CVE-2024-26958

nfs: fix UAF in direct writes

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

nfs: fix UAF in direct writes

In production we have been hitting the following warning consistently

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0
Workqueue: nfsiod nfs_direct_write_schedule_work [nfs]
RIP: 0010:refcount_warn_saturate+0x9c/0xe0
PKRU: 55555554
Call Trace:
<TASK>
? __warn+0x9f/0x130
? refcount_warn_saturate+0x9c/0xe0
? report_bug+0xcc/0x150
? handle_bug+0x3d/0x70
? exc_invalid_op+0x16/0x40
? asm_exc_invalid_op+0x16/0x20
? refcount_warn_saturate+0x9c/0xe0
nfs_direct_write_schedule_work+0x237/0x250 [nfs]
process_one_work+0x12f/0x4a0
worker_thread+0x14e/0x3b0
? ZSTD_getCParams_internal+0x220/0x220
kthread+0xdc/0x120
? __btf_name_valid+0xa0/0xa0
ret_from_fork+0x1f/0x30

This is because we're completing the nfs_direct_request twice in a row.

The source of this is when we have our commit requests to submit, we
process them and send them off, and then in the completion path for the
commit requests we have

if (nfs_commit_end(cinfo.mds))
nfs_direct_write_complete(dreq);

However since we're submitting asynchronous requests we sometimes have
one that completes before we submit the next one, so we end up calling
complete on the nfs_direct_request twice.

The only other place we use nfs_generic_commit_list() is in
__nfs_commit_inode, which wraps this call in a

nfs_commit_begin();
nfs_commit_end();

Which is a common pattern for this style of completion handling, one
that is also repeated in the direct code with get_dreq()/put_dreq()
calls around where we process events as well as in the completion paths.

Fix this by using the same pattern for the commit requests.

Before with my 200 node rocksdb stress running this warning would pop
every 10ish minutes. With my patch the stress test has been running for
several hours without popping.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfs: corrige UAF en escrituras directas En producción hemos estado recibiendo la siguiente advertencia constantemente ------------[ cortar aquí ]----- ------- refcount_t: desbordamiento insuficiente; use-after-free. ADVERTENCIA: CPU: 17 PID: 1800359 en lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0 Cola de trabajo: nfsiod nfs_direct_write_schedule_work [nfs] RIP: 0010:refcount_warn_saturate+0x9c/0xe0 PKRU: 55555554 Llamada Seguimiento: ? __advertir+0x9f/0x130 ? refcount_warn_saturate+0x9c/0xe0? report_bug+0xcc/0x150? handle_bug+0x3d/0x70? exc_invalid_op+0x16/0x40? asm_exc_invalid_op+0x16/0x20? refcount_warn_saturate+0x9c/0xe0 nfs_direct_write_schedule_work+0x237/0x250 [nfs] Process_one_work+0x12f/0x4a0 trabajador_thread+0x14e/0x3b0? ZSTD_getCParams_internal+0x220/0x220 kthread+0xdc/0x120? __btf_name_valid+0xa0/0xa0 ret_from_fork+0x1f/0x30 Esto se debe a que estamos completando nfs_direct_request dos veces seguidas. La fuente de esto es cuando tenemos que enviar nuestras solicitudes de confirmación, las procesamos y las enviamos, y luego en la ruta de finalización para las solicitudes de confirmación tenemos if (nfs_commit_end(cinfo.mds)) nfs_direct_write_complete(dreq); Sin embargo, dado que enviamos solicitudes asincrónicas, a veces tenemos una que se completa antes de enviar la siguiente, por lo que terminamos llamando a complete en nfs_direct_request dos veces. El único otro lugar donde usamos nfs_generic_commit_list() es en __nfs_commit_inode, que envuelve esta llamada en nfs_commit_begin(); nfs_commit_end(); Este es un patrón común para este estilo de manejo de finalización, uno que también se repite en el código directo con llamadas get_dreq()/put_dreq() en el lugar donde procesamos eventos, así como en las rutas de finalización. Solucione este problema utilizando el mismo patrón para las solicitudes de confirmación. Antes, con mi estrés de rocksdb de 200 nodos ejecutándose, esta advertencia aparecía cada 10 minutos. Con mi parche, la prueba de esfuerzo ha estado funcionando durante varias horas sin aparecer.

A use-after-free flaw was found in fs/nfs/direct.c in the Linux kernel. This may lead to a crash.

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-05-01 CVE Published
2024-05-01 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (10)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5	2024-04-13
https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f	2024-04-10
https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3	2024-04-03
https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605	2024-04-03
https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab	2024-04-03
https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95	2024-04-03
https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af	2024-03-09

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26958	2024-08-08
https://bugzilla.redhat.com/show_bug.cgi?id=2278182	2024-08-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " < 6.7.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.8.3 Search vendor "Linux" for product "Linux Kernel" and version " < 6.8.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.9 Search vendor "Linux" for product "Linux Kernel" and version " < 6.9"		en		Affected