CVE-2024-26958

CVE Details

Release Date:	2024-05-01
Impact:	Moderate	What is this?

Description

In the Linux kernel, the following vulnerability has been resolved:\nnfs: fix UAF in direct writes\nIn production we have been hitting the following warning consistently\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n\n? __warn+0x9f/0x130\n? refcount_warn_saturate+0x9c/0xe0\n? report_bug+0xcc/0x150\n? handle_bug+0x3d/0x70\n? exc_invalid_op+0x16/0x40\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0x9c/0xe0\nnfs_direct_write_schedule_work+0x237/0x250 [nfs]\nprocess_one_work+0x12f/0x4a0\nworker_thread+0x14e/0x3b0\n? ZSTD_getCParams_internal+0x220/0x220\nkthread+0xdc/0x120\n? __btf_name_valid+0xa0/0xa0\nret_from_fork+0x1f/0x30\nThis is because we're completing the nfs_direct_request twice in a row.\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\nif (nfs_commit_end(cinfo.mds))\nnfs_direct_write_complete(dreq);\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\nnfs_commit_begin();\nnfs_commit_end();\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\nFix this by using the same pattern for the commit requests.\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes. With my patch the stress test has been running for\nseveral hours without popping.

See more information about CVE-2024-26958 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	5.5
Vector String:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version:	3.1
Attack Vector:	Local
Attack Complexity:	Low
Privileges Required:	Low
User Interaction:	None
Scope:	Unchanged
Confidentiality Impact:	None
Integrity Impact:	None
Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (kernel)	ELSA-2024-5101	2024-08-08
Oracle Linux version 9 (kernel)	ELSA-2024-9315	2024-11-14