{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-21T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: block, bfq: fix possible UAF for bfqq->bic with merge chain",
    "id" : "2320238",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2320238"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible UAF for bfqq->bic with merge chain\n\n1) initial state, three tasks:\n\n  Process 1       Process 2       Process 3\n   (BIC1)          (BIC2)          (BIC3)\n    |  Λ            |  Λ            |  Λ\n    |  |            |  |            |  |\n    V  |            V  |            V  |\n    bfqq1           bfqq2           bfqq3\nprocess ref:  1     1               1\n\n2) bfqq1 merged to bfqq2:\n\n  Process 1       Process 2       Process 3\n   (BIC1)          (BIC2)          (BIC3)\n    |               |               |  Λ\n    \\--------------\\|               |  |\n                    V               V  |\n    bfqq1---------->bfqq2           bfqq3\nprocess ref:  0     2               1\n\n3) bfqq2 merged to bfqq3:\n\n  Process 1       Process 2       Process 3\n   (BIC1)          (BIC2)          (BIC3)\nhere -> Λ                           |  |\n    \\--------------\\ \\-------------\\|  |\n                                    V  V\n    bfqq1---------->bfqq2---------->bfqq3\nprocess ref:  0     1               3\n\nIn this case, IO from Process 1 will get bfqq2 from BIC1 first, and then\nget bfqq3 through merge chain, and finally handle IO by bfqq3.\n\nHowever, current code will think bfqq2 is owned by BIC1, like initial\nstate, and set bfqq2->bic to BIC1.\n\nbfq_insert_request\n-> by Process 1\n bfqq = bfq_init_rq(rq)\n  bfqq = bfq_get_bfqq_handle_split\n   bfqq = bic_to_bfqq\n   -> get bfqq2 from BIC1\n  bfqq->ref++\n  rq->elv.priv[0] = bic\n  rq->elv.priv[1] = bfqq\n  if (bfqq_process_refs(bfqq) == 1)\n   bfqq->bic = bic\n   -> record BIC1 to bfqq2\n\n  __bfq_insert_request\n   new_bfqq = bfq_setup_cooperator\n   -> get bfqq3 from bfqq2->new_bfqq\n   bfqq_request_freed(bfqq)\n   new_bfqq->ref++\n   rq->elv.priv[1] = new_bfqq\n   -> handle IO by bfqq3\n\nFix the problem by checking bfqq is from merge chain first. And this\nmight fix a following problem reported by our syzkaller(unreproducible):\n\n==================================================================\nBUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\nBUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\nBUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\nWrite of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595\n\nCPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G             L     6.6.0-07439-gba2303cacfda #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nWorkqueue: kblockd blk_mq_requeue_work\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:364 [inline]\nprint_report+0x10d/0x610 mm/kasan/report.c:475\nkasan_report+0x8e/0xc0 mm/kasan/report.c:588\nbfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\nbfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\nbfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\nbfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757\nbfq_init_rq block/bfq-iosched.c:6876 [inline]\nbfq_insert_request block/bfq-iosched.c:6254 [inline]\nbfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304\nblk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593\nblk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502\nprocess_one_work kernel/workqueue.c:2627 [inline]\nprocess_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700\nworker_thread+0x6f2/0x1160 kernel/workqueue.c:2781\nkthread+0x33c/0x440 kernel/kthread.c:388\nret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305\n</TASK>\n\nAllocated by task 20776:\nkasan_save_stack+0x20/0x40 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n__kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\nkasan_slab_alloc include/linux/kasan.h:188 [inline]\nslab_post_alloc_hook mm/slab.h:763 [inline]\nslab_alloc_node mm/slub.c:3458 [inline]\nkmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503\nioc_create_icq block/blk-ioc.c:370 [inline]\n---truncated---", "A use-after-free flaw was found in the Budget Fair Queueing (BFQ) I/O scheduler in the Linux kernel. When a BFQ queue that already belongs to a merge chain is wrongly recorded as owned by a process's I/O context (bfqq->bic), that pointer can outlive the context it refers to and be used after the context has been freed, which can crash the kernel and result in a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-47706\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47706\nhttps://lore.kernel.org/linux-cve-announce/2024102116-CVE-2024-47706-7312@gregkh/T" ],
  "name" : "CVE-2024-47706",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}
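The C program below is an illustration added to this record; it is not code from the kernel, from the referenced commit, or from Red Hat. It models the three-queue scenario of the commit message (bfqq1 merged into bfqq2, then bfqq2 into bfqq3) with simplified userspace structs, reproduces the process-reference counts shown in the diagram, and contrasts the pre-fix ownership test (a single process ref is read as "owned by this bic") with a test that first checks whether the queue is part of a merge chain. That check is expressed here as a `!new_bfqq` condition in the spirit of the commit message, not as the exact upstream diff. The refcount bookkeeping and the exit-time cleanup rule in `exit_bic()` are assumptions of the model, chosen only to show why a stale `bfqq->bic` on bfqq2 can survive the release of BIC1.

```c
/* Added illustration for CVE-2024-47706, not kernel code: a userspace model of how
 * the pre-fix bfq_init_rq() logic records the wrong owning bic on a queue already in
 * a merge chain, leaving bfqq->bic dangling once that bic is released. Names follow
 * the commit message; structs, refcounting and exit_bic() are model assumptions. */
#include <stdbool.h>
#include <stdio.h>

struct bic;
struct bfqq {                /* stand-in for struct bfq_queue */
    const char *name;
    int process_refs;        /* processes whose I/O is charged to this queue */
    struct bic *bic;         /* recorded owner, meaningful only for an unmerged queue */
    struct bfqq *new_bfqq;   /* non-NULL once this queue was merged into another */
};

struct bic {                 /* stand-in for struct bfq_io_cq */
    const char *name;
    struct bfqq *bfqq;       /* what bic_to_bfqq() would return for this process */
    bool freed;              /* model stand-in for the bic memory being released */
};

/* Steps 2 and 3 of the commit message: merge the queue owned by 'bic' into 'to'.
 * 'to' is charged in advance for every process expected to follow the chain; only
 * the process in context is redirected now, the others on their next I/O (which
 * is why bfqq2 still shows one process ref in state 3). */
static void merge_bfqq(struct bic *bic, struct bfqq *to)
{
    struct bfqq *from = bic->bfqq;
    from->new_bfqq = to;
    to->process_refs += from->process_refs;
    bic->bfqq = to;
    from->process_refs--;
}

/* Request setup for the process behind 'bic'. check_chain == false is the pre-fix
 * logic: one process ref is read as "owned by this bic" even if the queue was
 * merged away; check_chain == true tests for a merge chain first. The I/O is
 * then redirected down the chain and the queue that serves it is returned. */
static struct bfqq *init_rq(struct bic *bic, bool check_chain)
{
    struct bfqq *q = bic->bfqq, *handler = q;
    if ((!check_chain || !q->new_bfqq) && q->process_refs == 1)
        q->bic = bic;                         /* the questionable ownership record */
    while (handler->new_bfqq)                 /* bfq_setup_cooperator's chain walk */
        handler = handler->new_bfqq;
    if (handler != q) {
        bic->bfqq = handler;
        q->process_refs--;
    }
    return handler;
}

/* Process exit. Model assumption: cleanup clears the owner pointer only on the
 * queue the bic currently points to; any other queue naming it is left dangling. */
static void exit_bic(struct bic *bic)
{
    if (bic->bfqq->bic == bic)
        bic->bfqq->bic = NULL;
    bic->freed = true;
}

struct scenario { struct bfqq q1, q2, q3; struct bic b1, b2, b3; };

/* Build state 3 of the commit message: bfqq1 -> bfqq2 -> bfqq3. */
static void build_state3(struct scenario *s)
{
    s->q1 = (struct bfqq){ "bfqq1", 1, NULL, NULL };
    s->q2 = (struct bfqq){ "bfqq2", 1, NULL, NULL };
    s->q3 = (struct bfqq){ "bfqq3", 1, NULL, NULL };
    s->b1 = (struct bic){ "BIC1", &s->q1, false };
    s->b2 = (struct bic){ "BIC2", &s->q2, false };
    s->b3 = (struct bic){ "BIC3", &s->q3, false };
    merge_bfqq(&s->b1, &s->q2);               /* process refs: 0 / 2 / 1 */
    merge_bfqq(&s->b2, &s->q3);               /* process refs: 0 / 1 / 3 */
}

/* Process refs of bfqq1..3 (idx 0..2) in state 3, to compare with the diagram. */
static int state3_process_refs(int idx)
{
    struct scenario s;
    build_state3(&s);
    return idx == 0 ? s.q1.process_refs : idx == 1 ? s.q2.process_refs : s.q3.process_refs;
}

/* Process 1 issues I/O (served by bfqq3 either way), then exits. True when
 * bfqq2->bic is left pointing at the released BIC1: the UAF precondition. */
static bool bfqq2_bic_dangles(bool check_chain)
{
    struct scenario s;
    build_state3(&s);
    init_rq(&s.b1, check_chain);
    exit_bic(&s.b1);
    return s.q2.bic != NULL && s.q2.bic->freed;
}

int main(void)
{
    printf("pre-fix dangles: %d, post-fix: %d\n", bfqq2_bic_dangles(false), bfqq2_bic_dangles(true));
    return 0;
}
```

Built with `cc -std=c99 -Wall`, the program prints `1` for the pre-fix variant and `0` for the fixed one. The ordering inside `init_rq()` is the point: the single remaining process ref on bfqq2 belongs to a process whose I/O will be served by bfqq3, so the ownership record has to be refused for any queue with `new_bfqq` set before the ref count is consulted at all.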