Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com

CVE-2024-53182

Description

In the Linux kernel, the following vulnerability has been resolved:Revert "block, bfq: merge bfq_release_process_ref() into bfq_put_cooperator()"This reverts commit bc3b1e9e7c50e1de0f573eea3871db61dd4787de.The bic is associated with sync_bfqq, and bfq_release_process_ref cannotbe put into bfq_put_cooperator.kasan report:[ 400.347277] ==================================================================[ 400.347287] BUG: KASAN: slab-use-after-free in bic_set_bfqq+0x200/0x230[ 400.347420] Read of size 8 at addr ffff88881cab7d60 by task dockerd/5800[ 400.347430][ 400.347436] CPU: 24 UID: 0 PID: 5800 Comm: dockerd Kdump: loaded Tainted: G E 6.12.0 #32[ 400.347450] Tainted: [E]=UNSIGNED_MODULE[ 400.347454] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022[ 400.347460] Call Trace:[ 400.347464] [ 400.347468] dump_stack_lvl+0x5d/0x80[ 400.347490] print_report+0x174/0x505[ 400.347521] kasan_report+0xe0/0x160[ 400.347541] bic_set_bfqq+0x200/0x230[ 400.347549] bfq_bic_update_cgroup+0x419/0x740[ 400.347560] bfq_bio_merge+0x133/0x320[ 400.347584] blk_mq_submit_bio+0x1761/0x1e20[ 400.347625] __submit_bio+0x28b/0x7b0[ 400.347664] submit_bio_noacct_nocheck+0x6b2/0xd30[ 400.347690] iomap_readahead+0x50c/0x680[ 400.347731] read_pages+0x17f/0x9c0[ 400.347785] page_cache_ra_unbounded+0x366/0x4a0[ 400.347795] filemap_fault+0x83d/0x2340[ 400.347819] __xfs_filemap_fault+0x11a/0x7d0 [xfs][ 400.349256] __do_fault+0xf1/0x610[ 400.349270] do_fault+0x977/0x11a0[ 400.349281] __handle_mm_fault+0x5d1/0x850[ 400.349314] handle_mm_fault+0x1f8/0x560[ 400.349324] do_user_addr_fault+0x324/0x970[ 400.349337] exc_page_fault+0x76/0xf0[ 400.349350] asm_exc_page_fault+0x26/0x30[ 400.349360] RIP: 0033:0x55a480d77375[ 400.349384] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 0f 86 ae 02 00 00 55 48 89 e5 48 83 ec 58 48 8b 10 <83> 7a 10 00 0f 84 27 02 00 00 44 0f b6 42 28 44 0f b6 4a 29 41 80[ 400.349392] RSP: 002b:00007f18c37fd8b8 EFLAGS: 00010216[ 400.349401] RAX: 00007f18c37fd9d0 RBX: 0000000000000000 RCX: 0000000000000000[ 400.349407] RDX: 000055a484407d38 RSI: 000000c000e8b0c0 RDI: 0000000000000000[ 400.349412] RBP: 00007f18c37fd910 R08: 000055a484017f60 R09: 000055a484066f80[ 400.349417] R10: 0000000000194000 R11: 0000000000000005 R12: 0000000000000008[ 400.349422] R13: 0000000000000000 R14: 000000c000476a80 R15: 0000000000000000[ 400.349430] [ 400.349452][ 400.349454] Allocated by task 5800:[ 400.349459] kasan_save_stack+0x30/0x50[ 400.349469] kasan_save_track+0x14/0x30[ 400.349475] __kasan_slab_alloc+0x89/0x90[ 400.349482] kmem_cache_alloc_node_noprof+0xdc/0x2a0[ 400.349492] bfq_get_queue+0x1ef/0x1100[ 400.349502] __bfq_get_bfqq_handle_split+0x11a/0x510[ 400.349511] bfq_insert_requests+0xf55/0x9030[ 400.349519] blk_mq_flush_plug_list+0x446/0x14c0[ 400.349527] __blk_flush_plug+0x27c/0x4e0[ 400.349534] blk_finish_plug+0x52/0xa0[ 400.349540] _xfs_buf_ioapply+0x739/0xc30 [xfs][ 400.350246] __xfs_buf_submit+0x1b2/0x640 [xfs][ 400.350967] xfs_buf_read_map+0x306/0xa20 [xfs][ 400.351672] xfs_trans_read_buf_map+0x285/0x7d0 [xfs][ 400.352386] xfs_imap_to_bp+0x107/0x270 [xfs][ 400.353077] xfs_iget+0x70d/0x1eb0 [xfs][ 400.353786] xfs_lookup+0x2ca/0x3a0 [xfs][ 400.354506] xfs_vn_lookup+0x14e/0x1a0 [xfs][ 400.355197] __lookup_slow+0x19c/0x340[ 400.355204] lookup_one_unlocked+0xfc/0x120[ 400.355211] ovl_lookup_single+0x1b3/0xcf0 [overlay][ 400.355255] ovl_lookup_layer+0x316/0x490 [overlay][ 400.355295] ovl_lookup+0x844/0x1fd0 [overlay][ 400.355351] lookup_one_qstr_excl+0xef/0x150[ 400.355357] do_unlinkat+0x22a/0x620[ 400.355366] __x64_sys_unlinkat+0x109/0x1e0[ 400.355375] do_syscall_64+0x82/0x160[ 400.355384] entry_SYSCALL_64_after_hwframe+0x76/0x7---truncated---

CVE-2024-53182

Description

POC

Reference

Github