CVE-2024-40998
- ULN >
- Oracle Linux CVE repository >
- CVE-2024-40998
CVE Details
| Release Date: | 2024-07-12 |
Description
In the Linux kernel, the following vulnerability has been resolved:\next4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()\nIn the following concurrency we will access the uninitialized rs->lock:\next4_fill_super\next4_register_sysfs\n// sysfs registered msg_ratelimit_interval_ms\n// Other processes modify rs->interval to\n// non-zero via msg_ratelimit_interval_ms\next4_orphan_cleanup\next4_msg(sb, KERN_INFO, 'Errors on filesystem, '\n__ext4_msg\n___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)\nif (!rs->interval) // do nothing if interval is 0\nreturn 1;\nraw_spin_trylock_irqsave(&rs->lock, flags)\nraw_spin_trylock(lock)\n_raw_spin_trylock\n__raw_spin_trylock\nspin_acquire(&lock->dep_map, 0, 1, _RET_IP_)\nlock_acquire\n__lock_acquire\nregister_lock_class\nassign_lock_key\ndump_stack();\nratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);\nraw_spin_lock_init(&rs->lock);\n// init rs->lock here\nand get the following dump_stack:\n=========================================================\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn't initialize this object before use?\nturning off the locking correctness validator.\nCPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504\n[...]\nCall Trace:\ndump_stack_lvl+0xc5/0x170\ndump_stack+0x18/0x30\nregister_lock_class+0x740/0x7c0\n__lock_acquire+0x69/0x13a0\nlock_acquire+0x120/0x450\n_raw_spin_trylock+0x98/0xd0\n___ratelimit+0xf6/0x220\n__ext4_msg+0x7f/0x160 [ext4]\next4_orphan_cleanup+0x665/0x740 [ext4]\n__ext4_fill_super+0x21ea/0x2b10 [ext4]\next4_fill_super+0x14d/0x360 [ext4]\n[...]\n=========================================================\nNormally interval is 0 until s_msg_ratelimit_state is initialized, so\n___ratelimit() does nothing. But registering sysfs precedes initializing\nrs->lock, so it is possible to change rs->interval to a non-zero value\nvia the msg_ratelimit_interval_ms interface of sysfs while rs->lock is\nuninitialized, and then a call to ext4_msg triggers the problem by\naccessing an uninitialized rs->lock. Therefore register sysfs after all\ninitializations are complete to avoid such problems.
See more information about CVE-2024-40998 from MITRE CVE dictionary and NIST NVD
CVSS Scoring
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
| Base Score: | 5.5 | CVSS Vector: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector: | Local network | Attack Complexity: | Low |
| Privileges Required: | Low | User Interaction: | None |
| Scope: | Unchanged | Confidentiality Impact: | None |
| Integrity Impact: | None | Availability Impact: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 8 (kernel) | ELSA-2024-7000 | 2024-09-24 |
| Oracle Linux version 9 (kernel) | ELSA-2024-8617 | 2024-10-30 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
