CVE-2024-42149

{"id": "CVE-2024-42149", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-07-30T08:15:06.543", "references": [{"url": "https://git.kernel.org/stable/c/25b1e3906e050d452427bc51620bb7f0a591373a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2ae4db5647d807efb6a87c09efaa6d1db9c905d7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/25b1e3906e050d452427bc51620bb7f0a591373a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/2ae4db5647d807efb6a87c09efaa6d1db9c905d7", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: don't misleadingly warn during thaw operations\n\nThe block device may have been frozen before it was claimed by a\nfilesystem. Concurrently another process might try to mount that\nfrozen block device and has temporarily claimed the block device for\nthat purpose causing a concurrent fs_bdev_thaw() to end up here. The\nmounter is already about to abort mounting because they still saw an\nelevanted bdev->bd_fsfreeze_count so get_bdev_super() will return\nNULL in that case.\n\nFor example, P1 calls dm_suspend() which calls into bdev_freeze() before\nthe block device has been claimed by the filesystem. This brings\nbdev->bd_fsfreeze_count to 1 and no call into fs_bdev_freeze() is\nrequired.\n\nNow P2 tries to mount that frozen block device. It claims it and checks\nbdev->bd_fsfreeze_count. As it's elevated it aborts mounting.\n\nIn the meantime P3 called dm_resume(). P3 sees that the block device is\nalready claimed by a filesystem and calls into fs_bdev_thaw().\n\nP3 takes a passive reference and realizes that the filesystem isn't\nready yet. P3 puts itself to sleep to wait for the filesystem to become\nready.\n\nP2 now puts the last active reference to the filesystem and marks it as\ndying. P3 gets woken, sees that the filesystem is dying and\nget_bdev_super() fails."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: fs: no advierta de manera enga\u00f1osa durante las operaciones de descongelaci\u00f3n. Es posible que el dispositivo de bloque se haya congelado antes de que un sistema de archivos lo reclamara. Al mismo tiempo, otro proceso podr\u00eda intentar montar ese dispositivo de bloque congelado y ha reclamado temporalmente el dispositivo de bloque para ese prop\u00f3sito, lo que provoca que un fs_bdev_thaw() concurrente termine aqu\u00ed. El montador ya est\u00e1 a punto de cancelar el montaje porque todav\u00eda vio un bdev->bd_fsfreeze_count elevado, por lo que get_bdev_super() devolver\u00e1 NULL en ese caso. Por ejemplo, P1 llama a dm_suspend(), que llama a bdev_freeze() antes de que el sistema de archivos haya reclamado el dispositivo de bloque. Esto lleva bdev->bd_fsfreeze_count a 1 y no se requiere ninguna llamada a fs_bdev_freeze(). Ahora P2 intenta montar ese dispositivo de bloque congelado. Lo reclama y comprueba bdev->bd_fsfreeze_count. Al estar elevado se aborta el montaje. Mientras tanto, P3 llam\u00f3 a dm_resume(). P3 ve que el dispositivo de bloque ya est\u00e1 reclamado por un sistema de archivos y llama a fs_bdev_thaw(). P3 toma una referencia pasiva y se da cuenta de que el sistema de archivos a\u00fan no est\u00e1 listo. P3 se pone en modo de suspensi\u00f3n para esperar a que el sistema de archivos est\u00e9 listo. P2 ahora coloca la \u00faltima referencia activa al sistema de archivos y lo marca como moribundo. P3 se despierta, ve que el sistema de archivos est\u00e1 muriendo y get_bdev_super() falla."}], "lastModified": "2024-12-09T23:05:27.663", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5726EB4D-ED18-4DEC-B0C0-A525D33487E1", "versionEndExcluding": "6.9.9", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2EBB4392-5FA6-4DA9-9772-8F9C750109FA"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "331C2F14-12C7-45D5-893D-8C52EE38EA10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3173713D-909A-4DD3-9DD4-1E171EB057EE"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79F18AFA-40F7-43F0-BA30-7BDB65F918B9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD973AA4-A789-49BD-8D57-B2846935D3C7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8F3E9E0C-AC3E-4967-AF80-6483E8AB0078"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}