Release Date: 2024-10-21
In the Linux kernel, the following vulnerability has been resolved:

vfs: fix race between evict_inodes() and find_inode()&iput()

Hi, all

Recently I noticed a bug[1] in btrfs; after digging into it,
I believe it's a race in vfs.

Let's assume there's an inode (i.e. ino 261) with i_count 1 on which
iput() is called, and there's a concurrent thread calling
generic_shutdown_super().

cpu0:                                     cpu1:
iput() // i_count is 1
  ->spin_lock(inode)
  ->dec i_count to 0
  ->iput_final()                          generic_shutdown_super()
    ->__inode_add_lru()                     ->evict_inodes()
      // because of some reason[2]            ->if (atomic_read(inode->i_count)) continue;
      // return before                        // inode 261 passed the above check
      // list_lru_add_obj()                   // and then schedule out
  ->spin_unlock()
// note here: the inode 261
// was still at sb list and hash list,
// and I_FREEING|I_WILL_FREE had not been set

btrfs_iget()
  // after some function calls
  ->find_inode()
    // found the above inode 261
    ->spin_lock(inode)
    // check I_FREEING|I_WILL_FREE
    // and passed
    ->__iget()
    ->spin_unlock(inode)                    // schedule back
                                            ->spin_lock(inode)
                                            // check (I_NEW|I_FREEING|I_WILL_FREE) flags,
                                            // passed and set I_FREEING
iput()                                      ->spin_unlock(inode)
  ->spin_lock(inode)                          ->evict()
    // dec i_count to 0
    ->iput_final()
    ->spin_unlock()
    ->evict()

Now, we have two threads simultaneously evicting
the same inode, which may trigger the BUG(inode->i_state & I_CLEAR)
statement both within clear_inode() and iput().

To fix the bug, recheck the inode->i_count after holding i_lock.
Because in most scenarios the first check is valid, and
the overhead of spin_lock() can be reduced.

If there is any misunderstanding, please let me know, thanks.

[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/
[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()
returned false when I reproduced the bug.
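As an added illustration, not part of this page or of the kernel commit, the following constructed user-space C model replays the interleaving above with cpu1's preemption window driven explicitly, and contrasts the unfixed evict_inodes() path with the fix's recheck of i_count under i_lock. The `preempt` callback, `run_race()` and the `evicted` counter are assumptions of the model, not kernel names; locking is implied by the fixed ordering.

```c
/* Constructed user-space model of the race above (not kernel code); i_lock is
 * implied and cpu1's preemption window is driven explicitly via `preempt`. */
#include <stdatomic.h>
#include <stdbool.h>

#define I_FREEING 0x1

/* evicted counts evict() calls; reaching 2 is the double-evict BUG. */
struct inode { atomic_int i_count; unsigned i_state; int evicted; };

static void evict(struct inode *in) { in->evicted++; }

/* iput() after SB_ACTIVE is cleared: the last reference goes through
 * iput_final(), which sets I_FREEING and evicts without checking whether
 * evict_inodes() already claimed the inode. */
static void iput(struct inode *in)
{
    if (atomic_fetch_sub(&in->i_count, 1) != 1)
        return;
    in->i_state |= I_FREEING;
    evict(in);
}
/* find_inode()+__iget(): take a reference unless the inode is being freed. */
static bool iget(struct inode *in)
{
    if (in->i_state & I_FREEING)
        return false;
    atomic_fetch_add(&in->i_count, 1);
    return true;
}
/* One evict_inodes() iteration; `preempt` runs while cpu1 is scheduled out
 * between the unlocked i_count check and taking i_lock. */
static void evict_inodes(struct inode *in, bool recheck, bool (*preempt)(struct inode *))
{
    if (atomic_load(&in->i_count))             /* unlocked check */
        return;
    preempt(in);
    if (recheck && atomic_load(&in->i_count)) /* the fix: recheck under i_lock */
        return;
    if (in->i_state & I_FREEING)
        return;
    in->i_state |= I_FREEING;
    evict(in);
}
/* The interleaving from the commit message on an inode cached with i_count 0:
 * cpu0's __iget() lands in cpu1's window, then cpu0's iput() follows. */
int run_race(bool recheck)
{
    struct inode in = { .i_count = 0 };
    evict_inodes(&in, recheck, iget);
    iput(&in);
    return in.evicted;
}
```

Without the recheck the inode is evicted twice (the condition that trips the BUG in the real kernel); with it, evict_inodes() backs off and the later iput() performs the single eviction.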
See more information about CVE-2024-47679 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
| Metric | Value |
|---|---|
| Base Score | 4.7 |
| Vector String | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Version | 3.1 |
| Attack Vector | Local |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |
| Platform | Errata | Release Date |
|---|---|---|
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12884 | 2024-12-16 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12884 | 2024-12-16 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
| Oracle Linux version 9 (kernel-uek) | ELSA-2024-12887 | 2024-12-18 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: