CVE-2024-26868

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26868
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26868.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26868
Related
Published
2024-04-17T11:15:09Z
Modified
2024-09-11T05:03:34.399872Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

nfs: fix panic when nfs4fflayoutprepareds() fails

We've been seeing the following panic in production

BUG: kernel NULL pointer dereference, address: 0000000000000065 PGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0 RIP: 0010:fflayoutcancelio+0x3a/0x90 [nfslayoutflexfiles] Call Trace: <TASK> ? _die+0x78/0xc0 ? pagefaultoops+0x286/0x380 ? _rpcexecute+0x2c3/0x470 [sunrpc] ? rpcnewtask+0x42/0x1c0 [sunrpc] ? excpagefault+0x5d/0x110 ? asmexcpagefault+0x22/0x30 ? fflayoutfreelayoutreturn+0x110/0x110 [nfslayoutflexfiles] ? fflayoutcancelio+0x3a/0x90 [nfslayoutflexfiles] ? fflayoutcancelio+0x6f/0x90 [nfslayoutflexfiles] pnfsmarkmatchinglsegsreturn+0x1b0/0x360 [nfsv4] pnfserrormarklayoutforreturn+0x9e/0x110 [nfsv4] ? fflayoutsendlayouterror+0x50/0x160 [nfslayoutflexfiles] nfs4fflayoutprepareds+0x11f/0x290 [nfslayoutflexfiles] fflayoutpginitwrite+0xf0/0x1f0 [nfslayoutflexfiles] _nfspageioaddrequest+0x154/0x6c0 [nfs] nfspageioaddrequest+0x26b/0x380 [nfs] nfsdowritepage+0x111/0x1e0 [nfs] nfswritepagescallback+0xf/0x30 [nfs] writecachepages+0x17f/0x380 ? nfspageioinitwrite+0x50/0x50 [nfs] ? nfswritepages+0x6d/0x210 [nfs] ? nfswritepages+0x6d/0x210 [nfs] nfswritepages+0x125/0x210 [nfs] dowritepages+0x67/0x220 ? genericperformwrite+0x14b/0x210 filemapfdatawritewbc+0x5b/0x80 filewriteandwaitrange+0x6d/0xc0 nfsfilefsync+0x81/0x170 [nfs] ? nfsfilemmap+0x60/0x60 [nfs] _x64sysfsync+0x53/0x90 dosyscall64+0x3d/0x90 entrySYSCALL64after_hwframe+0x46/0xb0

Inspecting the core with drgn I was able to pull this

prog.crashedthread().stacktrace()[0] #0 at 0xffffffffa079657a (fflayoutcancelio+0x3a/0x84) in fflayoutcancelio at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27 prog.crashedthread().stacktrace()[0]['idx'] (u32)1 prog.crashedthread().stacktrace()[0]['flseg'].mirrorarray[1].mirrords (struct nfs4fflayout_ds *)0xffffffffffffffed

This is clear from the stack trace, we call nfs4fflayoutprepareds() which could error out initializing the mirrords, and then we go to clean it all up and our check is only for if (!mirror->mirrords). This is inconsistent with the rest of the users of mirror_ds, which have

if (ISERRORNULL(mirrords))

to keep from tripping over this exact scenario. Fix this up in fflayoutcancelio() to make sure we don't panic when we get an error. I also spot checked all the other instances of checking mirrords and we appear to be doing the correct checks everywhere, only unconditionally dereferencing mirror_ds when we know it would be valid.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.85-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.7.12-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}