CVE-2024-53131

nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint

Patch series "nilfs2: fix null-ptr-deref bugs on block tracepoints".

This series fixes null pointer dereference bugs that occur when using
nilfs2 and two block-related tracepoints.

This patch (of 2):

It has been reported that when using "block:block_touch_buffer"
tracepoint, touch_buffer() called from __nilfs_get_folio_block() causes a
NULL pointer dereference, or a general protection fault when KASAN is
enabled.

This happens because since the tracepoint was added in touch_buffer(), it
references the dev_t member bh->b_bdev->bd_dev regardless of whether the
buffer head has a pointer to a block_device structure. In the current
implementation, the block_device structure is set after the function
returns to the caller.

Here, touch_buffer() is used to mark the folio/page that owns the buffer
head as accessed, but the common search helper for folio/page used by the
caller function was optimized to mark the folio/page as accessed when it
was reimplemented a long time ago, eliminating the need to call
touch_buffer() here in the first place.

So this solves the issue by eliminating the touch_buffer() call itself.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint Serie de parches "nilfs2: fix null-ptr-deref bugs on block tracepoints". Esta serie corrige errores de desreferencia de puntero nulo que ocurren al usar nilfs2 y dos puntos de seguimiento relacionados con bloques. Este parche (de 2): Se ha informado que al usar el punto de seguimiento "block:block_touch_buffer", touch_buffer() llamado desde __nilfs_get_folio_block() causa una desreferencia de puntero NULL o un error de protección general cuando KASAN está habilitado. Esto sucede porque, dado que el punto de seguimiento se agregó en touch_buffer(), hace referencia al miembro dev_t bh->b_bdev->bd_dev independientemente de si el cabezal del búfer tiene un puntero a una estructura block_device. En la implementación actual, la estructura block_device se establece después de que la función regresa al llamador. Aquí, touch_buffer() se utiliza para marcar el folio/página que posee el encabezado del búfer como accedido, pero el asistente de búsqueda común para folio/página utilizado por la función de llamada se optimizó para marcar el folio/página como accedido cuando se reimplementó hace mucho tiempo, eliminando la necesidad de llamar a touch_buffer() aquí en primer lugar. Por lo tanto, esto resuelve el problema al eliminar la llamada a touch_buffer() en sí.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-11-19 CVE Reserved
2024-12-04 CVE Published
2024-12-17 EPSS Updated
2024-12-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/5305cb830834549b9203ad4d009ad5483c5e293f	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/085556bf8c70e2629e02e79268dac3016a08b8bf	2024-12-05
https://git.kernel.org/stable/c/6438f3f42cda825f6f59b4e45ac3a1da28a6f2c9	2024-12-14
https://git.kernel.org/stable/c/b017697a517f8779ada4e8ce1c2c75dbf60a2636	2024-12-14
https://git.kernel.org/stable/c/19c71cdd77973f99a9adc3190130bc3aa7ae5423	2024-12-14
https://git.kernel.org/stable/c/3b2a4fd9bbee77afdd3ed5a05a0c02b6cde8d3b9	2024-11-22
https://git.kernel.org/stable/c/59b49ca67cca7b007a5afd3de0283c8008157665	2024-11-22
https://git.kernel.org/stable/c/77e47f89d32c2d72eb33d0becbce7abe14d061f4	2024-11-22
https://git.kernel.org/stable/c/cd45e963e44b0f10d90b9e6c0e8b4f47f3c92471	2024-11-12

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 4.19.325 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 4.19.325"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 5.4.287 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.4.287"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 5.10.231 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.10.231"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 5.15.174 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.15.174"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.1.119 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.1.119"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.6.63 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.6.63"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.11.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.11.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 6.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 6.12"		en		Affected