CVE-2024-56566
Vulnerability from cvelistv5
Published
2024-12-27 14:23
Modified
2024-12-27 14:23
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mm/slub: Avoid list corruption when removing a slab from the full list Boot with slub_debug=UFPZ. If allocated object failed in alloc_consistency_checks, all objects of the slab will be marked as used, and then the slab will be removed from the partial list. When an object belonging to the slab got freed later, the remove_full() function is called. Because the slab is neither on the partial list nor on the full list, it eventually lead to a list corruption (actually a list poison being detected). So we need to mark and isolate the slab page with metadata corruption, do not put it back in circulation. Because the debug caches avoid all the fastpaths, reusing the frozen bit to mark slab page with metadata corruption seems to be fine. [ 4277.385669] list_del corruption, ffffea00044b3e50->next is LIST_POISON1 (dead000000000100) [ 4277.387023] ------------[ cut here ]------------ [ 4277.387880] kernel BUG at lib/list_debug.c:56! [ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G OE 6.6.1-1 #1 [ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs] [ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91 [ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082 [ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000 [ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff [ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0 [ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910 [ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0 [ 4277.404049] FS: 0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000 [ 4277.405357] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0 [ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4277.410000] PKRU: 55555554 [ 4277.410645] Call Trace: [ 4277.411234] <TASK> [ 4277.411777] ? die+0x32/0x80 [ 4277.412439] ? do_trap+0xd6/0x100 [ 4277.413150] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.414158] ? do_error_trap+0x6a/0x90 [ 4277.414948] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.415915] ? exc_invalid_op+0x4c/0x60 [ 4277.416710] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.417675] ? asm_exc_invalid_op+0x16/0x20 [ 4277.418482] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.419466] ? __list_del_entry_valid_or_report+0x7b/0xc0 [ 4277.420410] free_to_partial_list+0x515/0x5e0 [ 4277.421242] ? xfs_iext_remove+0x41a/0xa10 [xfs] [ 4277.422298] xfs_iext_remove+0x41a/0xa10 [xfs] [ 4277.423316] ? xfs_inodegc_worker+0xb4/0x1a0 [xfs] [ 4277.424383] xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs] [ 4277.425490] __xfs_bunmapi+0x50d/0x840 [xfs] [ 4277.426445] xfs_itruncate_extents_flags+0x13a/0x490 [xfs] [ 4277.427553] xfs_inactive_truncate+0xa3/0x120 [xfs] [ 4277.428567] xfs_inactive+0x22d/0x290 [xfs] [ 4277.429500] xfs_inodegc_worker+0xb4/0x1a0 [xfs] [ 4277.430479] process_one_work+0x171/0x340 [ 4277.431227] worker_thread+0x277/0x390 [ 4277.431962] ? __pfx_worker_thread+0x10/0x10 [ 4277.432752] kthread+0xf0/0x120 [ 4277.433382] ? __pfx_kthread+0x10/0x10 [ 4277.434134] ret_from_fork+0x2d/0x50 [ 4277.434837] ? __pfx_kthread+0x10/0x10 [ 4277.435566] ret_from_fork_asm+0x1b/0x30 [ 4277.436280] </TASK>
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/33a213c04faff6c3a7fe77e947db81bc7270fe32
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/943c0f601cd28c1073b92b5f944c6c6c2643e709
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dbc16915279a548a204154368da23d402c141c81
Impacted products
Vendor Product Version
Linux Linux Version: 2.6.22
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/slab.h",
            "mm/slub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "33a213c04faff6c3a7fe77e947db81bc7270fe32",
              "status": "affected",
              "version": "643b113849d8faa68c9f01c3c9d929bfbffd50bd",
              "versionType": "git"
            },
            {
              "lessThan": "943c0f601cd28c1073b92b5f944c6c6c2643e709",
              "status": "affected",
              "version": "643b113849d8faa68c9f01c3c9d929bfbffd50bd",
              "versionType": "git"
            },
            {
              "lessThan": "dbc16915279a548a204154368da23d402c141c81",
              "status": "affected",
              "version": "643b113849d8faa68c9f01c3c9d929bfbffd50bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/slab.h",
            "mm/slub.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.22"
            },
            {
              "lessThan": "2.6.22",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: Avoid list corruption when removing a slab from the full list\n\nBoot with slub_debug=UFPZ.\n\nIf allocated object failed in alloc_consistency_checks, all objects of\nthe slab will be marked as used, and then the slab will be removed from\nthe partial list.\n\nWhen an object belonging to the slab got freed later, the remove_full()\nfunction is called. Because the slab is neither on the partial list nor\non the full list, it eventually lead to a list corruption (actually a\nlist poison being detected).\n\nSo we need to mark and isolate the slab page with metadata corruption,\ndo not put it back in circulation.\n\nBecause the debug caches avoid all the fastpaths, reusing the frozen bit\nto mark slab page with metadata corruption seems to be fine.\n\n[ 4277.385669] list_del corruption, ffffea00044b3e50-\u003enext is LIST_POISON1 (dead000000000100)\n[ 4277.387023] ------------[ cut here ]------------\n[ 4277.387880] kernel BUG at lib/list_debug.c:56!\n[ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G           OE      6.6.1-1 #1\n[ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs]\n[ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91\n[ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082\n[ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000\n[ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff\n[ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0\n[ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910\n[ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0\n[ 4277.404049] FS:  0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000\n[ 4277.405357] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0\n[ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4277.410000] PKRU: 55555554\n[ 4277.410645] Call Trace:\n[ 4277.411234]  \u003cTASK\u003e\n[ 4277.411777]  ? die+0x32/0x80\n[ 4277.412439]  ? do_trap+0xd6/0x100\n[ 4277.413150]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.414158]  ? do_error_trap+0x6a/0x90\n[ 4277.414948]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.415915]  ? exc_invalid_op+0x4c/0x60\n[ 4277.416710]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.417675]  ? asm_exc_invalid_op+0x16/0x20\n[ 4277.418482]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.419466]  ? __list_del_entry_valid_or_report+0x7b/0xc0\n[ 4277.420410]  free_to_partial_list+0x515/0x5e0\n[ 4277.421242]  ? xfs_iext_remove+0x41a/0xa10 [xfs]\n[ 4277.422298]  xfs_iext_remove+0x41a/0xa10 [xfs]\n[ 4277.423316]  ? xfs_inodegc_worker+0xb4/0x1a0 [xfs]\n[ 4277.424383]  xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs]\n[ 4277.425490]  __xfs_bunmapi+0x50d/0x840 [xfs]\n[ 4277.426445]  xfs_itruncate_extents_flags+0x13a/0x490 [xfs]\n[ 4277.427553]  xfs_inactive_truncate+0xa3/0x120 [xfs]\n[ 4277.428567]  xfs_inactive+0x22d/0x290 [xfs]\n[ 4277.429500]  xfs_inodegc_worker+0xb4/0x1a0 [xfs]\n[ 4277.430479]  process_one_work+0x171/0x340\n[ 4277.431227]  worker_thread+0x277/0x390\n[ 4277.431962]  ? __pfx_worker_thread+0x10/0x10\n[ 4277.432752]  kthread+0xf0/0x120\n[ 4277.433382]  ? __pfx_kthread+0x10/0x10\n[ 4277.434134]  ret_from_fork+0x2d/0x50\n[ 4277.434837]  ? __pfx_kthread+0x10/0x10\n[ 4277.435566]  ret_from_fork_asm+0x1b/0x30\n[ 4277.436280]  \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-27T14:23:10.178Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/33a213c04faff6c3a7fe77e947db81bc7270fe32"
        },
        {
          "url": "https://git.kernel.org/stable/c/943c0f601cd28c1073b92b5f944c6c6c2643e709"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbc16915279a548a204154368da23d402c141c81"
        }
      ],
      "title": "mm/slub: Avoid list corruption when removing a slab from the full list",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56566",
    "datePublished": "2024-12-27T14:23:10.178Z",
    "dateReserved": "2024-12-27T14:03:05.996Z",
    "dateUpdated": "2024-12-27T14:23:10.178Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-56566\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-12-27T15:15:15.517\",\"lastModified\":\"2024-12-27T15:15:15.517\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/slub: Avoid list corruption when removing a slab from the full list\\n\\nBoot with slub_debug=UFPZ.\\n\\nIf allocated object failed in alloc_consistency_checks, all objects of\\nthe slab will be marked as used, and then the slab will be removed from\\nthe partial list.\\n\\nWhen an object belonging to the slab got freed later, the remove_full()\\nfunction is called. Because the slab is neither on the partial list nor\\non the full list, it eventually lead to a list corruption (actually a\\nlist poison being detected).\\n\\nSo we need to mark and isolate the slab page with metadata corruption,\\ndo not put it back in circulation.\\n\\nBecause the debug caches avoid all the fastpaths, reusing the frozen bit\\nto mark slab page with metadata corruption seems to be fine.\\n\\n[ 4277.385669] list_del corruption, ffffea00044b3e50-\u003enext is LIST_POISON1 (dead000000000100)\\n[ 4277.387023] ------------[ cut here ]------------\\n[ 4277.387880] kernel BUG at lib/list_debug.c:56!\\n[ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI\\n[ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G           OE      6.6.1-1 #1\\n[ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs]\\n[ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0\\n[ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91\\n[ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082\\n[ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000\\n[ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff\\n[ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0\\n[ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910\\n[ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0\\n[ 4277.404049] FS:  0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000\\n[ 4277.405357] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0\\n[ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ 4277.410000] PKRU: 55555554\\n[ 4277.410645] Call Trace:\\n[ 4277.411234]  \u003cTASK\u003e\\n[ 4277.411777]  ? die+0x32/0x80\\n[ 4277.412439]  ? do_trap+0xd6/0x100\\n[ 4277.413150]  ? __list_del_entry_valid_or_report+0x7b/0xc0\\n[ 4277.414158]  ? do_error_trap+0x6a/0x90\\n[ 4277.414948]  ? __list_del_entry_valid_or_report+0x7b/0xc0\\n[ 4277.415915]  ? exc_invalid_op+0x4c/0x60\\n[ 4277.416710]  ? __list_del_entry_valid_or_report+0x7b/0xc0\\n[ 4277.417675]  ? asm_exc_invalid_op+0x16/0x20\\n[ 4277.418482]  ? __list_del_entry_valid_or_report+0x7b/0xc0\\n[ 4277.419466]  ? __list_del_entry_valid_or_report+0x7b/0xc0\\n[ 4277.420410]  free_to_partial_list+0x515/0x5e0\\n[ 4277.421242]  ? xfs_iext_remove+0x41a/0xa10 [xfs]\\n[ 4277.422298]  xfs_iext_remove+0x41a/0xa10 [xfs]\\n[ 4277.423316]  ? xfs_inodegc_worker+0xb4/0x1a0 [xfs]\\n[ 4277.424383]  xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs]\\n[ 4277.425490]  __xfs_bunmapi+0x50d/0x840 [xfs]\\n[ 4277.426445]  xfs_itruncate_extents_flags+0x13a/0x490 [xfs]\\n[ 4277.427553]  xfs_inactive_truncate+0xa3/0x120 [xfs]\\n[ 4277.428567]  xfs_inactive+0x22d/0x290 [xfs]\\n[ 4277.429500]  xfs_inodegc_worker+0xb4/0x1a0 [xfs]\\n[ 4277.430479]  process_one_work+0x171/0x340\\n[ 4277.431227]  worker_thread+0x277/0x390\\n[ 4277.431962]  ? __pfx_worker_thread+0x10/0x10\\n[ 4277.432752]  kthread+0xf0/0x120\\n[ 4277.433382]  ? __pfx_kthread+0x10/0x10\\n[ 4277.434134]  ret_from_fork+0x2d/0x50\\n[ 4277.434837]  ? __pfx_kthread+0x10/0x10\\n[ 4277.435566]  ret_from_fork_asm+0x1b/0x30\\n[ 4277.436280]  \u003c/TASK\u003e\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/33a213c04faff6c3a7fe77e947db81bc7270fe32\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/943c0f601cd28c1073b92b5f944c6c6c2643e709\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dbc16915279a548a204154368da23d402c141c81\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.