fkie_cve-2024-53216
Vulnerability from fkie_nvd
Published
2024-12-27 14:15
Modified
2025-02-11 16:15
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: nfsd: release svc_expkey/svc_export with rcu_work The last reference for `cache_head` can be reduced to zero in `c_show` and `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently, `svc_export_put` and `expkey_put` will be invoked, leading to two issues: 1. The `svc_export_put` will directly free ex_uuid. However, `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can trigger a use-after-free issue, shown below. ================================================================== BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd] Read of size 1 at addr ff11000010fdc120 by task cat/870 CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_address_description.constprop.0+0x2c/0x3a0 print_report+0xb9/0x280 kasan_report+0xae/0xe0 svc_export_show+0x362/0x430 [nfsd] c_show+0x161/0x390 [sunrpc] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 proc_reg_read+0xe1/0x140 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 830: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc_node_track_caller_noprof+0x1bc/0x400 kmemdup_noprof+0x22/0x50 svc_export_parse+0x8a9/0xb80 [nfsd] cache_do_downcall+0x71/0xa0 [sunrpc] cache_write_procfs+0x8e/0xd0 [sunrpc] proc_reg_write+0xe1/0x140 vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 868: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kfree+0xf3/0x3e0 svc_export_put+0x87/0xb0 [nfsd] cache_purge+0x17f/0x1f0 [sunrpc] nfsd_destroy_serv+0x226/0x2d0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e 2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`. However, `svc_export_put`/`expkey_put` will call path_put, which subsequently triggers a sleeping operation due to the following `dput`. ============================= WARNING: suspicious RCU usage 5.10.0-dirty #141 Not tainted ----------------------------- ... Call Trace: dump_stack+0x9a/0xd0 ___might_sleep+0x231/0x240 dput+0x39/0x600 path_put+0x1b/0x30 svc_export_put+0x17/0x80 e_show+0x1c9/0x200 seq_read_iter+0x63f/0x7c0 seq_read+0x226/0x2d0 vfs_read+0x113/0x2c0 ksys_read+0xc9/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Fix these issues by using `rcu_work` to help release `svc_expkey`/`svc_export`. This approach allows for an asynchronous context to invoke `path_put` and also facilitates the freeing of `uuid/exp/key` after an RCU grace period.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2e4854599200f4d021df8ae17e69221d7c149f3e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ad4363a24a5746b257c0beb5d8cc68f9b62c173f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bd8524148dd8c123334b066faa90590ba2ef8e6f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f8c989a0c89a75d30f899a7cabdc14d72522bb8d
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: release svc_expkey/svc_export with rcu_work\n\nThe last reference for `cache_head` can be reduced to zero in `c_show`\nand `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently,\n`svc_export_put` and `expkey_put` will be invoked, leading to two\nissues:\n\n1. The `svc_export_put` will directly free ex_uuid. However,\n   `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can\n   trigger a use-after-free issue, shown below.\n\n   ==================================================================\n   BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]\n   Read of size 1 at addr ff11000010fdc120 by task cat/870\n\n   CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1\n   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n   1.16.1-2.fc37 04/01/2014\n   Call Trace:\n    \u003cTASK\u003e\n    dump_stack_lvl+0x53/0x70\n    print_address_description.constprop.0+0x2c/0x3a0\n    print_report+0xb9/0x280\n    kasan_report+0xae/0xe0\n    svc_export_show+0x362/0x430 [nfsd]\n    c_show+0x161/0x390 [sunrpc]\n    seq_read_iter+0x589/0x770\n    seq_read+0x1e5/0x270\n    proc_reg_read+0xe1/0x140\n    vfs_read+0x125/0x530\n    ksys_read+0xc1/0x160\n    do_syscall_64+0x5f/0x170\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n   Allocated by task 830:\n    kasan_save_stack+0x20/0x40\n    kasan_save_track+0x14/0x30\n    __kasan_kmalloc+0x8f/0xa0\n    __kmalloc_node_track_caller_noprof+0x1bc/0x400\n    kmemdup_noprof+0x22/0x50\n    svc_export_parse+0x8a9/0xb80 [nfsd]\n    cache_do_downcall+0x71/0xa0 [sunrpc]\n    cache_write_procfs+0x8e/0xd0 [sunrpc]\n    proc_reg_write+0xe1/0x140\n    vfs_write+0x1a5/0x6d0\n    ksys_write+0xc1/0x160\n    do_syscall_64+0x5f/0x170\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n   Freed by task 868:\n    kasan_save_stack+0x20/0x40\n    kasan_save_track+0x14/0x30\n    kasan_save_free_info+0x3b/0x60\n    __kasan_slab_free+0x37/0x50\n    kfree+0xf3/0x3e0\n    svc_export_put+0x87/0xb0 [nfsd]\n    cache_purge+0x17f/0x1f0 [sunrpc]\n    nfsd_destroy_serv+0x226/0x2d0 [nfsd]\n    nfsd_svc+0x125/0x1e0 [nfsd]\n    write_threads+0x16a/0x2a0 [nfsd]\n    nfsctl_transaction_write+0x74/0xa0 [nfsd]\n    vfs_write+0x1a5/0x6d0\n    ksys_write+0xc1/0x160\n    do_syscall_64+0x5f/0x170\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`.\n   However, `svc_export_put`/`expkey_put` will call path_put, which\n   subsequently triggers a sleeping operation due to the following\n   `dput`.\n\n   =============================\n   WARNING: suspicious RCU usage\n   5.10.0-dirty #141 Not tainted\n   -----------------------------\n   ...\n   Call Trace:\n   dump_stack+0x9a/0xd0\n   ___might_sleep+0x231/0x240\n   dput+0x39/0x600\n   path_put+0x1b/0x30\n   svc_export_put+0x17/0x80\n   e_show+0x1c9/0x200\n   seq_read_iter+0x63f/0x7c0\n   seq_read+0x226/0x2d0\n   vfs_read+0x113/0x2c0\n   ksys_read+0xc9/0x170\n   do_syscall_64+0x33/0x40\n   entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nFix these issues by using `rcu_work` to help release\n`svc_expkey`/`svc_export`. This approach allows for an asynchronous\ncontext to invoke `path_put` and also facilitates the freeing of\n`uuid/exp/key` after an RCU grace period."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfsd: release svc_expkey/svc_export with rcu_work La \u00faltima referencia para `cache_head` se puede reducir a cero en `c_show` y `e_show` (usando `rcu_read_lock` y `rcu_read_unlock`). En consecuencia, se invocar\u00e1n `svc_export_put` y `expkey_put`, lo que provocar\u00e1 dos problemas: 1. `svc_export_put` liberar\u00e1 directamente ex_uuid. Sin embargo, `e_show`/`c_show` acceder\u00e1 a `ex_uuid` despu\u00e9s de `cache_put`, lo que puede desencadenar un problema de use-after-free, que se muestra a continuaci\u00f3n. ====================================================================== ERROR: KASAN: slab-use-after-free en svc_export_show+0x362/0x430 [nfsd] Lectura de tama\u00f1o 1 en la direcci\u00f3n ff11000010fdc120 por la tarea cat/870 CPU: 1 UID: 0 PID: 870 Comm: cat No contaminado 6.12.0-rc3+ #1 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Seguimiento de llamadas:  dump_stack_lvl+0x53/0x70 imprimir_direcci\u00f3n_descripci\u00f3n.constprop.0+0x2c/0x3a0 imprimir_informe+0xb9/0x280 kasan_informe+0xae/0xe0 svc_export_show+0x362/0x430 [nfsd] c_show+0x161/0x390 [sunrpc] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 proc_reg_read+0xe1/0x140 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 hacer_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Asignado por la tarea 830: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc_node_track_caller_noprof+0x1bc/0x400 kmemdup_noprof+0x22/0x50 svc_export_parse+0x8a9/0xb80 [nfsd] cache_do_downcall+0x71/0xa0 [sunrpc] cache_write_procfs+0x8e/0xd0 [sunrpc] proc_reg_write+0xe1/0x140 vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Liberado por la tarea 868: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kfree+0xf3/0x3e0 svc_export_put+0x87/0xb0 [nfsd] cache_purge+0x17f/0x1f0 [sunrpc] nfsd_destroy_serv+0x226/0x2d0 [nfsd] 2. No podemos dormir mientras usamos `rcu_read_lock`/`rcu_read_unlock`. Sin embargo, `svc_export_put`/`expkey_put` llamar\u00e1 a path_put, que posteriormente activa una operaci\u00f3n de dormir debido al siguiente `dput`. ============================== ADVERTENCIA: uso sospechoso de RCU 5.10.0-dirty #141 No contaminado ----------------------------- ... Seguimiento de llamadas: dump_stack+0x9a/0xd0 ___might_sleep+0x231/0x240 dput+0x39/0x600 path_put+0x1b/0x30 svc_export_put+0x17/0x80 e_show+0x1c9/0x200 seq_read_iter+0x63f/0x7c0 seq_read+0x226/0x2d0 vfs_read+0x113/0x2c0 ksys_read+0xc9/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Solucione estos problemas utilizando `rcu_work` para ayudar a liberar `svc_expkey`/`svc_export`. Este enfoque permite que un contexto asincr\u00f3nico invoque `path_put` y tambi\u00e9n facilita la liberaci\u00f3n de `uuid/exp/key` despu\u00e9s de un per\u00edodo de gracia de RCU."
    }
  ],
  "id": "CVE-2024-53216",
  "lastModified": "2025-02-11T16:15:42.013",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-27T14:15:29.587",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2e4854599200f4d021df8ae17e69221d7c149f3e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ad4363a24a5746b257c0beb5d8cc68f9b62c173f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/bd8524148dd8c123334b066faa90590ba2ef8e6f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f8c989a0c89a75d30f899a7cabdc14d72522bb8d"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.