CVE Details
Description
In the Linux kernel, the following vulnerability has been resolved:\nnfs: fix panic when nfs4_ff_layout_prepare_ds() fails\nWe've been seeing the following panic in production\nBUG: kernel NULL pointer dereference, address: 0000000000000065\nPGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0\nRIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]\nCall Trace:\n\n? __die+0x78/0xc0\n? page_fault_oops+0x286/0x380\n? __rpc_execute+0x2c3/0x470 [sunrpc]\n? rpc_new_task+0x42/0x1c0 [sunrpc]\n? exc_page_fault+0x5d/0x110\n? asm_exc_page_fault+0x22/0x30\n? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles]\n? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]\n? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles]\npnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4]\npnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4]\n? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles]\nnfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles]\nff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles]\n__nfs_pageio_add_request+0x154/0x6c0 [nfs]\nnfs_pageio_add_request+0x26b/0x380 [nfs]\nnfs_do_writepage+0x111/0x1e0 [nfs]\nnfs_writepages_callback+0xf/0x30 [nfs]\nwrite_cache_pages+0x17f/0x380\n? nfs_pageio_init_write+0x50/0x50 [nfs]\n? nfs_writepages+0x6d/0x210 [nfs]\n? nfs_writepages+0x6d/0x210 [nfs]\nnfs_writepages+0x125/0x210 [nfs]\ndo_writepages+0x67/0x220\n? generic_perform_write+0x14b/0x210\nfilemap_fdatawrite_wbc+0x5b/0x80\nfile_write_and_wait_range+0x6d/0xc0\nnfs_file_fsync+0x81/0x170 [nfs]\n? nfs_file_mmap+0x60/0x60 [nfs]\n__x64_sys_fsync+0x53/0x90\ndo_syscall_64+0x3d/0x90\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nInspecting the core with drgn I was able to pull this\n>>> prog.crashed_thread().stack_trace()[0]\n#0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27\n>>> prog.crashed_thread().stack_trace()[0]['idx']\n(u32)1\n>>> prog.crashed_thread().stack_trace()[0]['flseg'].mirror_array[1].mirror_ds\n(struct nfs4_ff_layout_ds *)0xffffffffffffffed\nThis is clear from the stack trace, we call nfs4_ff_layout_prepare_ds()\nwhich could error out initializing the mirror_ds, and then we go to\nclean it all up and our check is only for if (!mirror->mirror_ds). This\nis inconsistent with the rest of the users of mirror_ds, which have\nif (IS_ERR_OR_NULL(mirror_ds))\nto keep from tripping over this exact scenario. Fix this up in\nff_layout_cancel_io() to make sure we don't panic when we get an error.\nI also spot checked all the other instances of checking mirror_ds and we\nappear to be doing the correct checks everywhere, only unconditionally\ndereferencing mirror_ds when we know it would be valid.
See more information about CVE-2024-26868 from MITRE CVE dictionary and NIST NVD
CVSS Scoring
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
| Base Score: |
5.5 |
CVSS Vector: |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector: |
Local network |
Attack Complexity: |
Low |
| Privileges Required: |
Low |
User Interaction: |
None |
| Scope: |
Unchanged |
Confidentiality Impact: |
None |
| Integrity Impact: |
None |
Availability Impact: |
High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 9 (kernel) | ELSA-2024-5363 | 2024-08-14 |
