cve-2024-53170
Vulnerability from cvelistv5
Published
2024-12-27 13:49
Modified
2024-12-27 13:49
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: block: fix uaf for flush rq while iterating tags blk_mq_clear_flush_rq_mapping() is not called during scsi probe, by checking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared in del_gendisk by commit aec89dc5d421 ("block: keep q_usage_counter in atomic mode after del_gendisk"), hence for disk like scsi, following blk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well, cause following uaf that is found by our syzkaller for v6.6: ================================================================== BUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261 Read of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909 CPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32 Workqueue: kblockd blk_mq_timeout_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364 print_report+0x3e/0x70 mm/kasan/report.c:475 kasan_report+0xb8/0xf0 mm/kasan/report.c:588 blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261 bt_iter block/blk-mq-tag.c:288 [inline] __sbitmap_for_each_set include/linux/sbitmap.h:295 [inline] sbitmap_for_each_set include/linux/sbitmap.h:316 [inline] bt_for_each+0x455/0x790 block/blk-mq-tag.c:325 blk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534 blk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673 process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631 process_scheduled_works kernel/workqueue.c:2704 [inline] worker_thread+0x804/0xe40 kernel/workqueue.c:2785 kthread+0x346/0x450 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293 Allocated by task 942: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc mm/kasan/common.c:383 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380 kasan_kmalloc include/linux/kasan.h:198 [inline] __do_kmalloc_node mm/slab_common.c:1007 [inline] __kmalloc_node+0x69/0x170 mm/slab_common.c:1014 kmalloc_node include/linux/slab.h:620 [inline] kzalloc_node include/linux/slab.h:732 [inline] blk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499 blk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788 blk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261 blk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294 blk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350 blk_mq_init_queue_data block/blk-mq.c:4166 [inline] blk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176 scsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335 scsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189 __scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727 scsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline] scsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791 scsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844 scsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151 store_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191 dev_attr_store+0x5c/0x90 drivers/base/core.c:2388 sysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338 call_write_iter include/linux/fs.h:2083 [inline] new_sync_write+0x1b4/0x2d0 fs/read_write.c:493 vfs_write+0x76c/0xb00 fs/read_write.c:586 ksys_write+0x127/0x250 fs/read_write.c:639 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Freed by task 244687: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522 ____kasan_slab_free mm/kasan/common.c:236 [inline] __kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244 kasan_slab_free include/linux/kasan.h:164 [in ---truncated---
Impacted products
Vendor Product Version
Linux Linux Version: 5.19
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/blk-sysfs.c",
            "block/genhd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a0e93b9fefafe97d596f9c98701ae6c3b04b3ff6",
              "status": "affected",
              "version": "6cfeadbff3f8905f2854735ebb88e581402c16c4",
              "versionType": "git"
            },
            {
              "lessThan": "61092568f2a9acb0e6e186f03f2e0649a4e86d09",
              "status": "affected",
              "version": "6cfeadbff3f8905f2854735ebb88e581402c16c4",
              "versionType": "git"
            },
            {
              "lessThan": "3802f73bd80766d70f319658f334754164075bc3",
              "status": "affected",
              "version": "6cfeadbff3f8905f2854735ebb88e581402c16c4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/blk-sysfs.c",
            "block/genhd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix uaf for flush rq while iterating tags\n\nblk_mq_clear_flush_rq_mapping() is not called during scsi probe, by\nchecking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared\nin del_gendisk by commit aec89dc5d421 (\"block: keep q_usage_counter in\natomic mode after del_gendisk\"), hence for disk like scsi, following\nblk_mq_destroy_queue() will not clear flush rq from tags-\u003erqs[] as well,\ncause following uaf that is found by our syzkaller for v6.6:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nRead of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909\n\nCPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32\nWorkqueue: kblockd blk_mq_timeout_work\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\nprint_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364\nprint_report+0x3e/0x70 mm/kasan/report.c:475\nkasan_report+0xb8/0xf0 mm/kasan/report.c:588\nblk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nbt_iter block/blk-mq-tag.c:288 [inline]\n__sbitmap_for_each_set include/linux/sbitmap.h:295 [inline]\nsbitmap_for_each_set include/linux/sbitmap.h:316 [inline]\nbt_for_each+0x455/0x790 block/blk-mq-tag.c:325\nblk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534\nblk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673\nprocess_one_work+0x7c4/0x1450 kernel/workqueue.c:2631\nprocess_scheduled_works kernel/workqueue.c:2704 [inline]\nworker_thread+0x804/0xe40 kernel/workqueue.c:2785\nkthread+0x346/0x450 kernel/kthread.c:388\nret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293\n\nAllocated by task 942:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n____kasan_kmalloc mm/kasan/common.c:374 [inline]\n__kasan_kmalloc mm/kasan/common.c:383 [inline]\n__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380\nkasan_kmalloc include/linux/kasan.h:198 [inline]\n__do_kmalloc_node mm/slab_common.c:1007 [inline]\n__kmalloc_node+0x69/0x170 mm/slab_common.c:1014\nkmalloc_node include/linux/slab.h:620 [inline]\nkzalloc_node include/linux/slab.h:732 [inline]\nblk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499\nblk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788\nblk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261\nblk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294\nblk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350\nblk_mq_init_queue_data block/blk-mq.c:4166 [inline]\nblk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176\nscsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335\nscsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189\n__scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727\nscsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline]\nscsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791\nscsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844\nscsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151\nstore_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191\ndev_attr_store+0x5c/0x90 drivers/base/core.c:2388\nsysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136\nkernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338\ncall_write_iter include/linux/fs.h:2083 [inline]\nnew_sync_write+0x1b4/0x2d0 fs/read_write.c:493\nvfs_write+0x76c/0xb00 fs/read_write.c:586\nksys_write+0x127/0x250 fs/read_write.c:639\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x70/0x120 arch/x86/entry/common.c:81\nentry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nFreed by task 244687:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n__kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244\nkasan_slab_free include/linux/kasan.h:164 [in\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-27T13:49:15.712Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a0e93b9fefafe97d596f9c98701ae6c3b04b3ff6"
        },
        {
          "url": "https://git.kernel.org/stable/c/61092568f2a9acb0e6e186f03f2e0649a4e86d09"
        },
        {
          "url": "https://git.kernel.org/stable/c/3802f73bd80766d70f319658f334754164075bc3"
        }
      ],
      "title": "block: fix uaf for flush rq while iterating tags",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53170",
    "datePublished": "2024-12-27T13:49:15.712Z",
    "dateReserved": "2024-11-19T17:17:25.006Z",
    "dateUpdated": "2024-12-27T13:49:15.712Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-53170\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-12-27T14:15:24.183\",\"lastModified\":\"2024-12-27T14:15:24.183\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock: fix uaf for flush rq while iterating tags\\n\\nblk_mq_clear_flush_rq_mapping() is not called during scsi probe, by\\nchecking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared\\nin del_gendisk by commit aec89dc5d421 (\\\"block: keep q_usage_counter in\\natomic mode after del_gendisk\\\"), hence for disk like scsi, following\\nblk_mq_destroy_queue() will not clear flush rq from tags-\u003erqs[] as well,\\ncause following uaf that is found by our syzkaller for v6.6:\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\\nRead of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909\\n\\nCPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32\\nWorkqueue: kblockd blk_mq_timeout_work\\nCall Trace:\\n\\n__dump_stack lib/dump_stack.c:88 [inline]\\ndump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\\nprint_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364\\nprint_report+0x3e/0x70 mm/kasan/report.c:475\\nkasan_report+0xb8/0xf0 mm/kasan/report.c:588\\nblk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\\nbt_iter block/blk-mq-tag.c:288 [inline]\\n__sbitmap_for_each_set include/linux/sbitmap.h:295 [inline]\\nsbitmap_for_each_set include/linux/sbitmap.h:316 [inline]\\nbt_for_each+0x455/0x790 block/blk-mq-tag.c:325\\nblk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534\\nblk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673\\nprocess_one_work+0x7c4/0x1450 kernel/workqueue.c:2631\\nprocess_scheduled_works kernel/workqueue.c:2704 [inline]\\nworker_thread+0x804/0xe40 kernel/workqueue.c:2785\\nkthread+0x346/0x450 kernel/kthread.c:388\\nret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\\nret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293\\n\\nAllocated by task 942:\\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\\n____kasan_kmalloc mm/kasan/common.c:374 [inline]\\n__kasan_kmalloc mm/kasan/common.c:383 [inline]\\n__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380\\nkasan_kmalloc include/linux/kasan.h:198 [inline]\\n__do_kmalloc_node mm/slab_common.c:1007 [inline]\\n__kmalloc_node+0x69/0x170 mm/slab_common.c:1014\\nkmalloc_node include/linux/slab.h:620 [inline]\\nkzalloc_node include/linux/slab.h:732 [inline]\\nblk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499\\nblk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788\\nblk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261\\nblk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294\\nblk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350\\nblk_mq_init_queue_data block/blk-mq.c:4166 [inline]\\nblk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176\\nscsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335\\nscsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189\\n__scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727\\nscsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline]\\nscsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791\\nscsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844\\nscsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151\\nstore_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191\\ndev_attr_store+0x5c/0x90 drivers/base/core.c:2388\\nsysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136\\nkernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338\\ncall_write_iter include/linux/fs.h:2083 [inline]\\nnew_sync_write+0x1b4/0x2d0 fs/read_write.c:493\\nvfs_write+0x76c/0xb00 fs/read_write.c:586\\nksys_write+0x127/0x250 fs/read_write.c:639\\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\\ndo_syscall_64+0x70/0x120 arch/x86/entry/common.c:81\\nentry_SYSCALL_64_after_hwframe+0x78/0xe2\\n\\nFreed by task 244687:\\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\\nkasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522\\n____kasan_slab_free mm/kasan/common.c:236 [inline]\\n__kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244\\nkasan_slab_free include/linux/kasan.h:164 [in\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3802f73bd80766d70f319658f334754164075bc3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/61092568f2a9acb0e6e186f03f2e0649a4e86d09\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a0e93b9fefafe97d596f9c98701ae6c3b04b3ff6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.