Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2024 / CVE-2024-35979.json
blob: 1f8bc8a2489d4b2caf5be08876975afb4e61dff7 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nraid1: fix use-after-free for original bio in raid1_write_request()\n\nr1_bio->bios[] is used to record new bios that will be issued to\nunderlying disks, however, in raid1_write_request(), r1_bio->bios[]\nwill set to the original bio temporarily. Meanwhile, if blocked rdev\nis set, free_r1bio() will be called causing that all r1_bio->bios[]\nto be freed:\n\nraid1_write_request()\n r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL\n for (i = 0; i < disks; i++) -> for each rdev in conf\n // first rdev is normal\n r1_bio->bios[0] = bio; -> set to original bio\n // second rdev is blocked\n if (test_bit(Blocked, &rdev->flags))\n break\n\n if (blocked_rdev)\n free_r1bio()\n put_all_bios()\n bio_put(r1_bio->bios[0]) -> original bio is freed\n\nTest scripts:\n\nmdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean\nfio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \\\n -iodepth=128 -name=test -direct=1\necho blocked > /sys/block/md0/md/rd2/state\n\nTest result:\n\nBUG bio-264 (Not tainted): Object already free\n-----------------------------------------------------------------------------\n\nAllocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869\n kmem_cache_alloc+0x324/0x480\n mempool_alloc_slab+0x24/0x50\n mempool_alloc+0x6e/0x220\n bio_alloc_bioset+0x1af/0x4d0\n blkdev_direct_IO+0x164/0x8a0\n blkdev_write_iter+0x309/0x440\n aio_write+0x139/0x2f0\n io_submit_one+0x5ca/0xb70\n __do_sys_io_submit+0x86/0x270\n __x64_sys_io_submit+0x22/0x30\n do_syscall_64+0xb1/0x210\n entry_SYSCALL_64_after_hwframe+0x6c/0x74\nFreed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869\n kmem_cache_free+0x28c/0x550\n mempool_free_slab+0x1f/0x30\n mempool_free+0x40/0x100\n bio_free+0x59/0x80\n bio_put+0xf0/0x220\n free_r1bio+0x74/0xb0\n raid1_make_request+0xadf/0x1150\n md_handle_request+0xc7/0x3b0\n md_submit_bio+0x76/0x130\n __submit_bio+0xd8/0x1d0\n submit_bio_noacct_nocheck+0x1eb/0x5c0\n submit_bio_noacct+0x169/0xd40\n submit_bio+0xee/0x1d0\n blkdev_direct_IO+0x322/0x8a0\n blkdev_write_iter+0x309/0x440\n aio_write+0x139/0x2f0\n\nSince that bios for underlying disks are not allocated yet, fix this\nproblem by using mempool_free() directly to free the r1_bio."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/md/raid1.c"
],
"versions": [
{
"version": "992db13a4aee766c8bfbf046ad15c2db5fa7cab8",
"lessThan": "3f28d49a328fe20926995d5fbdc92da665596268",
"status": "affected",
"versionType": "git"
},
{
"version": "992db13a4aee766c8bfbf046ad15c2db5fa7cab8",
"lessThan": "f423f41b7679c09abb26d2bd54be5cbef23c9446",
"status": "affected",
"versionType": "git"
},
{
"version": "992db13a4aee766c8bfbf046ad15c2db5fa7cab8",
"lessThan": "fcf3f7e2fc8a53a6140beee46ec782a4c88e4744",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/md/raid1.c"
],
"versions": [
{
"version": "6.6",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.6",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.28",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.8.7",
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.9",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6",
"versionEndExcluding": "6.6.28"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6",
"versionEndExcluding": "6.8.7"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6",
"versionEndExcluding": "6.9"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/3f28d49a328fe20926995d5fbdc92da665596268"
},
{
"url": "https://git.kernel.org/stable/c/f423f41b7679c09abb26d2bd54be5cbef23c9446"
},
{
"url": "https://git.kernel.org/stable/c/fcf3f7e2fc8a53a6140beee46ec782a4c88e4744"
}
],
"title": "raid1: fix use-after-free for original bio in raid1_write_request()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2024-35979",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}