ghsa-2f9p-c2rc-cff7
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
nfs/blocklayout: Don't attempt unregister for invalid block device
Since commit d869da91cccb ("nfs/blocklayout: Fix premature PR key unregistration") an unmount of a pNFS SCSI layout-enabled NFS may dereference a NULL block_device in:
bl_unregister_scsi+0x16/0xe0 [blocklayoutdriver] bl_free_device+0x70/0x80 [blocklayoutdriver] bl_free_deviceid_node+0x12/0x30 [blocklayoutdriver] nfs4_put_deviceid_node+0x60/0xc0 [nfsv4] nfs4_deviceid_purge_client+0x132/0x190 [nfsv4] unset_pnfs_layoutdriver+0x59/0x60 [nfsv4] nfs4_destroy_server+0x36/0x70 [nfsv4] nfs_free_server+0x23/0xe0 [nfs] deactivate_locked_super+0x30/0xb0 cleanup_mnt+0xba/0x150 task_work_run+0x59/0x90 syscall_exit_to_user_mode+0x217/0x220 do_syscall_64+0x8e/0x160
This happens because even though we were able to create the nfs4_deviceid_node, the lookup for the device was unable to attach the block device to the pnfs_block_dev.
If we never found a block device to register, we can avoid this case with the PNFS_BDEV_REGISTERED flag. Move the deref behind the test for the flag.
{
"affected": [],
"aliases": [
"CVE-2024-53167"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T14:15:23Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs/blocklayout: Don\u0027t attempt unregister for invalid block device\n\nSince commit d869da91cccb (\"nfs/blocklayout: Fix premature PR key\nunregistration\") an unmount of a pNFS SCSI layout-enabled NFS may\ndereference a NULL block_device in:\n\n bl_unregister_scsi+0x16/0xe0 [blocklayoutdriver]\n bl_free_device+0x70/0x80 [blocklayoutdriver]\n bl_free_deviceid_node+0x12/0x30 [blocklayoutdriver]\n nfs4_put_deviceid_node+0x60/0xc0 [nfsv4]\n nfs4_deviceid_purge_client+0x132/0x190 [nfsv4]\n unset_pnfs_layoutdriver+0x59/0x60 [nfsv4]\n nfs4_destroy_server+0x36/0x70 [nfsv4]\n nfs_free_server+0x23/0xe0 [nfs]\n deactivate_locked_super+0x30/0xb0\n cleanup_mnt+0xba/0x150\n task_work_run+0x59/0x90\n syscall_exit_to_user_mode+0x217/0x220\n do_syscall_64+0x8e/0x160\n\nThis happens because even though we were able to create the\nnfs4_deviceid_node, the lookup for the device was unable to attach the\nblock device to the pnfs_block_dev.\n\nIf we never found a block device to register, we can avoid this case with\nthe PNFS_BDEV_REGISTERED flag. Move the deref behind the test for the\nflag.",
"id": "GHSA-2f9p-c2rc-cff7",
"modified": "2024-12-27T15:31:50Z",
"published": "2024-12-27T15:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53167"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3402704a424f34bbcca7f4a4503859357f422217"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a4ce14d9a6b868e0787e4582420b721c04ee41e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/faa4bacfaeed827a4ca8cb8529a3ce65a9e8ef46"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.