CVE-2024-56693

HIGH EPSS 14.8%
Published Dec 28, 20241y ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Dec 28, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: brd: defer automatic disk creation until module initialization succeeds My colleague Wupeng found the following problems during fault injection: BUG: unable to handle page fault for address: fffffbfff809d073 PGD 6e648067 P4D 123ec8067 PUD 123ec4067 PMD 100e38067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 5 UID: 0 PID: 755 Comm: modprobe Not tainted 6.12.0-rc3+ #17 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:__asan_load8+0x4c/0xa0 ... Call Trace: <TASK> blkdev_put_whole+0x41/0x70 bdev_release+0x1a3/0x250 blkdev_release+0x11/0x20 __fput+0x1d7/0x4a0 task_work_run+0xfc/0x180 syscall_exit_to_user_mode+0x1de/0x1f0 do_syscall_64+0x6b/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e loop_init() is calling loop_add() after __register_blkdev() succeeds and is ignoring disk_add() failure from loop_add(), for loop_add() failure is not fatal and successfully created disks are already visible to bdev_open(). brd_init() is currently calling brd_alloc() before __register_blkdev() succeeds and is releasing successfully created disks when brd_init() returns an error. This can cause UAF for the latter two case: case 1: T1: modprobe brd brd_init brd_alloc(0) // success add_disk disk_scan_partitions bdev_file_open_by_dev // alloc file fput // won't free until back to userspace brd_alloc(1) // failed since mem alloc error inject // error path for modprobe will release code segment // back to userspace __fput blkdev_release bdev_release blkdev_put_whole bdev->bd_disk->fops->release // fops is freed now, UAF! case 2: T1: T2: modprobe brd brd_init brd_alloc(0) // success open(/dev/ram0) brd_alloc(1) // fail // error path for modprobe close(/dev/ram0) ... /* UAF! */ bdev->bd_disk->fops->release Fix this problem by following what loop_init() does. Besides, reintroduce brd_devices_mutex to help serialize modifications to brd_list.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
14.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 5

VendorProductVersionRange
linuxlinux_kernel*≥5.14  –  <5.15.174
linuxlinux_kernel*≥5.16  –  <6.1.120
linuxlinux_kernel*≥6.2  –  <6.6.64
linuxlinux_kernel*≥6.7  –  <6.11.11
linuxlinux_kernel*≥6.12  –  <6.12.2

References 7

  • git.kernel.org https://git.kernel.org/stable/c/259bf925583ec9e3781df778cadf00594095090d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/410896624db639500f24f46478b4bfa05c76bf56
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/41219c147df8bbd6591f59af5d695fb6c9a1cbff
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/63dfd728b30f79495dacc886127695a379805152
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/826cc42adf44930a633d11a5993676d85ddb0842
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c0c2744cd2939ec5999c51dbaf2af16886548b7b
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/259bf925583ec9e3781df778cadf00594095090d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/410896624db639500f24f46478b4bfa05c76bf56
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/41219c147df8bbd6591f59af5d695fb6c9a1cbff
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/63dfd728b30f79495dacc886127695a379805152
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/826cc42adf44930a633d11a5993676d85ddb0842
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c0c2744cd2939ec5999c51dbaf2af16886548b7b
    Patch