{
  "threat_severity" : "Low",
  "public_date" : "2024-05-20T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: raid1: fix use-after-free for original bio in raid1_write_request()",
    "id" : "2281872",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2281872"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nraid1: fix use-after-free for original bio in raid1_write_request()\nr1_bio->bios[] is used to record new bios that will be issued to\nunderlying disks, however, in raid1_write_request(), r1_bio->bios[]\nwill set to the original bio temporarily. Meanwhile, if blocked rdev\nis set, free_r1bio() will be called causing that all r1_bio->bios[]\nto be freed:\nraid1_write_request()\nr1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL\nfor (i = 0;  i < disks; i++) -> for each rdev in conf\n// first rdev is normal\nr1_bio->bios[0] = bio; -> set to original bio\n// second rdev is blocked\nif (test_bit(Blocked, &rdev->flags))\nbreak\nif (blocked_rdev)\nfree_r1bio()\nput_all_bios()\nbio_put(r1_bio->bios[0]) -> original bio is freed\nTest scripts:\nmdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean\nfio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \\\n-iodepth=128 -name=test -direct=1\necho blocked > /sys/block/md0/md/rd2/state\nTest result:\nBUG bio-264 (Not tainted): Object already free\n-----------------------------------------------------------------------------\nAllocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869\nkmem_cache_alloc+0x324/0x480\nmempool_alloc_slab+0x24/0x50\nmempool_alloc+0x6e/0x220\nbio_alloc_bioset+0x1af/0x4d0\nblkdev_direct_IO+0x164/0x8a0\nblkdev_write_iter+0x309/0x440\naio_write+0x139/0x2f0\nio_submit_one+0x5ca/0xb70\n__do_sys_io_submit+0x86/0x270\n__x64_sys_io_submit+0x22/0x30\ndo_syscall_64+0xb1/0x210\nentry_SYSCALL_64_after_hwframe+0x6c/0x74\nFreed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869\nkmem_cache_free+0x28c/0x550\nmempool_free_slab+0x1f/0x30\nmempool_free+0x40/0x100\nbio_free+0x59/0x80\nbio_put+0xf0/0x220\nfree_r1bio+0x74/0xb0\nraid1_make_request+0xadf/0x1150\nmd_handle_request+0xc7/0x3b0\nmd_submit_bio+0x76/0x130\n__submit_bio+0xd8/0x1d0\nsubmit_bio_noacct_nocheck+0x1eb/0x5c0\nsubmit_bio_noacct+0x169/0xd40\nsubmit_bio+0xee/0x1d0\nblkdev_direct_IO+0x322/0x8a0\nblkdev_write_iter+0x309/0x440\naio_write+0x139/0x2f0\nSince that bios for underlying disks are not allocated yet, fix this\nproblem by using mempool_free() directly to free the r1_bio.", "In the Linux kernel, the following vulnerability has been resolved:\nraid1: fix use-after-free for original bio in raid1_write_request()\nThe Linux kernel CVE team has assigned CVE-2024-35979 to this issue.\nUpstream advisory:\nhttps://lore.kernel.org/linux-cve-announce/2024052025-CVE-2024-35979-2618@gregkh/T" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-35979\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35979\nhttps://lore.kernel.org/linux-cve-announce/2024052025-CVE-2024-35979-2618@gregkh/T" ],
  "name" : "CVE-2024-35979",
  "csaw" : false
}