CVE-2024-53130
nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint
When using the "block:block_dirty_buffer" tracepoint, mark_buffer_dirty()
may cause a NULL pointer dereference, or a general protection fault when
KASAN is enabled.
This happens because, since the tracepoint was added in
mark_buffer_dirty(), it references the dev_t member bh->b_bdev->bd_dev
regardless of whether the buffer head has a pointer to a block_device
structure.
In the current implementation, nilfs_grab_buffer(), which grabs a buffer
to read (or create) a block of metadata, including b-tree node blocks,
does not set the block device, but instead does so only if the buffer is
not in the "uptodate" state for each of its caller block reading
functions. However, if the uptodate flag is set on a folio/page, and the
buffer heads are detached from it by try_to_free_buffers(), and new buffer
heads are then attached by create_empty_buffers(), the uptodate flag may
be restored to each buffer without the block device being set to
bh->b_bdev, and mark_buffer_dirty() may be called later in that state,
resulting in the bug mentioned above.
Fix this issue by making nilfs_grab_buffer() always set the block device
of the super block structure to the buffer head, regardless of the state
of the buffer's uptodate flag.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: corrección de null-ptr-deref en el punto de seguimiento block_dirty_buffer Al utilizar el punto de seguimiento "block:block_dirty_buffer", mark_buffer_dirty() puede provocar una desreferencia de puntero NULL o un fallo de protección general cuando KASAN está habilitado. Esto sucede porque, dado que el punto de seguimiento se agregó en mark_buffer_dirty(), hace referencia al miembro dev_t bh->b_bdev->bd_dev independientemente de si el cabezal del búfer tiene un puntero a una estructura block_device. En la implementación actual, nilfs_grab_buffer(), que toma un búfer para leer (o crear) un bloque de metadatos, incluidos los bloques de nodos de árbol b, no establece el dispositivo de bloque, sino que lo hace solo si el búfer no está en el estado "uptodate" para cada una de sus funciones de lectura de bloque de llamada. Sin embargo, si el indicador uptodate está configurado en un folio/página, y los cabezales de búfer se separan de él mediante try_to_free_buffers(), y luego se adjuntan nuevos cabezales de búfer mediante create_empty_buffers(), el indicador uptodate puede restaurarse en cada búfer sin que el dispositivo de bloque se configure en bh->b_bdev, y mark_buffer_dirty() puede llamarse más tarde en ese estado, lo que da como resultado el error mencionado anteriormente. Solucione este problema haciendo que nilfs_grab_buffer() siempre configure el dispositivo de bloque de la estructura de superbloque en el cabezal de búfer, independientemente del estado del indicador uptodate del búfer.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2024-11-19 CVE Reserved
- 2024-12-04 CVE Published
- 2024-12-17 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/5305cb830834549b9203ad4d009ad5483c5e293f | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 4.19.325 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 4.19.325" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 5.4.287 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.4.287" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 5.10.231 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.10.231" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 5.15.174 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.15.174" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 6.1.119 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.1.119" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 6.6.63 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.6.63" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 6.11.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.11.10" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.9 < 6.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.12" | en |
Affected
| ||||||