CVE-2024-53216
Vulnerability from cvelistv5
Published
2024-12-27 13:50
Modified
2024-12-27 13:50
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: release svc_expkey/svc_export with rcu_work
The last reference for `cache_head` can be reduced to zero in `c_show`
and `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently,
`svc_export_put` and `expkey_put` will be invoked, leading to two
issues:
1. The `svc_export_put` will directly free ex_uuid. However,
`e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can
trigger a use-after-free issue, shown below.
==================================================================
BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]
Read of size 1 at addr ff11000010fdc120 by task cat/870
CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.1-2.fc37 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x53/0x70
print_address_description.constprop.0+0x2c/0x3a0
print_report+0xb9/0x280
kasan_report+0xae/0xe0
svc_export_show+0x362/0x430 [nfsd]
c_show+0x161/0x390 [sunrpc]
seq_read_iter+0x589/0x770
seq_read+0x1e5/0x270
proc_reg_read+0xe1/0x140
vfs_read+0x125/0x530
ksys_read+0xc1/0x160
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Allocated by task 830:
kasan_save_stack+0x20/0x40
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
__kmalloc_node_track_caller_noprof+0x1bc/0x400
kmemdup_noprof+0x22/0x50
svc_export_parse+0x8a9/0xb80 [nfsd]
cache_do_downcall+0x71/0xa0 [sunrpc]
cache_write_procfs+0x8e/0xd0 [sunrpc]
proc_reg_write+0xe1/0x140
vfs_write+0x1a5/0x6d0
ksys_write+0xc1/0x160
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 868:
kasan_save_stack+0x20/0x40
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x37/0x50
kfree+0xf3/0x3e0
svc_export_put+0x87/0xb0 [nfsd]
cache_purge+0x17f/0x1f0 [sunrpc]
nfsd_destroy_serv+0x226/0x2d0 [nfsd]
nfsd_svc+0x125/0x1e0 [nfsd]
write_threads+0x16a/0x2a0 [nfsd]
nfsctl_transaction_write+0x74/0xa0 [nfsd]
vfs_write+0x1a5/0x6d0
ksys_write+0xc1/0x160
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`.
However, `svc_export_put`/`expkey_put` will call path_put, which
subsequently triggers a sleeping operation due to the following
`dput`.
=============================
WARNING: suspicious RCU usage
5.10.0-dirty #141 Not tainted
-----------------------------
...
Call Trace:
dump_stack+0x9a/0xd0
___might_sleep+0x231/0x240
dput+0x39/0x600
path_put+0x1b/0x30
svc_export_put+0x17/0x80
e_show+0x1c9/0x200
seq_read_iter+0x63f/0x7c0
seq_read+0x226/0x2d0
vfs_read+0x113/0x2c0
ksys_read+0xc9/0x170
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Fix these issues by using `rcu_work` to help release
`svc_expkey`/`svc_export`. This approach allows for an asynchronous
context to invoke `path_put` and also facilitates the freeing of
`uuid/exp/key` after an RCU grace period.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/export.c",
"fs/nfsd/export.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bd8524148dd8c123334b066faa90590ba2ef8e6f",
"status": "affected",
"version": "9ceddd9da13434a5906255c0fc528c385aded283",
"versionType": "git"
},
{
"lessThan": "2e4854599200f4d021df8ae17e69221d7c149f3e",
"status": "affected",
"version": "9ceddd9da13434a5906255c0fc528c385aded283",
"versionType": "git"
},
{
"lessThan": "ad4363a24a5746b257c0beb5d8cc68f9b62c173f",
"status": "affected",
"version": "9ceddd9da13434a5906255c0fc528c385aded283",
"versionType": "git"
},
{
"lessThan": "f8c989a0c89a75d30f899a7cabdc14d72522bb8d",
"status": "affected",
"version": "9ceddd9da13434a5906255c0fc528c385aded283",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/export.c",
"fs/nfsd/export.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: release svc_expkey/svc_export with rcu_work\n\nThe last reference for `cache_head` can be reduced to zero in `c_show`\nand `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently,\n`svc_export_put` and `expkey_put` will be invoked, leading to two\nissues:\n\n1. The `svc_export_put` will directly free ex_uuid. However,\n `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can\n trigger a use-after-free issue, shown below.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]\n Read of size 1 at addr ff11000010fdc120 by task cat/870\n\n CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n 1.16.1-2.fc37 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n print_address_description.constprop.0+0x2c/0x3a0\n print_report+0xb9/0x280\n kasan_report+0xae/0xe0\n svc_export_show+0x362/0x430 [nfsd]\n c_show+0x161/0x390 [sunrpc]\n seq_read_iter+0x589/0x770\n seq_read+0x1e5/0x270\n proc_reg_read+0xe1/0x140\n vfs_read+0x125/0x530\n ksys_read+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n Allocated by task 830:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc_node_track_caller_noprof+0x1bc/0x400\n kmemdup_noprof+0x22/0x50\n svc_export_parse+0x8a9/0xb80 [nfsd]\n cache_do_downcall+0x71/0xa0 [sunrpc]\n cache_write_procfs+0x8e/0xd0 [sunrpc]\n proc_reg_write+0xe1/0x140\n vfs_write+0x1a5/0x6d0\n ksys_write+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n Freed by task 868:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x37/0x50\n kfree+0xf3/0x3e0\n svc_export_put+0x87/0xb0 [nfsd]\n cache_purge+0x17f/0x1f0 [sunrpc]\n nfsd_destroy_serv+0x226/0x2d0 [nfsd]\n nfsd_svc+0x125/0x1e0 [nfsd]\n write_threads+0x16a/0x2a0 [nfsd]\n nfsctl_transaction_write+0x74/0xa0 [nfsd]\n vfs_write+0x1a5/0x6d0\n ksys_write+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`.\n However, `svc_export_put`/`expkey_put` will call path_put, which\n subsequently triggers a sleeping operation due to the following\n `dput`.\n\n =============================\n WARNING: suspicious RCU usage\n 5.10.0-dirty #141 Not tainted\n -----------------------------\n ...\n Call Trace:\n dump_stack+0x9a/0xd0\n ___might_sleep+0x231/0x240\n dput+0x39/0x600\n path_put+0x1b/0x30\n svc_export_put+0x17/0x80\n e_show+0x1c9/0x200\n seq_read_iter+0x63f/0x7c0\n seq_read+0x226/0x2d0\n vfs_read+0x113/0x2c0\n ksys_read+0xc9/0x170\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nFix these issues by using `rcu_work` to help release\n`svc_expkey`/`svc_export`. This approach allows for an asynchronous\ncontext to invoke `path_put` and also facilitates the freeing of\n`uuid/exp/key` after an RCU grace period."
}
],
"providerMetadata": {
"dateUpdated": "2024-12-27T13:50:01.869Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bd8524148dd8c123334b066faa90590ba2ef8e6f"
},
{
"url": "https://git.kernel.org/stable/c/2e4854599200f4d021df8ae17e69221d7c149f3e"
},
{
"url": "https://git.kernel.org/stable/c/ad4363a24a5746b257c0beb5d8cc68f9b62c173f"
},
{
"url": "https://git.kernel.org/stable/c/f8c989a0c89a75d30f899a7cabdc14d72522bb8d"
}
],
"title": "nfsd: release svc_expkey/svc_export with rcu_work",
"x_generator": {
"engine": "bippy-5f407fcff5a0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53216",
"datePublished": "2024-12-27T13:50:01.869Z",
"dateReserved": "2024-11-19T17:17:25.024Z",
"dateUpdated": "2024-12-27T13:50:01.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-53216\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-12-27T14:15:29.587\",\"lastModified\":\"2024-12-27T14:15:29.587\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfsd: release svc_expkey/svc_export with rcu_work\\n\\nThe last reference for `cache_head` can be reduced to zero in `c_show`\\nand `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently,\\n`svc_export_put` and `expkey_put` will be invoked, leading to two\\nissues:\\n\\n1. The `svc_export_put` will directly free ex_uuid. However,\\n `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can\\n trigger a use-after-free issue, shown below.\\n\\n ==================================================================\\n BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]\\n Read of size 1 at addr ff11000010fdc120 by task cat/870\\n\\n CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\\n 1.16.1-2.fc37 04/01/2014\\n Call Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0x53/0x70\\n print_address_description.constprop.0+0x2c/0x3a0\\n print_report+0xb9/0x280\\n kasan_report+0xae/0xe0\\n svc_export_show+0x362/0x430 [nfsd]\\n c_show+0x161/0x390 [sunrpc]\\n seq_read_iter+0x589/0x770\\n seq_read+0x1e5/0x270\\n proc_reg_read+0xe1/0x140\\n vfs_read+0x125/0x530\\n ksys_read+0xc1/0x160\\n do_syscall_64+0x5f/0x170\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n\\n Allocated by task 830:\\n kasan_save_stack+0x20/0x40\\n kasan_save_track+0x14/0x30\\n __kasan_kmalloc+0x8f/0xa0\\n __kmalloc_node_track_caller_noprof+0x1bc/0x400\\n kmemdup_noprof+0x22/0x50\\n svc_export_parse+0x8a9/0xb80 [nfsd]\\n cache_do_downcall+0x71/0xa0 [sunrpc]\\n cache_write_procfs+0x8e/0xd0 [sunrpc]\\n proc_reg_write+0xe1/0x140\\n vfs_write+0x1a5/0x6d0\\n ksys_write+0xc1/0x160\\n do_syscall_64+0x5f/0x170\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n\\n Freed by task 868:\\n kasan_save_stack+0x20/0x40\\n kasan_save_track+0x14/0x30\\n kasan_save_free_info+0x3b/0x60\\n __kasan_slab_free+0x37/0x50\\n kfree+0xf3/0x3e0\\n svc_export_put+0x87/0xb0 [nfsd]\\n cache_purge+0x17f/0x1f0 [sunrpc]\\n nfsd_destroy_serv+0x226/0x2d0 [nfsd]\\n nfsd_svc+0x125/0x1e0 [nfsd]\\n write_threads+0x16a/0x2a0 [nfsd]\\n nfsctl_transaction_write+0x74/0xa0 [nfsd]\\n vfs_write+0x1a5/0x6d0\\n ksys_write+0xc1/0x160\\n do_syscall_64+0x5f/0x170\\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n\\n2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`.\\n However, `svc_export_put`/`expkey_put` will call path_put, which\\n subsequently triggers a sleeping operation due to the following\\n `dput`.\\n\\n =============================\\n WARNING: suspicious RCU usage\\n 5.10.0-dirty #141 Not tainted\\n -----------------------------\\n ...\\n Call Trace:\\n dump_stack+0x9a/0xd0\\n ___might_sleep+0x231/0x240\\n dput+0x39/0x600\\n path_put+0x1b/0x30\\n svc_export_put+0x17/0x80\\n e_show+0x1c9/0x200\\n seq_read_iter+0x63f/0x7c0\\n seq_read+0x226/0x2d0\\n vfs_read+0x113/0x2c0\\n ksys_read+0xc9/0x170\\n do_syscall_64+0x33/0x40\\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\\n\\nFix these issues by using `rcu_work` to help release\\n`svc_expkey`/`svc_export`. This approach allows for an asynchronous\\ncontext to invoke `path_put` and also facilitates the freeing of\\n`uuid/exp/key` after an RCU grace period.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2e4854599200f4d021df8ae17e69221d7c149f3e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ad4363a24a5746b257c0beb5d8cc68f9b62c173f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bd8524148dd8c123334b066faa90590ba2ef8e6f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f8c989a0c89a75d30f899a7cabdc14d72522bb8d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.