CVE-2024-40998

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 12/07/2024
Last modified: 25/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()

In the following concurrency we will access the uninitialized rs->lock:

ext4_fill_super
  ext4_register_sysfs
  // sysfs registered msg_ratelimit_interval_ms
                            // Other processes modify rs->interval to
                            // non-zero via msg_ratelimit_interval_ms
  ext4_orphan_cleanup
    ext4_msg(sb, KERN_INFO, "Errors on filesystem, "
      __ext4_msg
        ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)
          if (!rs->interval)  // do nothing if interval is 0
            return 1;
          raw_spin_trylock_irqsave(&rs->lock, flags)
            raw_spin_trylock(lock)
              _raw_spin_trylock
                __raw_spin_trylock
                  spin_acquire(&lock->dep_map, 0, 1, _RET_IP_)
                    lock_acquire
                      __lock_acquire
                        register_lock_class
                          assign_lock_key
                            dump_stack();
  ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);
    raw_spin_lock_init(&rs->lock);
    // init rs->lock here

and get the following dump_stack:

=========================================================
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504
[...]
Call Trace:
 dump_stack_lvl+0xc5/0x170
 dump_stack+0x18/0x30
 register_lock_class+0x740/0x7c0
 __lock_acquire+0x69/0x13a0
 lock_acquire+0x120/0x450
 _raw_spin_trylock+0x98/0xd0
 ___ratelimit+0xf6/0x220
 __ext4_msg+0x7f/0x160 [ext4]
 ext4_orphan_cleanup+0x665/0x740 [ext4]
 __ext4_fill_super+0x21ea/0x2b10 [ext4]
 ext4_fill_super+0x14d/0x360 [ext4]
[...]
=========================================================

Normally interval is 0 until s_msg_ratelimit_state is initialized, so
___ratelimit() does nothing. But registering sysfs precedes initializing
rs->lock, so it is possible to change rs->interval to a non-zero value
via the msg_ratelimit_interval_ms interface of sysfs while rs->lock is
uninitialized, and then a call to ext4_msg triggers the problem by
accessing an uninitialized rs->lock. Therefore register sysfs after all
initializations are complete to avoid such problems.
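The following is an added user-space model of the ordering bug described above; it is not kernel code and not part of the fix. A boolean stands in for lockdep's knowledge of the lock key, and a direct function call stands in for another process writing msg_ratelimit_interval_ms, so the race is replayed deterministically in both the vulnerable and the corrected order.

```c
#include <stdbool.h>
/* Added user-space model of the advisory's ordering bug, not kernel code.
 * lock_initialized stands in for lockdep knowing the lock key; a direct
 * call stands in for another process writing msg_ratelimit_interval_ms. */
struct ratelimit_state {
    bool lock_initialized;  /* set by raw_spin_lock_init() */
    int interval;           /* 0 until ratelimit_state_init() */
};

/* 1: message allowed; -1: lock used before init (lockdep's complaint). */
static int ___ratelimit(struct ratelimit_state *rs)
{
    if (!rs->interval)          /* do nothing if interval is 0 */
        return 1;
    if (!rs->lock_initialized)  /* raw_spin_trylock_irqsave(&rs->lock) */
        return -1;
    return 1;
}

static void ratelimit_state_init(struct ratelimit_state *rs, int interval)
{
    rs->lock_initialized = true;    /* raw_spin_lock_init(&rs->lock) */
    rs->interval = interval;
}

/* Writer through sysfs: only possible once ext4_register_sysfs() ran. */
static void sysfs_write_interval(struct ratelimit_state *rs, bool registered, int ms)
{
    if (registered)
        rs->interval = ms;
}

/* Vulnerable order: sysfs registered, then ext4_orphan_cleanup() calls
 * ext4_msg(), and only afterwards the state is initialized. Returns -1. */
int fill_super_buggy(void)
{
    struct ratelimit_state rs = {0};
    sysfs_write_interval(&rs, true, 5000);  /* after ext4_register_sysfs() */
    int r = ___ratelimit(&rs);              /* ext4_msg() from orphan cleanup */
    ratelimit_state_init(&rs, 5000);        /* too late */
    return r;
}

/* Fixed order: initialize everything, then expose sysfs. Returns 1. */
int fill_super_fixed(void)
{
    struct ratelimit_state rs = {0};
    ratelimit_state_init(&rs, 5000);
    sysfs_write_interval(&rs, true, 5000);
    return ___ratelimit(&rs);
}
```

The -1 from fill_super_buggy() corresponds to the lockdep report in the trace above; the same writer in fill_super_fixed() is harmless because the lock already exists when the message path runs.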

Vulnerable products and versions

CPE                                             From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*                      6.6.36 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7 (including)   6.9.7 (excluding)