CVE-2024-35979
- ULN >
- Oracle Linux CVE repository >
- CVE-2024-35979
CVE Details
| Release Date: | 2024-05-20 |
Description
In the Linux kernel, the following vulnerability has been resolved:\nraid1: fix use-after-free for original bio in raid1_write_request()\nr1_bio->bios[] is used to record new bios that will be issued to\nunderlying disks, however, in raid1_write_request(), r1_bio->bios[]\nwill set to the original bio temporarily. Meanwhile, if blocked rdev\nis set, free_r1bio() will be called causing that all r1_bio->bios[]\nto be freed:\nraid1_write_request()\nr1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL\nfor (i = 0; i < disks; i++) -> for each rdev in conf\n// first rdev is normal\nr1_bio->bios[0] = bio; -> set to original bio\n// second rdev is blocked\nif (test_bit(Blocked, &rdev->flags))\nbreak\nif (blocked_rdev)\nfree_r1bio()\nput_all_bios()\nbio_put(r1_bio->bios[0]) -> original bio is freed\nTest scripts:\nmdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean\nfio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \\n-iodepth=128 -name=test -direct=1\necho blocked > /sys/block/md0/md/rd2/state\nTest result:\nBUG bio-264 (Not tainted): Object already free\n-----------------------------------------------------------------------------\nAllocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869\nkmem_cache_alloc+0x324/0x480\nmempool_alloc_slab+0x24/0x50\nmempool_alloc+0x6e/0x220\nbio_alloc_bioset+0x1af/0x4d0\nblkdev_direct_IO+0x164/0x8a0\nblkdev_write_iter+0x309/0x440\naio_write+0x139/0x2f0\nio_submit_one+0x5ca/0xb70\n__do_sys_io_submit+0x86/0x270\n__x64_sys_io_submit+0x22/0x30\ndo_syscall_64+0xb1/0x210\nentry_SYSCALL_64_after_hwframe+0x6c/0x74\nFreed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869\nkmem_cache_free+0x28c/0x550\nmempool_free_slab+0x1f/0x30\nmempool_free+0x40/0x100\nbio_free+0x59/0x80\nbio_put+0xf0/0x220\nfree_r1bio+0x74/0xb0\nraid1_make_request+0xadf/0x1150\nmd_handle_request+0xc7/0x3b0\nmd_submit_bio+0x76/0x130\n__submit_bio+0xd8/0x1d0\nsubmit_bio_noacct_nocheck+0x1eb/0x5c0\nsubmit_bio_noacct+0x169/0xd40\nsubmit_bio+0xee/0x1d0\nblkdev_direct_IO+0x322/0x8a0\nblkdev_write_iter+0x309/0x440\naio_write+0x139/0x2f0\nSince that bios for underlying disks are not allocated yet, fix this\nproblem by using mempool_free() directly to free the r1_bio.
See more information about CVE-2024-35979 from MITRE CVE dictionary and NIST NVD
CVSS Scoring
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
| Base Score: | 5.5 | CVSS Vector: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector: | Local network | Attack Complexity: | Low |
| Privileges Required: | Low | User Interaction: | None |
| Scope: | Unchanged | Confidentiality Impact: | None |
| Integrity Impact: | None | Availability Impact: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 9 (kernel) | ELSA-2024-9315 | 2024-11-14 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
