CVE-2024-38598

md: fix resync softlockup when bitmap size is less than array size

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: md: fix resync softlockup when bitmap size is less than array size Is is reported that for dm-raid10, lvextend + lvchange --syncaction will
trigger following softlockup: kernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976]
CPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1
RIP: 0010:_raw_spin_unlock_irq+0x13/0x30
Call Trace: <TASK> md_bitmap_start_sync+0x6b/0xf0 raid10_sync_request+0x25c/0x1b40 [raid10] md_do_sync+0x64b/0x1020 md_thread+0xa7/0x170 kthread+0xcf/0x100 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1a/0x30 And the detailed process is as follows: md_do_sync j = mddev->resync_min while (j < max_sectors) sectors = raid10_sync_request(mddev, j, &skipped) if (!md_bitmap_start_sync(..., &sync_blocks)) // md_bitmap_start_sync set sync_blocks to 0 return sync_blocks + sectors_skippe; // sectors = 0; j += sectors; // j never change Root cause is that commit 301867b1c168 ("md/raid10: check
slab-out-of-bounds in md_bitmap_get_counter") return early from
md_bitmap_get_counter(), without setting returned blocks. Fix this problem by always set returned blocks from
md_bitmap_get_counter"(), as it used to be. Noted that this patch just fix the softlockup problem in kernel, the
case that bitmap size doesn't match array size still need to be fixed.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: md: corrige el bloqueo suave de resincronización cuando el tamaño del mapa de bits es menor que el tamaño de la matriz. Se informa que para dm-raid10, lvextend + lvchange --syncaction activará el siguiente bloqueo suave: kernel:watchdog: ERROR : bloqueo suave - ¡CPU n.° 3 bloqueada durante 26 segundos! [mdX_resync:6976] CPU: 7 PID: 3588 Comm: mdX_resync Kdump: cargado No contaminado 6.9.0-rc4-next-20240419 #1 RIP: 0010:_raw_spin_unlock_irq+0x13/0x30 Seguimiento de llamadas: md_bitmap_start_sync+0x6b/0xf0 raid10_sync_request+0x25c/0x1b40 [raid10] md_do_sync+0x64b/0x1020 md_thread+0xa7/0x170 kthread+0xcf/0x100 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1a/0x30 Y el proceso detallado es el siguiente: _sync j = mddev->resync_min mientras ( j < max_sectors) sectores = raid10_sync_request(mddev, j, &skipped) if (!md_bitmap_start_sync(..., &sync_blocks)) // md_bitmap_start_sync establece sync_blocks en 0 return sync_blocks + sectores_skippe; // sectores = 0; j += sectores; // j nunca cambia La causa principal es que el commit 301867b1c168 ("md/raid10: check slab-out-of-bounds in md_bitmap_get_counter") regresa antes de md_bitmap_get_counter(), sin configurar los bloques devueltos. Solucione este problema estableciendo siempre los bloques devueltos desde md_bitmap_get_counter"(), como solía ser. Tenga en cuenta que este parche solo soluciona el problema de bloqueo suave en el kernel, el caso de que el tamaño del mapa de bits no coincida con el tamaño de la matriz aún debe solucionarse.

In the Linux kernel, the following vulnerability has been resolved: md: fix resync softlockup when bitmap size is less than array size Is is reported that for dm-raid10, lvextend + lvchange --syncaction will trigger following softlockup: kernel:watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [mdX_resync:6976] CPU: 7 PID: 3588 Comm: mdX_resync Kdump: loaded Not tainted 6.9.0-rc4-next-20240419 #1 RIP: 0010:_raw_spin_unlock_irq+0x13/0x30 Call Trace: <TASK> md_bitmap_start_sync+0x6b/0xf0 raid10_sync_request+0x25c/0x1b40 [raid10] md_do_sync+0x64b/0x1020 md_thread+0xa7/0x170 kthread+0xcf/0x100 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1a/0x30 And the detailed process is as follows: md_do_sync j = mddev->resync_min while (j < max_sectors) sectors = raid10_sync_request(mddev, j, &skipped) if (!md_bitmap_start_sync(..., &sync_blocks)) // md_bitmap_start_sync set sync_blocks to 0 return sync_blocks + sectors_skippe; // sectors = 0; j += sectors; // j never change Root cause is that commit 301867b1c168 ("md/raid10: check slab-out-of-bounds in md_bitmap_get_counter") return early from md_bitmap_get_counter(), without setting returned blocks. Fix this problem by always set returned blocks from md_bitmap_get_counter"(), as it used to be. Noted that this patch just fix the softlockup problem in kernel, the case that bitmap size doesn't match array size still need to be fixed.

Chenyuan Yang discovered that the CEC driver driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-18 CVE Reserved
2024-06-19 CVE Published
2024-12-19 CVE Updated
2025-03-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-667: Improper Locking

CAPEC

References (19)

URL	Tag	Source
https://git.kernel.org/stable/c/374fb914304d9b500721007f3837ea8f1f9a2418	Vuln. Introduced
https://git.kernel.org/stable/c/b0b971fe7d61411ede63c3291764dbde1577ef2c	Vuln. Introduced
https://git.kernel.org/stable/c/39fa14e824acfd470db4f42c354297456bd82b53	Vuln. Introduced
https://git.kernel.org/stable/c/a134dd582c0d5b6068efa308bd485cf1d00b3f65	Vuln. Introduced
https://git.kernel.org/stable/c/be1a3ec63a840cc9e59a033acf154f56255699a1	Vuln. Introduced
https://git.kernel.org/stable/c/301867b1c16805aebbc306aafa6ecdc68b73c7e5	Vuln. Introduced
https://git.kernel.org/stable/c/152bb26796ff054af50b2ee1b3ca56e364e4f61b	Vuln. Introduced
https://git.kernel.org/stable/c/bea301c046110bf421a3ce153fb868cb8d618e90	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/d4b9c764d48fa41caa24cfb4275f3aa9fb4bd798	2024-06-16
https://git.kernel.org/stable/c/43771597feba89a839c5f893716df88ae5c237ce	2024-06-16
https://git.kernel.org/stable/c/3f5b73ef8fd6268cbc968b308d8eafe56fda97f3	2024-06-16
https://git.kernel.org/stable/c/69296914bfd508c85935bf5f711cad9b0fe78492	2024-06-16
https://git.kernel.org/stable/c/71e8e4f288e74a896b6d9cd194f3bab12bd7a10f	2024-06-12
https://git.kernel.org/stable/c/c9566b812c8f66160466cc1e29df6d3646add0b1	2024-06-12
https://git.kernel.org/stable/c/5817f43ae1a118855676f57ef7ab50e37eac7482	2024-05-30
https://git.kernel.org/stable/c/8bbc71315e0ae4bb7e37f8d43b915e1cb01a481b	2024-05-30
https://git.kernel.org/stable/c/f0e729af2eb6bee9eb58c4df1087f14ebaefe26b	2024-05-02

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-38598	2025-01-08
https://bugzilla.redhat.com/show_bug.cgi?id=2293367	2025-01-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19.291 < 4.19.316 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.291 < 4.19.316"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.251 < 5.4.278 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.251 < 5.4.278"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.188 < 5.10.219 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.188 < 5.10.219"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.121 < 5.15.161 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.121 < 5.15.161"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.39 < 6.1.93 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.39 < 6.1.93"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.6.33 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.6.33"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.8.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.8.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.9.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.9.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.3.13 Search vendor "Linux" for product "Linux Kernel" and version "6.3.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.4.4 Search vendor "Linux" for product "Linux Kernel" and version "6.4.4"		en		Affected