CVE-2024-36478: null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'
First published: Fri Jun 21 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' Writing 'power' and 'submit_queues' concurrently will trigger kernel panic: Test script: modprobe null_blk nr_devices=0 mkdir -p /sys/kernel/config/nullb/nullb0 while true; do echo 1 > submit_queues; echo 4 > submit_queues; done & while true; do echo 1 > power; echo 0 > power; done Test result: BUG: kernel NULL pointer dereference, address: 0000000000000148 Oops: 0000 [#1] PREEMPT SMP RIP: 0010:__lock_acquire+0x41d/0x28f0 Call Trace: <TASK> lock_acquire+0x121/0x450 down_write+0x5f/0x1d0 simple_recursive_removal+0x12f/0x5c0 blk_mq_debugfs_unregister_hctxs+0x7c/0x100 blk_mq_update_nr_hw_queues+0x4a3/0x720 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x79/0xf0 [null_blk] configfs_write_iter+0x119/0x1e0 vfs_write+0x326/0x730 ksys_write+0x74/0x150 This is because del_gendisk() can concurrent with blk_mq_update_nr_hw_queues(): nullb_device_power_store nullb_apply_submit_queues null_del_dev del_gendisk nullb_update_nr_hw_queues if (!dev->nullb) // still set while gendisk is deleted return 0 blk_mq_update_nr_hw_queues dev->nullb = NULL Fix this problem by resuing the global mutex to protect nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | >=5.5<6.9.4 | |
| debian/linux | <=5.10.223-1<=5.10.226-1<=6.1.115-1 | 6.1.119-1 6.11.10-1 6.12.5-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47
- https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2
- https://launchpad.net/bugs/cve/CVE-2024-36478
- https://git.kernel.org/stable/c/aaadb755f2d684f715a6eb85cb7243aa0c67dfa9
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36478
- https://nvd.nist.gov/vuln/detail/CVE-2024-36478
- https://security-tracker.debian.org/tracker/CVE-2024-36478
- https://ubuntu.com/security/CVE-2024-36478
- https://git.kernel.org/linus/a2db328b0839312c169eb42746ec46fc1ab53ed2
- https://git.kernel.org/stable/c/1d4c8baef435c98e8d5aa7027dc5a9f70834ba16
- agent/title
- agent/type
- agent/severity
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/remedy
- agent/first-publish-date
- agent/weakness
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- agent/references
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-cve
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/5.5
- package-manager/debian