Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-44941

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
26/08/2024
Last modified:
12/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to cover read extent cache access with lock<br /> <br /> syzbot reports a f2fs bug as below:<br /> <br /> BUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46<br /> Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097<br /> <br /> CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:488<br /> kasan_report+0x143/0x180 mm/kasan/report.c:601<br /> sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46<br /> do_read_inode fs/f2fs/inode.c:509 [inline]<br /> f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560<br /> f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237<br /> generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413<br /> exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444<br /> exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584<br /> do_handle_to_path fs/fhandle.c:155 [inline]<br /> handle_to_path fs/fhandle.c:210 [inline]<br /> do_handle_open+0x495/0x650 fs/fhandle.c:226<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> We missed to cover sanity_check_extent_cache() w/ extent cache lock,<br /> so, below race case may happen, result in use after free issue.<br /> <br /> - f2fs_iget<br /> - do_read_inode<br /> - f2fs_init_read_extent_tree<br /> : add largest extent entry in to cache<br /> - shrink<br /> - f2fs_shrink_read_extent_tree<br /> - __shrink_extent_tree<br /> - __detach_extent_node<br /> : drop largest extent entry<br /> - sanity_check_extent_cache<br /> : access et-&gt;largest w/o lock<br /> <br /> let&amp;#39;s refactor sanity_check_extent_cache() to avoid extent cache access<br /> and call it before f2fs_init_read_extent_tree() to fix this issue.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.47 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.10.6 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools