{
  "threat_severity" : "Moderate",
  "public_date" : "2024-04-17T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: nfs: fix panic when nfs4_ff_layout_prepare_ds() fails",
    "id" : "2275715",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2275715"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnfs: fix panic when nfs4_ff_layout_prepare_ds() fails\nWe've been seeing the following panic in production\nBUG: kernel NULL pointer dereference, address: 0000000000000065\nPGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0\nRIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]\nCall Trace:\n<TASK>\n? __die+0x78/0xc0\n? page_fault_oops+0x286/0x380\n? __rpc_execute+0x2c3/0x470 [sunrpc]\n? rpc_new_task+0x42/0x1c0 [sunrpc]\n? exc_page_fault+0x5d/0x110\n? asm_exc_page_fault+0x22/0x30\n? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles]\n? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]\n? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles]\npnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4]\npnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4]\n? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles]\nnfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles]\nff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles]\n__nfs_pageio_add_request+0x154/0x6c0 [nfs]\nnfs_pageio_add_request+0x26b/0x380 [nfs]\nnfs_do_writepage+0x111/0x1e0 [nfs]\nnfs_writepages_callback+0xf/0x30 [nfs]\nwrite_cache_pages+0x17f/0x380\n? nfs_pageio_init_write+0x50/0x50 [nfs]\n? nfs_writepages+0x6d/0x210 [nfs]\n? nfs_writepages+0x6d/0x210 [nfs]\nnfs_writepages+0x125/0x210 [nfs]\ndo_writepages+0x67/0x220\n? generic_perform_write+0x14b/0x210\nfilemap_fdatawrite_wbc+0x5b/0x80\nfile_write_and_wait_range+0x6d/0xc0\nnfs_file_fsync+0x81/0x170 [nfs]\n? nfs_file_mmap+0x60/0x60 [nfs]\n__x64_sys_fsync+0x53/0x90\ndo_syscall_64+0x3d/0x90\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nInspecting the core with drgn I was able to pull this\n>>> prog.crashed_thread().stack_trace()[0]\n#0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27\n>>> prog.crashed_thread().stack_trace()[0]['idx']\n(u32)1\n>>> prog.crashed_thread().stack_trace()[0]['flseg'].mirror_array[1].mirror_ds\n(struct nfs4_ff_layout_ds *)0xffffffffffffffed\nThis is clear from the stack trace, we call nfs4_ff_layout_prepare_ds()\nwhich could error out initializing the mirror_ds, and then we go to\nclean it all up and our check is only for if (!mirror->mirror_ds).  This\nis inconsistent with the rest of the users of mirror_ds, which have\nif (IS_ERR_OR_NULL(mirror_ds))\nto keep from tripping over this exact scenario.  Fix this up in\nff_layout_cancel_io() to make sure we don't panic when we get an error.\nI also spot checked all the other instances of checking mirror_ds and we\nappear to be doing the correct checks everywhere, only unconditionally\ndereferencing mirror_ds when we know it would be valid.", "A vulnerability was found in the ff_layout_cancel_io() function in the Linux kernel. Improper error checking with the mirror_ds structure fails to check if it is NULL, leading to a potential NULL pointer dereference. This issue could lead to crashes." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-15T00:00:00Z",
    "advisory" : "RHSA-2024:5363",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.31.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-15T00:00:00Z",
    "advisory" : "RHSA-2024:5363",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.31.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26868\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26868\nhttps://lore.kernel.org/linux-cve-announce/2024041737-CVE-2024-26868-35ff@gregkh/T" ],
  "name" : "CVE-2024-26868",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}