Skip to content

In the Linux kernel, the following vulnerability has been...

High severity Unreviewed Published Dec 27, 2024 to the GitHub Advisory Database • Updated Feb 11, 2025

Package

No package listedSuggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: release svc_expkey/svc_export with rcu_work

The last reference for cache_head can be reduced to zero in c_show
and e_show(using rcu_read_lock and rcu_read_unlock). Consequently,
svc_export_put and expkey_put will be invoked, leading to two
issues:

  1. The svc_export_put will directly free ex_uuid. However,
    e_show/c_show will access ex_uuid after cache_put, which can
    trigger a use-after-free issue, shown below.

    ==================================================================
    BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]
    Read of size 1 at addr ff11000010fdc120 by task cat/870

    CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
    1.16.1-2.fc37 04/01/2014
    Call Trace:

    dump_stack_lvl+0x53/0x70
    print_address_description.constprop.0+0x2c/0x3a0
    print_report+0xb9/0x280
    kasan_report+0xae/0xe0
    svc_export_show+0x362/0x430 [nfsd]
    c_show+0x161/0x390 [sunrpc]
    seq_read_iter+0x589/0x770
    seq_read+0x1e5/0x270
    proc_reg_read+0xe1/0x140
    vfs_read+0x125/0x530
    ksys_read+0xc1/0x160
    do_syscall_64+0x5f/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

    Allocated by task 830:
    kasan_save_stack+0x20/0x40
    kasan_save_track+0x14/0x30
    __kasan_kmalloc+0x8f/0xa0
    __kmalloc_node_track_caller_noprof+0x1bc/0x400
    kmemdup_noprof+0x22/0x50
    svc_export_parse+0x8a9/0xb80 [nfsd]
    cache_do_downcall+0x71/0xa0 [sunrpc]
    cache_write_procfs+0x8e/0xd0 [sunrpc]
    proc_reg_write+0xe1/0x140
    vfs_write+0x1a5/0x6d0
    ksys_write+0xc1/0x160
    do_syscall_64+0x5f/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

    Freed by task 868:
    kasan_save_stack+0x20/0x40
    kasan_save_track+0x14/0x30
    kasan_save_free_info+0x3b/0x60
    __kasan_slab_free+0x37/0x50
    kfree+0xf3/0x3e0
    svc_export_put+0x87/0xb0 [nfsd]
    cache_purge+0x17f/0x1f0 [sunrpc]
    nfsd_destroy_serv+0x226/0x2d0 [nfsd]
    nfsd_svc+0x125/0x1e0 [nfsd]
    write_threads+0x16a/0x2a0 [nfsd]
    nfsctl_transaction_write+0x74/0xa0 [nfsd]
    vfs_write+0x1a5/0x6d0
    ksys_write+0xc1/0x160
    do_syscall_64+0x5f/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

  2. We cannot sleep while using rcu_read_lock/rcu_read_unlock.
    However, svc_export_put/expkey_put will call path_put, which
    subsequently triggers a sleeping operation due to the following
    dput.

    =============================
    WARNING: suspicious RCU usage
    5.10.0-dirty #141 Not tainted

    ...
    Call Trace:
    dump_stack+0x9a/0xd0
    ___might_sleep+0x231/0x240
    dput+0x39/0x600
    path_put+0x1b/0x30
    svc_export_put+0x17/0x80
    e_show+0x1c9/0x200
    seq_read_iter+0x63f/0x7c0
    seq_read+0x226/0x2d0
    vfs_read+0x113/0x2c0
    ksys_read+0xc9/0x170
    do_syscall_64+0x33/0x40
    entry_SYSCALL_64_after_hwframe+0x67/0xd1

Fix these issues by using rcu_work to help release
svc_expkey/svc_export. This approach allows for an asynchronous
context to invoke path_put and also facilitates the freeing of
uuid/exp/key after an RCU grace period.

References

Published by the National Vulnerability Database Dec 27, 2024
Published to the GitHub Advisory Database Dec 27, 2024
Last updated Feb 11, 2025

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(18th percentile)

Weaknesses

CVE ID

CVE-2024-53216

GHSA ID

GHSA-j5g7-ch8c-pw9m

Source code

No known source code

Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.

Learn more about GitHub language support

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.