ghsa-5vqw-wppf-x433
Vulnerability from github
Published
2024-08-07 18:30
Modified
2024-08-08 15:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

libceph: fix race between delayed_work() and ceph_monc_stop()

The way the delayed work is handled in ceph_monc_stop() is prone to races with mon_fault() and possibly also finish_hunting(). Both of these can requeue the delayed work which wouldn't be canceled by any of the following code in case that happens after cancel_delayed_work_sync() runs -- __close_session() doesn't mess with the delayed work in order to avoid interfering with the hunting interval logic. This part was missed in commit b5d91704f53e ("libceph: behave in mon_fault() if cur_mon < 0") and use-after-free can still ensue on monc and objects that hang off of it, with monc->auth and monc->monmap being particularly susceptible to quickly being reused.

To fix this:

  • clear monc->cur_mon and monc->hunting as part of closing the session in ceph_monc_stop()
  • bail from delayed_work() if monc->cur_mon is cleared, similar to how it's done in mon_fault() and finish_hunting() (based on monc->hunting)
  • call cancel_delayed_work_sync() after the session is closed
Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-42232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-07T16:15:46Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix race between delayed_work() and ceph_monc_stop()\n\nThe way the delayed work is handled in ceph_monc_stop() is prone to\nraces with mon_fault() and possibly also finish_hunting().  Both of\nthese can requeue the delayed work which wouldn\u0027t be canceled by any of\nthe following code in case that happens after cancel_delayed_work_sync()\nruns -- __close_session() doesn\u0027t mess with the delayed work in order\nto avoid interfering with the hunting interval logic.  This part was\nmissed in commit b5d91704f53e (\"libceph: behave in mon_fault() if\ncur_mon \u003c 0\") and use-after-free can still ensue on monc and objects\nthat hang off of it, with monc-\u003eauth and monc-\u003emonmap being\nparticularly susceptible to quickly being reused.\n\nTo fix this:\n\n- clear monc-\u003ecur_mon and monc-\u003ehunting as part of closing the session\n  in ceph_monc_stop()\n- bail from delayed_work() if monc-\u003ecur_mon is cleared, similar to how\n  it\u0027s done in mon_fault() and finish_hunting() (based on monc-\u003ehunting)\n- call cancel_delayed_work_sync() after the session is closed",
  "id": "GHSA-5vqw-wppf-x433",
  "modified": "2024-08-08T15:31:28Z",
  "published": "2024-08-07T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42232"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/20cf67dcb7db842f941eff1af6ee5e9dc41796d7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d33654d40a05afd91ab24c9a73ab512a0670a9a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/33d38c5da17f8db2d80e811b7829d2822c10625e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/34b76d1922e41da1fa73d43b764cddd82ac9733c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/63e5d035e3a7ab7412a008f202633c5e6a0a28ea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9525af1f58f67df387768770fcf6d6a8f23aee3d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.