{
  "threat_severity" : "Moderate",
  "public_date" : "2024-12-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: block, bfq: fix bfqq uaf in bfq_limit_depth()",
    "id" : "2334384",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2334384"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nblock, bfq: fix bfqq uaf in bfq_limit_depth()\nSetting a newly allocated bfqq in bic or removing a freed bfqq from bic are both\nprotected by bfqd->lock; however, bfq_limit_depth() dereferences bfqq\nfrom bic without the lock, which can lead to a UAF if the io_context is\nshared by multiple tasks.\nFor example, testing bfq with io_uring can trigger the following UAF in v6.6:\n==================================================================\nBUG: KASAN: slab-use-after-free in bfqq_group+0x15/0x50\nCall Trace:\n<TASK>\ndump_stack_lvl+0x47/0x80\nprint_address_description.constprop.0+0x66/0x300\nprint_report+0x3e/0x70\nkasan_report+0xb4/0xf0\nbfqq_group+0x15/0x50\nbfqq_request_over_limit+0x130/0x9a0\nbfq_limit_depth+0x1b5/0x480\n__blk_mq_alloc_requests+0x2b5/0xa00\nblk_mq_get_new_requests+0x11d/0x1d0\nblk_mq_submit_bio+0x286/0xb00\nsubmit_bio_noacct_nocheck+0x331/0x400\n__block_write_full_folio+0x3d0/0x640\nwritepage_cb+0x3b/0xc0\nwrite_cache_pages+0x254/0x6c0\nwrite_cache_pages+0x254/0x6c0\ndo_writepages+0x192/0x310\nfilemap_fdatawrite_wbc+0x95/0xc0\n__filemap_fdatawrite_range+0x99/0xd0\nfilemap_write_and_wait_range.part.0+0x4d/0xa0\nblkdev_read_iter+0xef/0x1e0\nio_read+0x1b6/0x8a0\nio_issue_sqe+0x87/0x300\nio_wq_submit_work+0xeb/0x390\nio_worker_handle_work+0x24d/0x550\nio_wq_worker+0x27f/0x6c0\nret_from_fork_asm+0x1b/0x30\n</TASK>\nAllocated by task 808602:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\n__kasan_slab_alloc+0x83/0x90\nkmem_cache_alloc_node+0x1b1/0x6d0\nbfq_get_queue+0x138/0xfa0\nbfq_get_bfqq_handle_split+0xe3/0x2c0\nbfq_init_rq+0x196/0xbb0\nbfq_insert_request.isra.0+0xb5/0x480\nbfq_insert_requests+0x156/0x180\nblk_mq_insert_request+0x15d/0x440\nblk_mq_submit_bio+0x8a4/0xb00\nsubmit_bio_noacct_nocheck+0x331/0x400\n__blkdev_direct_IO_async+0x2dd/0x330\nblkdev_write_iter+0x39a/0x450\nio_write+0x22a/0x840\nio_issue_sqe+0x87/0x300\nio_wq_submit_work+0xeb/0x390\nio_worker_handle_work+0x24d/0x550\nio_wq_worker+0x27f/0x6c0\nret_from_fork+0x2d/0x50\nret_from_fork_asm+0x1b/0x30\nFreed by task 808589:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\nkasan_save_free_info+0x27/0x40\n__kasan_slab_free+0x126/0x1b0\nkmem_cache_free+0x10c/0x750\nbfq_put_queue+0x2dd/0x770\n__bfq_insert_request.isra.0+0x155/0x7a0\nbfq_insert_request.isra.0+0x122/0x480\nbfq_insert_requests+0x156/0x180\nblk_mq_dispatch_plug_list+0x528/0x7e0\nblk_mq_flush_plug_list.part.0+0xe5/0x590\n__blk_flush_plug+0x3b/0x90\nblk_finish_plug+0x40/0x60\ndo_writepages+0x19d/0x310\nfilemap_fdatawrite_wbc+0x95/0xc0\n__filemap_fdatawrite_range+0x99/0xd0\nfilemap_write_and_wait_range.part.0+0x4d/0xa0\nblkdev_read_iter+0xef/0x1e0\nio_read+0x1b6/0x8a0\nio_issue_sqe+0x87/0x300\nio_wq_submit_work+0xeb/0x390\nio_worker_handle_work+0x24d/0x550\nio_wq_worker+0x27f/0x6c0\nret_from_fork+0x2d/0x50\nret_from_fork_asm+0x1b/0x30\nFix the problem by protecting bic_to_bfqq() with bfqd->lock." ],
  "statement" : "Triggering the bug requires the bfq I/O scheduler, which is disabled by default on Fedora. It also requires several conditions to hold at the same time (for example, a configured limit_depth for bfq together with io_uring submitting I/O through a shared io_context), so the security impact is limited.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-53166\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53166\nhttps://lore.kernel.org/linux-cve-announce/2024122714-CVE-2024-53166-8beb@gregkh/T" ],
  "name" : "CVE-2024-53166",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the bfq module from being loaded (this works for Fedora only). Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module so that it is not loaded automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}
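Added example, not kernel code and not part of the Red Hat record above: a userspace model of the race the "details" field describes. A `bic` holds a pointer to a `bfqq`; one task swaps in a newly allocated `bfqq` and frees the old one under `bfqd->lock` (the bfq_insert_request / bfq_put_queue path), while a second task looks the `bfqq` up through the `bic`, as bfq_limit_depth() does. The pre-fix lookup reads `bic->bfqq` without the lock and can dereference a freed object; the fixed lookup takes `bfqd->lock` around bic_to_bfqq() and cannot. The struct names, the pthread mutex standing in for the kernel spinlock, the fixed-size quarantine pool (whose `state` field stands in for KASAN's freed-slab detection, so a use-after-free is counted rather than crashing), and the iteration counts are all assumptions of this model.

```c
/*
 * Userspace model of the bfq_limit_depth() race (CVE-2024-53166).
 * Added example; struct names and the pool/mutex are illustrative only.
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

#define POOL_SIZE  4          /* tiny "slab" so freed slots are reused fast */
#define ITERATIONS 200000

enum obj_state { FREED = 0, ALLOCATED = 1 };

struct bfqq {                 /* model of struct bfq_queue */
    atomic_int state;         /* stands in for KASAN's freed-slab poison */
    int weight;               /* the field bfqq_request_over_limit() reads */
};

struct bic {                  /* model of struct bfq_io_cq */
    struct bfqq *bfqq;        /* what bic_to_bfqq() returns */
};

struct bfqd {                 /* model of struct bfq_data */
    pthread_mutex_t lock;     /* bfqd->lock */
    struct bfqq pool[POOL_SIZE];
    struct bic *bic;
};

/* kmem_cache_alloc stand-in: claim the first free slot in the pool. */
static struct bfqq *pool_alloc(struct bfqd *d)
{
    for (;;) {
        for (int i = 0; i < POOL_SIZE; i++) {
            int expected = FREED;
            if (atomic_compare_exchange_strong(&d->pool[i].state,
                                               &expected, ALLOCATED)) {
                d->pool[i].weight = i + 1;
                return &d->pool[i];
            }
        }
    }
}

/* bfq_put_queue() dropping the last reference: the slot becomes free. */
static void pool_free(struct bfqq *q)
{
    atomic_store(&q->state, FREED);
}

/* Task A: under bfqd->lock, point bic at a new bfqq and free the old one. */
static void *swap_and_free(void *arg)
{
    struct bfqd *d = arg;
    for (int i = 0; i < ITERATIONS; i++) {
        pthread_mutex_lock(&d->lock);
        struct bfqq *old = d->bic->bfqq;
        d->bic->bfqq = pool_alloc(d);
        pool_free(old);                    /* freed while the lock is held */
        pthread_mutex_unlock(&d->lock);
    }
    return NULL;
}

struct reader_args { struct bfqd *d; int locked; long uaf_seen; };

/* Task B: bfq_limit_depth(), with or without bfqd->lock around the lookup. */
static void *limit_depth(void *arg)
{
    struct reader_args *a = arg;
    for (int i = 0; i < ITERATIONS; i++) {
        if (a->locked) pthread_mutex_lock(&a->d->lock);
        struct bfqq *q = a->d->bic->bfqq;            /* bic_to_bfqq() */
        if (atomic_load(&q->state) == FREED)         /* what KASAN reports */
            a->uaf_seen++;
        (void)q->weight;                             /* bfqq_group() access */
        if (a->locked) pthread_mutex_unlock(&a->d->lock);
    }
    return NULL;
}

/* Run both tasks; return how many lookups hit a freed bfqq. */
long run_limit_depth(int locked)
{
    struct bfqd d;
    struct bic bic;
    pthread_mutex_init(&d.lock, NULL);
    for (int i = 0; i < POOL_SIZE; i++) {
        atomic_init(&d.pool[i].state, FREED);
        d.pool[i].weight = 0;
    }
    d.bic = &bic;
    bic.bfqq = pool_alloc(&d);
    struct reader_args ra = { &d, locked, 0 };
    pthread_t writer, reader;
    pthread_create(&writer, NULL, swap_and_free, &d);
    pthread_create(&reader, NULL, limit_depth, &ra);
    pthread_join(writer, NULL);
    pthread_join(reader, NULL);
    pthread_mutex_destroy(&d.lock);
    return ra.uaf_seen;
}

int main(void)
{
    printf("unlocked lookup (pre-fix): %ld use-after-free hits\n", run_limit_depth(0));
    printf("locked lookup (fixed):     %ld use-after-free hits\n", run_limit_depth(1));
    return 0;
}
```

Build with `cc -pthread race.c` and run it a few times: the unlocked count depends on scheduling and may be zero on a single core, which is why such races survive testing, while the locked count is zero by construction, because the swap and the free happen in one critical section and the lookup cannot interleave with them. The real fix has the same shape: bic_to_bfqq() and the following dereference are performed while bfqd->lock is held.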