CVE-2024-56631
- Source
- https://cve.org/CVERecord?id=CVE-2024-56631
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56631.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-56631
- Downstream
- Related
- Published
- 2024-12-27T15:02:29.428Z
- Modified
- 2026-03-20T12:40:55.335356Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- scsi: sg: Fix slab-use-after-free read in sg_release()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
scsi: sg: Fix slab-use-after-free read in sg_release()
Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN:
BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5838 _mutexunlockslowpath+0xe2/0x750 kernel/locking/mutex.c:912 sgrelease+0x1f4/0x2e0 drivers/scsi/sg.c:407
In sgrelease(), the function krefput(&sfp->fref, sgremovesfp) is called before releasing the openrellock mutex. The krefput() call may decrement the reference count of sfp to zero, triggering its cleanup through sgremovesfp(). This cleanup includes scheduling deferred work via sgremovesfp_usercontext(), which ultimately frees sfp.
After krefput(), sgrelease() continues to unlock openrellock and may reference sfp or sdp. If sfp has already been freed, this results in a slab-use-after-free error.
Move the krefput(&sfp->fref, sgremovesfp) call after unlocking the openrellock mutex. This ensures:
No references to sfp or sdp occur after the reference count is decremented.
Cleanup functions such as sgremovesfp() and sgremovesfpusercontext() can safely execute without impacting the mutex handling in sgrelease().
The fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures proper sequencing of resource cleanup and mutex operations, eliminating the risk of use-after-free errors in sg_release().
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56631.json" }- References
-
- https://git.kernel.org/stable/c/198b89dd5a595ee3f96e5ce5c448b0484cd0e53c
- https://git.kernel.org/stable/c/1f5e2f1ca5875728fcf62bc1a054707444ab4960
- https://git.kernel.org/stable/c/275b8347e21ab8193e93223a8394a806e4ba8918
- https://git.kernel.org/stable/c/285ce1f89f8d414e7eecab5ef5118cd512596318
- https://git.kernel.org/stable/c/59b30afa578637169e2819536bb66459fdddc39d
- https://git.kernel.org/stable/c/e19acb1926c4a1f30ee1ec84d8afba2d975bd534
- https://git.kernel.org/stable/c/f10593ad9bc36921f623361c9e3dd96bd52d85ee
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56631.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-56631
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcc833acbee9db5ca8c6162b015b4c93863c6f821Fixede19acb1926c4a1f30ee1ec84d8afba2d975bd534Fixed285ce1f89f8d414e7eecab5ef5118cd512596318Fixed198b89dd5a595ee3f96e5ce5c448b0484cd0e53cFixed275b8347e21ab8193e93223a8394a806e4ba8918Fixed59b30afa578637169e2819536bb66459fdddc39dFixed1f5e2f1ca5875728fcf62bc1a054707444ab4960Fixedf10593ad9bc36921f623361c9e3dd96bd52d85ee
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected3a27c0defb0315760100f8b1adc7c4acbe04c884