{"uuid": "549f6348-5bd9-4dbd-94b4-19c09c32162f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-50121", "type": "seen", "source": "https://t.me/cvedetector/9930", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-50121 - Linux NFSd Use-After-Free Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-50121 \nPublished : Nov. 5, 2024, 6:15 p.m. | 22\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nnfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net  \n  \nIn the normal case, when we execute `echo 0 > /proc/fs/nfsd/threads`, the  \nfunction `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will  \nrelease all resources related to the hashed `nfs4_client`. If the  \n`nfsd_client_shrinker` is running concurrently, the `expire_client`  \nfunction will first unhash this client and then destroy it. This can  \nlead to the following warning. Additionally, numerous use-after-free  \nerrors may occur as well.  \n  \nnfsd_client_shrinker         echo 0 > /proc/fs/nfsd/threads  \n  \nexpire_client                nfsd_shutdown_net  \n  unhash_client                ...  
\n                               nfs4_state_shutdown_net  \n                                 /* won't wait shrinker exit */  \n  /*                             cancel_work(&nn->nfsd_shrinker_work)  \n   * nfsd_file for this          /* won't destroy unhashed client1 */  \n   * client1 still alive         nfs4_state_destroy_net  \n   */  \n  \n                               nfsd_file_cache_shutdown  \n                                 /* trigger warning */  \n                                 kmem_cache_destroy(nfsd_file_slab)  \n                                 kmem_cache_destroy(nfsd_file_mark_slab)  \n  /* release nfsd_file and mark */  \n  __destroy_client  \n  \n====================================================================  \nBUG nfsd_file (Not tainted): Objects remaining in nfsd_file on  \n__kmem_cache_shutdown()  \n--------------------------------------------------------------------  \nCPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1  \n  \n dump_stack_lvl+0x53/0x70  \n slab_err+0xb0/0xf0  \n __kmem_cache_shutdown+0x15c/0x310  \n kmem_cache_destroy+0x66/0x160  \n nfsd_file_cache_shutdown+0xac/0x210 [nfsd]  \n nfsd_destroy_serv+0x251/0x2a0 [nfsd]  \n nfsd_svc+0x125/0x1e0 [nfsd]  \n write_threads+0x16a/0x2a0 [nfsd]  \n nfsctl_transaction_write+0x74/0xa0 [nfsd]  \n vfs_write+0x1a5/0x6d0  \n ksys_write+0xc1/0x160  \n do_syscall_64+0x5f/0x170  \n entry_SYSCALL_64_after_hwframe+0x76/0x7e  \n  \n====================================================================  \nBUG nfsd_file_mark (Tainted: G    B   W         ): Objects remaining  \nnfsd_file_mark on __kmem_cache_shutdown()  \n--------------------------------------------------------------------  \n  \n dump_stack_lvl+0x53/0x70  \n slab_err+0xb0/0xf0  \n __kmem_cache_shutdown+0x15c/0x310  \n kmem_cache_destroy+0x66/0x160  \n nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]  \n nfsd_destroy_serv+0x251/0x2a0 [nfsd]  \n nfsd_svc+0x125/0x1e0 [nfsd]  \n write_threads+0x16a/0x2a0 [nfsd]  \n 
nfsctl_transaction_write+0x74/0xa0 [nfsd]  \n vfs_write+0x1a5/0x6d0  \n ksys_write+0xc1/0x160  \n do_syscall_64+0x5f/0x170  \n entry_SYSCALL_64_after_hwframe+0x76/0x7e  \n  \nTo resolve this issue, cancel `nfsd_shrinker_work` using synchronous  \nmode in nfs4_state_shutdown_net. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"05 Nov 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-11-05T19:44:35.000000Z"}