CVE-2024-36478

In the Linux kernel, the following vulnerability has been resolved: null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' Writing 'power' and 'submit_queues' concurrently will trigger kernel panic: Test script: modprobe null_blk nr_devices=0 mkdir -p /sys/kernel/config/nullb/nullb0 while true; do echo 1 > submit_queues; echo 4 > submit_queues; done & while true; do echo 1 > power; echo 0 > power; done Test result: BUG: kernel NULL pointer dereference, address: 0000000000000148 Oops: 0000 [#1] PREEMPT SMP RIP: 0010:__lock_acquire+0x41d/0x28f0 Call Trace: <TASK> lock_acquire+0x121/0x450 down_write+0x5f/0x1d0 simple_recursive_removal+0x12f/0x5c0 blk_mq_debugfs_unregister_hctxs+0x7c/0x100 blk_mq_update_nr_hw_queues+0x4a3/0x720 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x79/0xf0 [null_blk] configfs_write_iter+0x119/0x1e0 vfs_write+0x326/0x730 ksys_write+0x74/0x150 This is because del_gendisk() can concurrent with blk_mq_update_nr_hw_queues(): nullb_device_power_store nullb_apply_submit_queues null_del_dev del_gendisk nullb_update_nr_hw_queues if (!dev->nullb) // still set while gendisk is deleted return 0 blk_mq_update_nr_hw_queues dev->nullb = NULL Fix this problem by resuing the global mutex to protect nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47	Patch
https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2	Patch
https://git.kernel.org/stable/c/aaadb755f2d684f715a6eb85cb7243aa0c67dfa9
https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47	Patch
https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:22

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47 - Patch~~	() https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47 - Patch
References	~~() https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2 - Patch~~	() https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2 - Patch

10 Oct 2024, 12:15

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/aaadb755f2d684f715a6eb85cb7243aa0c67dfa9 -

09 Sep 2024, 13:30

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: null_blk: corrige la dereferencia null-ptr al configurar 'power' y 'submit_queues'. Escribir 'power' y 'submit_queues' simultáneamente provocará un pánico en el kernel: Script de prueba: modprobe null_blk nr_devices= 0 mkdir -p /sys/kernel/config/nullb/nullb0 mientras sea verdadero; hacer eco 1 > enviar_queues; eco 4 > enviar_colas; hecho y mientras sea cierto; hacer eco 1 > potencia; eco 0 > potencia; hecho Resultado de la prueba: ERROR: desreferencia del puntero NULL del kernel, dirección: 0000000000000148 Ups: 0000 [#1] RIP SMP PREEMPLEADO: 0010:__lock_acquire+0x41d/0x28f0 Seguimiento de llamada: lock_acquire+0x121/0x450 down_write+0x5f/0x1d0 simple_recursive _eliminación+ 0x12f/0x5c0 blk_mq_debugfs_unregister_hctxs+0x7c/0x100 blk_mq_update_nr_hw_queues+0x4a3/0x720 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] /0xf0 [null_blk] configfs_write_iter+0x119/0x1e0 vfs_write+0x326/0x730 ksys_write+0x74/0x150 Esto se debe a que del_gendisk() puede concurrente con blk_mq_update_nr_hw_queues(): nullb_device_power_store nullb_apply_submit_queues null_del_dev del_gendisk nullb_update_nr_hw_queues if (!dev->nullb) // todavía está configurado mientras se elimina gendisk return 0 blk_mq_update_nr_hw_queues dev->nullb = NULL Fix este problema reutilizando el mutex global para proteger nullb_device_power_store() y nullb_update_nr_hw_queues() de configfs.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
First Time		Linux linux Kernel Linux
CPE		cpe:2.3:o:linux:linux_kernel::::::::
CWE		CWE-476
References	~~() https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47 -~~	() https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47 - Patch
References	~~() https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2 -~~	() https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2 - Patch

21 Jun 2024, 11:22

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-21 11:15

Updated : 2024-11-21 09:22

NVD link : CVE-2024-36478

Mitre link : CVE-2024-36478

CVE.ORG link : CVE-2024-36478

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

5.5 /10