CVE-2024-26689

ceph: prevent use-after-free in encode_cap_msg()

Severity Score

6.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: ceph: prevent use-after-free in encode_cap_msg() In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was
caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This
implies before the refcount could be increment here, it was freed. In same file, in "handle_cap_grant()" refcount is decremented by this
line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race
occurred and resource was freed by the latter line before the former
line could increment it. encode_cap_msg() is called by __send_cap() and __send_cap() is called by
ceph_check_caps() after calling __prep_cap(). __prep_cap() is where
arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where
the refcount must be increased to prevent "use after free" error.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ceph: evita el use-after-free en encode_cap_msg() En fs/ceph/caps.c, en encode_cap_msg(), KASAN detectó el error "use after free" en este línea - 'ceph_buffer_get(arg->xattr_buf);'. Esto implica que antes de que el recuento pudiera incrementarse aquí, fue liberado. En el mismo archivo, en "handle_cap_grant()", el refcount se reduce en esta línea: 'ceph_buffer_put(ci->i_xattrs.blob);'. Parece que se produjo una ejecución y la última línea liberó el recurso antes de que la primera línea pudiera incrementarlo. __send_cap() llama a encode_cap_msg() y ceph_check_caps() llama a __send_cap() después de llamar a __prep_cap(). __prep_cap() es donde arg->xattr_buf se asigna a ci->i_xattrs.blob. Este es el punto donde se debe aumentar el recuento para evitar el error "use after free".

In the Linux kernel, the following vulnerability has been resolved: ceph: prevent use-after-free in encode_cap_msg() In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This implies before the refcount could be increment here, it was freed. In same file, in "handle_cap_grant()" refcount is decremented by this line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race occurred and resource was freed by the latter line before the former line could increment it. encode_cap_msg() is called by __send_cap() and __send_cap() is called by ceph_check_caps() after calling __prep_cap(). __prep_cap() is where arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where the refcount must be increased to prevent "use after free" error.

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service. It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code.

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

Complete

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-03 CVE Published
2025-02-26 CVE Updated
2025-03-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/9030aaf9bf0a1eee47a154c316c789e959638b0f	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/8180d0c27b93a6eb60da1b08ea079e3926328214	2024-02-23
https://git.kernel.org/stable/c/70e329b440762390258a6fe8c0de93c9fdd56c77	2024-02-23
https://git.kernel.org/stable/c/f3f98d7d84b31828004545e29fd7262b9f444139	2024-02-23
https://git.kernel.org/stable/c/ae20db45e482303a20e56f2db667a9d9c54ac7e7	2024-02-23
https://git.kernel.org/stable/c/7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc	2024-02-23
https://git.kernel.org/stable/c/cda4672da1c26835dcbd7aec2bfed954eda9b5ef	2024-02-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 5.10.210 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 5.10.210"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 5.15.149 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 5.15.149"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 6.1.79 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 6.1.79"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 6.6.18 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 6.6.18"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 6.7.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 6.7.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 6.8"		en		Affected