CVE-2024-49903

{"id": "CVE-2024-49903", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2024-10-21T18:15:12.873", "references": [{"url": "https://git.kernel.org/stable/c/0c238da83f56bb895cab1e5851d034ac45b158d1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3126ccde51f51b0648c8cdccaf916e8bd062e972", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4218b31ecc7af7e191768d32e32ed4386d8f9b76", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4ac58f7734937f3249da734ede946dfb3b1af5e4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/95accb7183badca387f7a8d19a2475cf3089f148", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a9603a6f75df2fd8125cd208c98cfaa0fe3f7505", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e7ae14f7ee76c6ef5a48aebab1a278ad78f42619", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fd026b6b6758d5569705c02540b40f3bbf822b9a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix uaf in dbFreeBits\n\n[syzbot reported]\n==================================================================\nBUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]\nBUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752\nRead of size 8 at addr ffff8880229254b0 by task syz-executor357/5216\n\nCPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n __mutex_lock_common kernel/locking/mutex.c:587 [inline]\n __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752\n dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390\n dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]\n dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409\n dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650\n jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100\n jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n\nFreed by task 5218:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n poison_slab_object+0xe0/0x150 mm/kasan/common.c:240\n __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256\n kasan_slab_free include/linux/kasan.h:184 [inline]\n slab_free_hook mm/slub.c:2252 [inline]\n slab_free mm/slub.c:4473 [inline]\n kfree+0x149/0x360 mm/slub.c:4594\n dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278\n jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247\n jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454\n reconfigure_super+0x445/0x880 fs/super.c:1083\n vfs_cmd_reconfigure fs/fsopen.c:263 [inline]\n vfs_fsconfig_locked fs/fsopen.c:292 [inline]\n __do_sys_fsconfig fs/fsopen.c:473 [inline]\n __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[Analysis]\nThere are two paths (dbUnmount and jfs_ioc_trim) that generate race\ncondition when accessing bmap, which leads to the occurrence of uaf.\n\nUse the lock s_umount to synchronize them, in order to avoid uaf caused\nby race condition."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jfs: Correcci\u00f3n de uaf en dbFreeBits [informado por syzbot] ====================================================================== ERROR: KASAN: slab-use-after-free en __mutex_lock_common kernel/locking/mutex.c:587 [en l\u00ednea] ERROR: KASAN: slab-use-after-free en __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff8880229254b0 por la tarea syz-executor357/5216 CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 No contaminado 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 27/06/2024 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:93 [en l\u00ednea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [en l\u00ednea] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 __mutex_lock_common kernel/locking/mutex.c:587 [en l\u00ednea] __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [en l\u00ednea] dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409 dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650 jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100 jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [en l\u00ednea] __do_sys_ioctl fs/ioctl.c:907 [en l\u00ednea] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 Liberado por la tarea 5218: kasan_save_stack mm/kasan/common.c:47 [en l\u00ednea] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [en l\u00ednea] slab_free_hook mm/slub.c:2252 [en l\u00ednea] slab_free mm/slub.c:4473 [en l\u00ednea] kfree+0x149/0x360 mm/slub.c:4594 dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278 jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247 jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454 reconfigure_super+0x445/0x880 fs/super.c:1083 vfs_cmd_reconfigure fs/fsopen.c:263 [en l\u00ednea] vfs_fsconfig_locked fs/fsopen.c:292 [en l\u00ednea] __do_sys_fsconfig fs/fsopen.c:473 [en l\u00ednea] __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [An\u00e1lisis] Hay dos rutas (dbUnmount y jfs_ioc_trim) que generan una condici\u00f3n de ejecuci\u00f3n al acceder a bmap, lo que lleva a la ocurrencia de uaf. Utilice el bloqueo s_umount para sincronizarlas, a fin de evitar uaf causado por una condici\u00f3n de ejecuci\u00f3n."}], "lastModified": "2024-11-08T16:15:31.467", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB525A44-6338-4857-AD90-EA2860D1AD1F", "versionEndExcluding": "5.10.227"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D51C05D-455B-4D8D-89E7-A58E140B864C", "versionEndExcluding": "5.15.168", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D01BD22E-ACD1-4618-9D01-6116570BE1EE", "versionEndExcluding": "6.1.113", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E90B9576-56C4-47BC-AAB0-C5B2D438F5D0", "versionEndExcluding": "6.6.55", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C16BCE0-FFA0-4599-BE0A-1FD65101C021", "versionEndExcluding": "6.10.14", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "54D9C704-D679-41A7-9C40-10A6B1E7FFE9", "versionEndExcluding": "6.11.3", "versionStartIncluding": "6.11"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}