CVE-2024-35794

dm-raid: really frozen sync_thread during suspend

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

dm-raid: really frozen sync_thread during suspend

1) commit f52f5c71f3d4 ("md: fix stopping sync thread") remove
MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that
dm-raid relies on __md_stop_writes() to frozen sync_thread
indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in
md_stop_writes(), and since stop_sync_thread() is only used for
dm-raid in this case, also move stop_sync_thread() to
md_stop_writes().
2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen,
it only prevent new sync_thread to start, and it can't stop the
running sync thread; In order to frozen sync_thread, after seting the
flag, stop_sync_thread() should be used.
3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use
it as condition for md_stop_writes() in raid_postsuspend() doesn't
look correct. Consider that reentrant stop_sync_thread() do nothing,
always call md_stop_writes() in raid_postsuspend().
4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime,
and if MD_RECOVERY_FROZEN is cleared while the array is suspended,
new sync_thread can start unexpected. Fix this by disallow
raid_message() to change sync_thread status during suspend.

Note that after commit f52f5c71f3d4 ("md: fix stopping sync thread"), the
test shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(),
and with previous fixes, the test won't hang there anymore, however, the
test will still fail and complain that ext4 is corrupted. And with this
patch, the test won't hang due to stop_sync_thread() or fail due to ext4
is corrupted anymore. However, there is still a deadlock related to
dm-raid456 that will be fixed in following patches.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dm-raid: sync_thread realmente congelado durante la suspensión 1) commit f52f5c71f3d4 ("md: fix deteniendo el hilo de sincronización") elimina MD_RECOVERY_FROZEN de __md_stop_writes() y no se da cuenta de que dm-raid se basa en __md_stop_writes() para congelar sync_thread indirectamente. Solucione este problema agregando MD_RECOVERY_FROZEN en md_stop_writes(), y dado que stop_sync_thread() solo se usa para dm-raid en este caso, mueva también stop_sync_thread() a md_stop_writes(). 2) La bandera MD_RECOVERY_FROZEN no significa que el subproceso de sincronización esté congelado, solo impide que se inicie un nuevo subproceso de sincronización y no puede detener el subproceso de sincronización en ejecución; Para congelar sync_thread, después de configurar la bandera, se debe usar stop_sync_thread(). 3) La bandera MD_RECOVERY_FROZEN no significa que se detengan las escrituras; usarla como condición para md_stop_writes() en raid_postsuspend() no parece correcta. Considere que el reentrante stop_sync_thread() no hace nada, siempre llame a md_stop_writes() en raid_postsuspend(). 4) raid_message puede establecer/borrar el indicador MD_RECOVERY_FROZEN en cualquier momento, y si MD_RECOVERY_FROZEN se borra mientras la matriz está suspendida, un nuevo sync_thread puede iniciarse inesperadamente. Solucione este problema al no permitir que raid_message() cambie el estado de sync_thread durante la suspensión. Tenga en cuenta que después de confirmar f52f5c71f3d4 ("md: arreglar la detención del hilo de sincronización"), la prueba shell/lvconvert-raid-reshape.sh comienza a bloquearse en stop_sync_thread(), y con las correcciones anteriores, la prueba ya no se bloqueará allí, sin embargo , la prueba seguirá fallondo y se quejará de que ext4 está dañado. Y con este parche, la prueba no se bloqueará debido a stop_sync_thread() ni fallará debido a que ext4 ya está dañado. Sin embargo, todavía hay un punto muerto relacionado con dm-raid456 que se solucionará en los siguientes parches.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-17 CVE Published
2024-05-18 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/9dbd1aa3a81c6166608fec87994b6c464701f73a	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/af916cb66a80597f3523bc85812e790bcdcfd62b	2024-04-03
https://git.kernel.org/stable/c/eaa8fc9b092837cf2c754bde1a15d784ce9a85ab	2024-04-03
https://git.kernel.org/stable/c/16c4770c75b1223998adbeb7286f9a15c65fba73	2024-03-05

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.8 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.8 < 6.7.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.8 < 6.8.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.8 < 6.8.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.8 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.8 < 6.9"		en		Affected