{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-12T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()",
    "id" : "2297582",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2297582"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()\nIn the following concurrency we will access the uninitialized rs->lock:\next4_fill_super\next4_register_sysfs\n// sysfs registered msg_ratelimit_interval_ms\n// Other processes modify rs->interval to\n// non-zero via msg_ratelimit_interval_ms\next4_orphan_cleanup\next4_msg(sb, KERN_INFO, \"Errors on filesystem, \"\n__ext4_msg\n___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)\nif (!rs->interval)  // do nothing if interval is 0\nreturn 1;\nraw_spin_trylock_irqsave(&rs->lock, flags)\nraw_spin_trylock(lock)\n_raw_spin_trylock\n__raw_spin_trylock\nspin_acquire(&lock->dep_map, 0, 1, _RET_IP_)\nlock_acquire\n__lock_acquire\nregister_lock_class\nassign_lock_key\ndump_stack();\nratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);\nraw_spin_lock_init(&rs->lock);\n// init rs->lock here\nand get the following dump_stack:\n=========================================================\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn't initialize this object before use?\nturning off the locking correctness validator.\nCPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504\n[...]\nCall Trace:\ndump_stack_lvl+0xc5/0x170\ndump_stack+0x18/0x30\nregister_lock_class+0x740/0x7c0\n__lock_acquire+0x69/0x13a0\nlock_acquire+0x120/0x450\n_raw_spin_trylock+0x98/0xd0\n___ratelimit+0xf6/0x220\n__ext4_msg+0x7f/0x160 [ext4]\next4_orphan_cleanup+0x665/0x740 [ext4]\n__ext4_fill_super+0x21ea/0x2b10 [ext4]\next4_fill_super+0x14d/0x360 [ext4]\n[...]\n=========================================================\nNormally interval is 0 until s_msg_ratelimit_state is initialized, so\n___ratelimit() does nothing. But registering sysfs precedes initializing\nrs->lock, so it is possible to change rs->interval to a non-zero value\nvia the msg_ratelimit_interval_ms interface of sysfs while rs->lock is\nuninitialized, and then a call to ext4_msg triggers the problem by\naccessing an uninitialized rs->lock. Therefore register sysfs after all\ninitializations are complete to avoid such problems.", "A vulnerability was found in the Linux kernel's ext4 filesystem within the __ext4_fill_super() function, where uninitialized access to ratelimit_state->lock can occur because the sysfs interface is registered before rs->lock is properly initialized, potentially allowing other processes to modify rs->interval to a non-zero value." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7001",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7000",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.22.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2024-10-30T00:00:00Z",
    "advisory" : "RHSA-2024:8616",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.127.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2024-10-30T00:00:00Z",
    "advisory" : "RHSA-2024:8616",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.127.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2024-10-30T00:00:00Z",
    "advisory" : "RHSA-2024:8616",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.127.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-10-15T00:00:00Z",
    "advisory" : "RHSA-2024:8107",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kernel-0:4.18.0-477.75.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-10-30T00:00:00Z",
    "advisory" : "RHSA-2024:8617",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.42.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-10-30T00:00:00Z",
    "advisory" : "RHSA-2024:8617",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.42.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-10-30T00:00:00Z",
    "advisory" : "RHSA-2024:8613",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.90.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-10-30T00:00:00Z",
    "advisory" : "RHSA-2024:8614",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.90.1.rt14.375.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-40998\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40998\nhttps://lore.kernel.org/linux-cve-announce/2024071252-CVE-2024-40998-90d6@gregkh/T" ],
  "name" : "CVE-2024-40998",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}