<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81<br /> entry_SYSCALL_64_after_hwframe+0x78/0xe2<br /> <br /> Freed by task 244687:<br /> kasan_save_stack+0x22/0x50 mm/kasan/common.c:45<br /> kasan_set_track+0x25/0x30 mm/kasan/common.c:52<br /> kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522<br /> ____kasan_slab_free mm/kasan/common.c:236 [inline]<br /> __kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244<br /> kasan_slab_free include/linux/kasan.h:164 [in<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.19 (including) 6.11.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12 (including) 6.12.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools