CVE-2024-35979

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-35979
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35979.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-35979
Downstream
Related
Published
2024-05-20T09:42:04Z
Modified
2025-10-09T09:22:57.427156Z
Summary
raid1: fix use-after-free for original bio in raid1_write_request()
Details

In the Linux kernel, the following vulnerability has been resolved:

raid1: fix use-after-free for original bio in raid1_write_request()

r1_bio->bios[] is used to record new bios that will be issued to underlying disks; however, in raid1_write_request(), r1_bio->bios[] will be set to the original bio temporarily. Meanwhile, if a blocked rdev is set, free_r1bio() will be called, causing all of r1_bio->bios[] to be freed:

    raid1_write_request()
     r1_bio = alloc_r1bio(mddev, bio);          -> r1_bio->bios[] is NULL
     for (i = 0; i < disks; i++)                -> for each rdev in conf
      // first rdev is normal
      r1_bio->bios[0] = bio;                    -> set to original bio
      // second rdev is blocked
      if (test_bit(Blocked, &rdev->flags))
       break

     if (blocked_rdev)
      free_r1bio()
       put_all_bios()
        bio_put(r1_bio->bios[0])                -> original bio is freed

Test scripts:

    mdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean
    fio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \
     -iodepth=128 -name=test -direct=1
    echo blocked > /sys/block/md0/md/rd2/state

Test result:

BUG bio-264 (Not tainted): Object already free

    Allocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869
     kmem_cache_alloc+0x324/0x480
     mempool_alloc_slab+0x24/0x50
     mempool_alloc+0x6e/0x220
     bio_alloc_bioset+0x1af/0x4d0
     __blkdev_direct_IO+0x164/0x8a0
     blkdev_write_iter+0x309/0x440
     aio_write+0x139/0x2f0
     io_submit_one+0x5ca/0xb70
     __do_sys_io_submit+0x86/0x270
     __x64_sys_io_submit+0x22/0x30
     do_syscall_64+0xb1/0x210
     entry_SYSCALL_64_after_hwframe+0x6c/0x74
    Freed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869
     kmem_cache_free+0x28c/0x550
     mempool_free_slab+0x1f/0x30
     mempool_free+0x40/0x100
     bio_free+0x59/0x80
     bio_put+0xf0/0x220
     free_r1bio+0x74/0xb0
     raid1_make_request+0xadf/0x1150
     md_handle_request+0xc7/0x3b0
     md_submit_bio+0x76/0x130
     __submit_bio+0xd8/0x1d0
     submit_bio_noacct_nocheck+0x1eb/0x5c0
     submit_bio_noacct+0x169/0xd40
     submit_bio+0xee/0x1d0
     __blkdev_direct_IO+0x322/0x8a0
     blkdev_write_iter+0x309/0x440
     aio_write+0x139/0x2f0

Since the bios for the underlying disks are not allocated yet, fix this problem by using mempool_free() directly to free the r1bio.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
992db13a4aee766c8bfbf046ad15c2db5fa7cab8
Fixed
3f28d49a328fe20926995d5fbdc92da665596268
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
992db13a4aee766c8bfbf046ad15c2db5fa7cab8
Fixed
f423f41b7679c09abb26d2bd54be5cbef23c9446
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
992db13a4aee766c8bfbf046ad15c2db5fa7cab8
Fixed
fcf3f7e2fc8a53a6140beee46ec782a4c88e4744

Affected versions

v6.*

v6.5
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.28
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.8.7