{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2024-56693", "ASSIGNER": "cve@kernel.org", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbrd: defer automatic disk creation until module initialization succeeds\n\nMy colleague Wupeng found the following problems during fault injection:\n\nBUG: unable to handle page fault for address: fffffbfff809d073\nPGD 6e648067 P4D 123ec8067 PUD 123ec4067 PMD 100e38067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 5 UID: 0 PID: 755 Comm: modprobe Not tainted 6.12.0-rc3+ #17\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:__asan_load8+0x4c/0xa0\n...\nCall Trace:\n \n blkdev_put_whole+0x41/0x70\n bdev_release+0x1a3/0x250\n blkdev_release+0x11/0x20\n __fput+0x1d7/0x4a0\n task_work_run+0xfc/0x180\n syscall_exit_to_user_mode+0x1de/0x1f0\n do_syscall_64+0x6b/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nloop_init() is calling loop_add() after __register_blkdev() succeeds and\nis ignoring disk_add() failure from loop_add(), for loop_add() failure\nis not fatal and successfully created disks are already visible to\nbdev_open().\n\nbrd_init() is currently calling brd_alloc() before __register_blkdev()\nsucceeds and is releasing successfully created disks when brd_init()\nreturns an error. This can cause UAF for the latter two case:\n\ncase 1:\n T1:\nmodprobe brd\n brd_init\n brd_alloc(0) // success\n add_disk\n disk_scan_partitions\n bdev_file_open_by_dev // alloc file\n fput // won't free until back to userspace\n brd_alloc(1) // failed since mem alloc error inject\n // error path for modprobe will release code segment\n // back to userspace\n __fput\n blkdev_release\n bdev_release\n blkdev_put_whole\n bdev->bd_disk->fops->release // fops is freed now, UAF!\n\ncase 2:\n T1: T2:\nmodprobe brd\n brd_init\n brd_alloc(0) // success\n open(/dev/ram0)\n brd_alloc(1) // fail\n // error path for modprobe\n\n close(/dev/ram0)\n ...\n /* UAF! */\n bdev->bd_disk->fops->release\n\nFix this problem by following what loop_init() does. Besides,\nreintroduce brd_devices_mutex to help serialize modifications to\nbrd_list." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Linux", "product": { "product_data": [ { "product_name": "Linux", "version": { "version_data": [ { "version_affected": "<", "version_name": "7f9b348cb5e94259acdcbafbcaed55d3bb515304", "version_value": "41219c147df8bbd6591f59af5d695fb6c9a1cbff" }, { "version_value": "not down converted", "x_cve_json_5_version_data": { "versions": [ { "version": "5.14", "status": "affected" }, { "version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver" }, { "version": "5.15.174", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.1.120", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.6.64", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.11.11", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.12.2", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.13-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ], "defaultStatus": "affected" } } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://git.kernel.org/stable/c/41219c147df8bbd6591f59af5d695fb6c9a1cbff", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/41219c147df8bbd6591f59af5d695fb6c9a1cbff" }, { "url": "https://git.kernel.org/stable/c/259bf925583ec9e3781df778cadf00594095090d", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/259bf925583ec9e3781df778cadf00594095090d" }, { "url": "https://git.kernel.org/stable/c/410896624db639500f24f46478b4bfa05c76bf56", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/410896624db639500f24f46478b4bfa05c76bf56" }, { "url": "https://git.kernel.org/stable/c/c0c2744cd2939ec5999c51dbaf2af16886548b7b", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/c0c2744cd2939ec5999c51dbaf2af16886548b7b" }, { "url": "https://git.kernel.org/stable/c/63dfd728b30f79495dacc886127695a379805152", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/63dfd728b30f79495dacc886127695a379805152" }, { "url": "https://git.kernel.org/stable/c/826cc42adf44930a633d11a5993676d85ddb0842", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/826cc42adf44930a633d11a5993676d85ddb0842" } ] }, "generator": { "engine": "bippy-5f407fcff5a0" } }