CVE-2024-57892

ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv

Severity Score

7.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv When mounting ocfs2 and then remounting it as read-only, a
slab-use-after-free occurs after the user uses a syscall to
quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the
dangling pointer. During the remounting process, the pointer dqi_priv is freed but is never
set as null leaving it to be accessed. Additionally, the read-only option
for remounting sets the DQUOT_SUSPENDED flag instead of setting the
DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the
next quota, the function ocfs2_get_next_id is called and only checks the
quota usage flags and not the quota suspended flags. To fix this, I set dqi_priv to null when it is freed after remounting with
read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id. [akpm@linux-foundation.org: coding-style cleanups]

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ocfs2: se corrige slab-use-after-free debido al puntero colgante dqi_priv Al montar ocfs2 y luego volver a montarlo como de solo lectura, se produce un slab-use-after-free después de que el usuario usa una llamada al sistema a quota_getnextquota. Específicamente, sb_dqinfo(sb, type)->dqi_priv es el puntero colgante. Durante el proceso de remontaje, el puntero dqi_priv se libera pero nunca se establece como nulo, dejándolo para que se pueda acceder a él. Además, la opción de solo lectura para remontaje establece el indicador DQUOT_SUSPENDED en lugar de establecer los indicadores DQUOT_USAGE_ENABLED. Además, más adelante en el proceso de obtención de la siguiente cuota, se llama a la función ocfs2_get_next_id y solo verifica los indicadores de uso de cuota y no los indicadores de cuota suspendida. Para solucionar esto, establezco dqi_priv en nulo cuando se libera después de volver a montar con solo lectura y pongo una marca de verificación para DQUOT_SUSPENDED en ocfs2_get_next_id. [akpm@linux-foundation.org: limpiezas de estilo de codificación]

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses a syscall to quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the dangling pointer. During the remounting process, the pointer dqi_priv is freed but is never set as null leaving it to be accessed. Additionally, the read-only option for remounting sets the DQUOT_SUSPENDED flag instead of setting the DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the next quota, the function ocfs2_get_next_id is called and only checks the quota usage flags and not the quota suspended flags. To fix this, I set dqi_priv to null when it is freed after remounting with read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id. [akpm@linux-foundation.org: coding-style cleanups]

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-01-11 CVE Reserved
2025-01-15 CVE Published
2025-01-15 CVE Updated
2025-01-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/8f9e8f5fcc059a3cba87ce837c88316797ef3645	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/2e3d203b1adede46bbba049e497765d67865be18	2025-01-09
https://git.kernel.org/stable/c/ba950a02d8d23811aa1120affd3adedcfac6153d	2025-01-09
https://git.kernel.org/stable/c/5f3fd772d152229d94602bca243fbb658068a597	2024-12-31

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.6 < 6.6.70 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.6 < 6.6.70"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.6 < 6.12.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.6 < 6.12.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.6 < 6.13-rc6 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.6 < 6.13-rc6"		en		Affected