Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2024-47696

Description

In the Linux kernel, the following vulnerability has been resolved:RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependencyIn the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related todestroying CM IDs"), the function flush_workqueue is invoked to flush thework queue iwcm_wq.But at that time, the work queue iwcm_wq was created via the functionalloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.Because the current process is trying to flush the whole iwcm_wq, ifiwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the currentprocess is not reclaiming memory or running on a workqueue which doesn'thave the flag WQ_MEM_RECLAIM as that can break forward-progress guaranteeleading to a deadlock.The call trace is as below:[ 125.350876][ T1430] Call Trace:[ 125.356281][ T1430] [ 125.361285][ T1430] ? __warn (kernel/panic.c:693)[ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))[ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219)[ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239)[ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))[ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)[ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))[ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))[ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970)[ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151)[ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm[ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910)[ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)[ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)[ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm[ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma[ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma[ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231)[ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393)[ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339)[ 125.531837][ T1430] kthread (kernel/kthread.c:389)[ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342)[ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147)[ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342)[ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)[ 125.566487][ T1430] [ 125.566488][ T1430] ---[ end trace 0000000000000000 ]---

POC

Reference

No PoCs from references.

Github

- https://github.com/w4zu/Debian_security