CVE-2024-53216

一、漏洞信息
 漏洞编号：[CVE-2024-53216](https://nvd.nist.gov/vuln/detail/CVE-2024-53216)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：7.8 High
  Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:nfsd: release svc_expkey/svc_export with rcu_workThe last reference for `cache_head` can be reduced to zero in `c_show`and `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently,`svc_export_put` and `expkey_put` will be invoked, leading to twoissues:1. The `svc_export_put` will directly free ex_uuid. However,   `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can   trigger a use-after-free issue, shown below.   ==================================================================   BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]   Read of size 1 at addr ff11000010fdc120 by task cat/870   CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS   1.16.1-2.fc37 04/01/2014   Call Trace:    <TASK>    dump_stack_lvl+0x53/0x70    print_address_description.constprop.0+0x2c/0x3a0    print_report+0xb9/0x280    kasan_report+0xae/0xe0    svc_export_show+0x362/0x430 [nfsd]    c_show+0x161/0x390 [sunrpc]    seq_read_iter+0x589/0x770    seq_read+0x1e5/0x270    proc_reg_read+0xe1/0x140    vfs_read+0x125/0x530    ksys_read+0xc1/0x160    do_syscall_64+0x5f/0x170    entry_SYSCALL_64_after_hwframe+0x76/0x7e   Allocated by task 830:    kasan_save_stack+0x20/0x40    kasan_save_track+0x14/0x30    __kasan_kmalloc+0x8f/0xa0    __kmalloc_node_track_caller_noprof+0x1bc/0x400    kmemdup_noprof+0x22/0x50    svc_export_parse+0x8a9/0xb80 [nfsd]    cache_do_downcall+0x71/0xa0 [sunrpc]    cache_write_procfs+0x8e/0xd0 [sunrpc]    proc_reg_write+0xe1/0x140    vfs_write+0x1a5/0x6d0    ksys_write+0xc1/0x160    do_syscall_64+0x5f/0x170    entry_SYSCALL_64_after_hwframe+0x76/0x7e   Freed by task 868:    kasan_save_stack+0x20/0x40    kasan_save_track+0x14/0x30    kasan_save_free_info+0x3b/0x60    __kasan_slab_free+0x37/0x50    kfree+0xf3/0x3e0    svc_export_put+0x87/0xb0 [nfsd]    cache_purge+0x17f/0x1f0 [sunrpc]    nfsd_destroy_serv+0x226/0x2d0 [nfsd]    nfsd_svc+0x125/0x1e0 [nfsd]    write_threads+0x16a/0x2a0 [nfsd]    nfsctl_transaction_write+0x74/0xa0 [nfsd]    vfs_write+0x1a5/0x6d0    ksys_write+0xc1/0x160    do_syscall_64+0x5f/0x170    entry_SYSCALL_64_after_hwframe+0x76/0x7e2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`.   However, `svc_export_put`/`expkey_put` will call path_put, which   subsequently triggers a sleeping operation due to the following   `dput`.   =============================   WARNING: suspicious RCU usage   5.10.0-dirty #141 Not tainted   -----------------------------   ...   Call Trace:   dump_stack+0x9a/0xd0   ___might_sleep+0x231/0x240   dput+0x39/0x600   path_put+0x1b/0x30   svc_export_put+0x17/0x80   e_show+0x1c9/0x200   seq_read_iter+0x63f/0x7c0   seq_read+0x226/0x2d0   vfs_read+0x113/0x2c0   ksys_read+0xc9/0x170   do_syscall_64+0x33/0x40   entry_SYSCALL_64_after_hwframe+0x67/0xd1Fix these issues by using `rcu_work` to help release`svc_expkey`/`svc_export`. This approach allows for an asynchronouscontext to invoke `path_put` and also facilitates the freeing of`uuid/exp/key` after an RCU grace period.
 漏洞公开时间：2024-12-27 22:15:29
 漏洞创建时间：2024-12-27 22:46:13
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-53216
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/2e4854599200f4d021df8ae17e69221d7c149f3e |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ad4363a24a5746b257c0beb5d8cc68f9b62c173f |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/bd8524148dd8c123334b066faa90590ba2ef8e6f |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f8c989a0c89a75d30f899a7cabdc14d72522bb8d |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-53216 | https://bugzilla.suse.com/show_bug.cgi?id=1235003 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-53216 | https://bugzilla.suse.com/show_bug.cgi?id=1235003 |
| suse_bugzilla | https://git.kernel.org/stable/c/2e4854599200f4d021df8ae17e69221d7c149f3e | https://bugzilla.suse.com/show_bug.cgi?id=1235003 |
| suse_bugzilla | https://git.kernel.org/stable/c/ad4363a24a5746b257c0beb5d8cc68f9b62c173f | https://bugzilla.suse.com/show_bug.cgi?id=1235003 |
| suse_bugzilla | https://git.kernel.org/stable/c/bd8524148dd8c123334b066faa90590ba2ef8e6f | https://bugzilla.suse.com/show_bug.cgi?id=1235003 |
| suse_bugzilla | https://git.kernel.org/stable/c/f8c989a0c89a75d30f899a7cabdc14d72522bb8d | https://bugzilla.suse.com/show_bug.cgi?id=1235003 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-53216.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1235003 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024122732-CVE-2024-53216-ba8b@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2334415 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-53216 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://git.kernel.org/stable/c/2e4854599200f4d021df8ae17e69221d7c149f3e |  | nvd |
|  |  | https://git.kernel.org/stable/c/ad4363a24a5746b257c0beb5d8cc68f9b62c173f |  | nvd |
|  |  | https://git.kernel.org/stable/c/bd8524148dd8c123334b066faa90590ba2ef8e6f |  | nvd |
|  |  | https://git.kernel.org/stable/c/f8c989a0c89a75d30f899a7cabdc14d72522bb8d |  | nvd |
| linux_kernel | 6.6.64 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=bd8524148dd8c123334b066faa90590ba2ef8e6f | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9ceddd9da13434a5906255c0fc528c385aded283 | linuxkernelcves |
| linux_kernel | 6.11.11 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2e4854599200f4d021df8ae17e69221d7c149f3e | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9ceddd9da13434a5906255c0fc528c385aded283 | linuxkernelcves |
| linux_kernel | 6.12.2 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ad4363a24a5746b257c0beb5d8cc68f9b62c173f | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9ceddd9da13434a5906255c0fc528c385aded283 | linuxkernelcves |
| linux_kernel | 6.13-rc1 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f8c989a0c89a75d30f899a7cabdc14d72522bb8d | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9ceddd9da13434a5906255c0fc528c385aded283 | linuxkernelcves |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:nfsd: release svc_expkey/svc_export with rcu_workThe last reference for `cache_head` can be reduced to zero in `c_show`and `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently,`svc_export_put` and `expkey_put` will be invoked, leading to twoissues:1. The `svc_export_put` will directly free ex_uuid. However,   `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can   trigger a use-after-free issue, shown below.   ==================================================================   BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]   Read of size 1 at addr ff11000010fdc120 by task cat/870   CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS   1.16.1-2.fc37 04/01/2014   Call Trace:    &lt;TASK&gt;    dump_stack_lvl+0x53/0x70    print_address_description.constprop.0+0x2c/0x3a0    print_report+0xb9/0x280    kasan_report+0xae/0xe0    svc_export_show+0x362/0x430 [nfsd]    c_show+0x161/0x390 [sunrpc]    seq_read_iter+0x589/0x770    seq_read+0x1e5/0x270    proc_reg_read+0xe1/0x140    vfs_read+0x125/0x530    ksys_read+0xc1/0x160    do_syscall_64+0x5f/0x170    entry_SYSCALL_64_after_hwframe+0x76/0x7e   Allocated by task 830:    kasan_save_stack+0x20/0x40    kasan_save_track+0x14/0x30    __kasan_kmalloc+0x8f/0xa0    __kmalloc_node_track_caller_noprof+0x1bc/0x400    kmemdup_noprof+0x22/0x50    svc_export_parse+0x8a9/0xb80 [nfsd]    cache_do_downcall+0x71/0xa0 [sunrpc]    cache_write_procfs+0x8e/0xd0 [sunrpc]    proc_reg_write+0xe1/0x140    vfs_write+0x1a5/0x6d0    ksys_write+0xc1/0x160    do_syscall_64+0x5f/0x170    entry_SYSCALL_64_after_hwframe+0x76/0x7e   Freed by task 868:    kasan_save_stack+0x20/0x40    kasan_save_track+0x14/0x30    kasan_save_free_info+0x3b/0x60    __kasan_slab_free+0x37/0x50    kfree+0xf3/0x3e0    svc_export_put+0x87/0xb0 [nfsd]    cache_purge+0x17f/0x1f0 [sunrpc]    nfsd_destroy_serv+0x226/0x2d0 [nfsd]    nfsd_svc+0x125/0x1e0 [nfsd]    write_threads+0x16a/0x2a0 [nfsd]    nfsctl_transaction_write+0x74/0xa0 [nfsd]    vfs_write+0x1a5/0x6d0    ksys_write+0xc1/0x160    do_syscall_64+0x5f/0x170    entry_SYSCALL_64_after_hwframe+0x76/0x7e2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`.   However, `svc_export_put`/`expkey_put` will call path_put, which   subsequently triggers a sleeping operation due to the following   `dput`.   =============================   WARNING: suspicious RCU usage   5.10.0-dirty #141 Not tainted   -----------------------------   ...   Call Trace:   dump_stack+0x9a/0xd0   ___might_sleep+0x231/0x240   dput+0x39/0x600   path_put+0x1b/0x30   svc_export_put+0x17/0x80   e_show+0x1c9/0x200   seq_read_iter+0x63f/0x7c0   seq_read+0x226/0x2d0   vfs_read+0x113/0x2c0   ksys_read+0xc9/0x170   do_syscall_64+0x33/0x40   entry_SYSCALL_64_after_hwframe+0x67/0xd1Fix these issues by using `rcu_work` to help release`svc_expkey`/`svc_export`. This approach allows for an asynchronouscontext to invoke `path_put` and also facilitates the freeing of`uuid/exp/key` after an RCU grace period.The Linux kernel CVE team has assigned CVE-2024-53216 to this issue.
 openEuler评分：
  7.8
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):受影响
2.openEuler-22.03-LTS-SP3:受影响
3.openEuler-22.03-LTS-SP4:受影响
4.openEuler-24.03-LTS(6.6.0):受影响
5.openEuler-24.03-LTS-SP1(6.6.0):受影响
6.openEuler-24.03-LTS-SP2(6.6.0):受影响
7.master(6.12.33):不受影响
8.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.master(6.12.33):否
2.openEuler-20.03-LTS-SP4(4.19.90):否
3.openEuler-22.03-LTS-SP3:否
4.openEuler-22.03-LTS-SP4:否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-24.03-LTS-SP1(6.6.0):否
8.openEuler-24.03-LTS-SP2(6.6.0):否

原因说明：
  1.openEuler-22.03-LTS-SP3:正常修复
2.openEuler-22.03-LTS-SP4:正常修复
3.openEuler-24.03-LTS(6.6.0):正常修复
4.openEuler-24.03-LTS-SP1(6.6.0):正常修复
5.openEuler-24.03-LTS-SP2(6.6.0):正常修复
6.openEuler-20.03-LTS-SP4(4.19.90):不修复-超出修复范围
7.master(6.12.33):不受影响-漏洞代码不能被攻击者触发
8.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发

src-openEuler/kernel

Content Risk Flag

Comments (21)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2024-53216

Comments (21)

Search

src-openEuler/kernel