CVE-2024-56672
Description
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: Fix UAF in blkcg_unpin_online()
blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF:
================================================================== BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270 Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117
CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022 Workqueue: cgwb_release cgwb_release_workfn Call Trace:
dump_stack_lvl+0x27/0x80 print_report+0x151/0x710 kasan_report+0xc0/0x100 blkcg_unpin_online+0x15a/0x270 cgwb_release_workfn+0x194/0x480 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30
... Freed by task 1944: kasan_save_track+0x2b/0x70 kasan_save_free_info+0x3c/0x50 __kasan_slab_free+0x33/0x50 kfree+0x10c/0x330 css_free_rwork_fn+0xe6/0xb30 process_scheduled_works+0x71b/0xe20 worker_thread+0x82a/0xbd0 kthread+0x242/0x2c0 ret_from_fork+0x33/0x70 ret_from_fork_asm+0x1a/0x30
Note that the UAF is not easy to trigger as the free path is indirected behind a couple RCU grace periods and a work item execution. I could only trigger it with artifical msleep() injected in blkcg_unpin_online().
Fix it by reading the parent pointer before destroying the blkcg's blkg's.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
142- osv-coords137 versionspkg:deb/ubuntu/linux-azure@6.11.0-1010.10?arch=source&distro=oracularpkg:deb/ubuntu/linux-lowlatency@6.11.0-1011.12?arch=source&distro=oracularpkg:rpm/almalinux/kernelpkg:rpm/almalinux/kernel-64kpkg:rpm/almalinux/kernel-64k-corepkg:rpm/almalinux/kernel-64k-debugpkg:rpm/almalinux/kernel-64k-debug-corepkg:rpm/almalinux/kernel-64k-debug-develpkg:rpm/almalinux/kernel-64k-debug-devel-matchedpkg:rpm/almalinux/kernel-64k-debug-modulespkg:rpm/almalinux/kernel-64k-debug-modules-corepkg:rpm/almalinux/kernel-64k-debug-modules-extrapkg:rpm/almalinux/kernel-64k-develpkg:rpm/almalinux/kernel-64k-devel-matchedpkg:rpm/almalinux/kernel-64k-modulespkg:rpm/almalinux/kernel-64k-modules-corepkg:rpm/almalinux/kernel-64k-modules-extrapkg:rpm/almalinux/kernel-abi-stablelistspkg:rpm/almalinux/kernel-corepkg:rpm/almalinux/kernel-cross-headerspkg:rpm/almalinux/kernel-debugpkg:rpm/almalinux/kernel-debug-corepkg:rpm/almalinux/kernel-debug-develpkg:rpm/almalinux/kernel-debug-devel-matchedpkg:rpm/almalinux/kernel-debug-modulespkg:rpm/almalinux/kernel-debug-modules-corepkg:rpm/almalinux/kernel-debug-modules-extrapkg:rpm/almalinux/kernel-debug-uki-virtpkg:rpm/almalinux/kernel-develpkg:rpm/almalinux/kernel-devel-matchedpkg:rpm/almalinux/kernel-docpkg:rpm/almalinux/kernel-headerspkg:rpm/almalinux/kernel-modulespkg:rpm/almalinux/kernel-modules-corepkg:rpm/almalinux/kernel-modules-extrapkg:rpm/almalinux/kernel-rtpkg:rpm/almalinux/kernel-rt-64kpkg:rpm/almalinux/kernel-rt-64k-corepkg:rpm/almalinux/kernel-rt-64k-debugpkg:rpm/almalinux/kernel-rt-64k-debug-corepkg:rpm/almalinux/kernel-rt-64k-debug-develpkg:rpm/almalinux/kernel-rt-64k-debug-modulespkg:rpm/almalinux/kernel-rt-64k-debug-modules-corepkg:rpm/almalinux/kernel-rt-64k-debug-modules-extrapkg:rpm/almalinux/kernel-rt-64k-develpkg:rpm/almalinux/kernel-rt-64k-modulespkg:rpm/almalinux/kernel-rt-64k-modules-corepkg:rpm/almalinux/kernel-rt-64k-modules-extrapkg:rpm/almalinux/kernel-rt-corepkg:rpm/almalinux/kernel-rt-debugpkg:rpm/almalinux/kernel-rt-debug-corepkg:rpm/almalinux/kernel-rt-debug-develpkg:rpm/almalinux/kernel-rt-debug-modulespkg:rpm/almalinux/kernel-rt-debug-modules-corepkg:rpm/almalinux/kernel-rt-debug-modules-extrapkg:rpm/almalinux/kernel-rt-develpkg:rpm/almalinux/kernel-rt-modulespkg:rpm/almalinux/kernel-rt-modules-corepkg:rpm/almalinux/kernel-rt-modules-extrapkg:rpm/almalinux/kernel-toolspkg:rpm/almalinux/kernel-tools-libspkg:rpm/almalinux/kernel-tools-libs-develpkg:rpm/almalinux/kernel-uki-virtpkg:rpm/almalinux/kernel-uki-virt-addonspkg:rpm/almalinux/kernel-zfcpdumppkg:rpm/almalinux/kernel-zfcpdump-corepkg:rpm/almalinux/kernel-zfcpdump-develpkg:rpm/almalinux/kernel-zfcpdump-devel-matchedpkg:rpm/almalinux/kernel-zfcpdump-modulespkg:rpm/almalinux/kernel-zfcpdump-modules-corepkg:rpm/almalinux/kernel-zfcpdump-modules-extrapkg:rpm/almalinux/libperfpkg:rpm/almalinux/perfpkg:rpm/almalinux/python3-perfpkg:rpm/almalinux/rtlapkg:rpm/almalinux/rvpkg:rpm/opensuse/dtb-aarch64&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-64kb&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-azure&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-debug&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-default-base&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-default&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-docs&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-kvmsmall&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-obs-build&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-obs-qa&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-rt_debug&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-rt&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-source-azure&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-source&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-source-rt&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-syms-azure&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-syms&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-syms-rt&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-zfcpdump&distro=openSUSE%20Leap%2015.6pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/kernel-azure&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP6pkg:rpm/suse/kernel-coco_debug&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Confidential%20Computing%20Technical%20Preview%2015%20SP6pkg:rpm/suse/kernel-coco&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Confidential%20Computing%20Technical%20Preview%2015%20SP6pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP6pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP6pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP6pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP6pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-livepatch-MICRO-6-0-RT_Update_5&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-livepatch-MICRO-6-0-RT_Update_5&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-livepatch-MICRO-6-0_Update_5&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-livepatch-MICRO-6-0_Update_5&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-livepatch-SLE15-SP6-RT_Update_8&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP6pkg:rpm/suse/kernel-livepatch-SLE15-SP6_Update_8&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP6pkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6pkg:rpm/suse/kernel-rt_debug&distro=SUSE%20Real%20Time%20Module%2015%20SP6pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP6pkg:rpm/suse/kernel-source-azure&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP6pkg:rpm/suse/kernel-source-coco&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Confidential%20Computing%20Technical%20Preview%2015%20SP6pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP6pkg:rpm/suse/kernel-syms-azure&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP6pkg:rpm/suse/kernel-syms-coco&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Confidential%20Computing%20Technical%20Preview%2015%20SP6pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6pkg:rpm/suse/kernel-syms-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP6pkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6
< 6.11.0-1010.10+ 136 more
- (no CPE)range: < 6.11.0-1010.10
- (no CPE)range: < 6.11.0-1011.12
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 5.14.0-611.5.1.el9_7
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.8.26.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.23.38.1.150600.12.16.2
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.10.26.1
- (no CPE)range: < 6.4.0-150600.10.26.1
- (no CPE)range: < 6.4.0-150600.8.26.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.10.26.1
- (no CPE)range: < 6.4.0-150600.8.26.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.10.26.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.8.26.1
- (no CPE)range: < 6.4.0-15061.12.coco15sp6.1
- (no CPE)range: < 6.4.0-15061.12.coco15sp6.1
- (no CPE)range: < 6.4.0-150600.23.38.1.150600.12.16.2
- (no CPE)range: < 6.4.0-24.1.21.4
- (no CPE)range: < 6.4.0-24.1.21.4
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-25.1
- (no CPE)range: < 6.4.0-25.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-25.1
- (no CPE)range: < 6.4.0-25.1
- (no CPE)range: < 1-1.1
- (no CPE)range: < 1-1.1
- (no CPE)range: < 1-1.2
- (no CPE)range: < 1-1.2
- (no CPE)range: < 1-150600.1.3.1
- (no CPE)range: < 1-150600.13.3.2
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.10.26.1
- (no CPE)range: < 6.4.0-25.1
- (no CPE)range: < 6.4.0-25.1
- (no CPE)range: < 6.4.0-150600.10.26.1
- (no CPE)range: < 6.4.0-150600.8.26.1
- (no CPE)range: < 6.4.0-15061.12.coco15sp6.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-25.1
- (no CPE)range: < 6.4.0-25.1
- (no CPE)range: < 6.4.0-25.1
- (no CPE)range: < 6.4.0-25.1
- (no CPE)range: < 6.4.0-150600.10.26.1
- (no CPE)range: < 6.4.0-150600.8.26.1
- (no CPE)range: < 6.4.0-15061.12.coco15sp6.1
- (no CPE)range: < 6.4.0-150600.23.38.1
- (no CPE)range: < 6.4.0-150600.10.26.1
- (no CPE)range: < 6.4.0-150600.23.38.1
Patches
Vulnerability mechanics
References
9- git.kernel.org/stable/c/29d1e06560f0f6179062ac638b4064deb637d1adnvdPatch
- git.kernel.org/stable/c/5baa28569c924d9a90d036c2aaab79f791fedaf8nvdPatch
- git.kernel.org/stable/c/64afc6fe24c9896c0153e5a199bcea241ecb0d5cnvdPatch
- git.kernel.org/stable/c/86e6ca55b83c575ab0f2e105cf08f98e58d3d7afnvdPatch
- cert-portal.siemens.com/productcert/html/ssa-265688.htmlnvd
- git.kernel.org/stable/c/83f5a87ee8caa76a917f59912a74d6811f773c67nvd
- git.kernel.org/stable/c/8a07350fe070017a887433f4d6909433955be5f1nvd
- lists.debian.org/debian-lts-announce/2025/03/msg00001.htmlnvd
- lists.debian.org/debian-lts-announce/2025/03/msg00002.htmlnvd
News mentions
0No linked articles in our index yet.