CVE-2024-56547

Published: Dic 27, 2024 Last Modified: Ott 08, 2025 EU-VD ID: EUVD-2024-53195

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 4,7

Source: [email protected]

Attack Vector: local

Attack Complexity: high

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: none

Availability: high

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

rcu/nocb: Fix missed RCU barrier on deoffloading

Currently, running rcutorture test with torture_type=rcu fwd_progress=8
n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60
test_boost=2, will trigger the following warning:

WARNING: CPU: 19 PID: 100 at kernel/rcu/tree_nocb.h:1061 rcu_nocb_rdp_deoffload+0x292/0x2a0
RIP: 0010:rcu_nocb_rdp_deoffload+0x292/0x2a0
Call Trace:
<TASK>
? __warn+0x7e/0x120
? rcu_nocb_rdp_deoffload+0x292/0x2a0
? report_bug+0x18e/0x1a0
? handle_bug+0x3d/0x70
? exc_invalid_op+0x18/0x70
? asm_exc_invalid_op+0x1a/0x20
? rcu_nocb_rdp_deoffload+0x292/0x2a0
rcu_nocb_cpu_deoffload+0x70/0xa0
rcu_nocb_toggle+0x136/0x1c0
? __pfx_rcu_nocb_toggle+0x10/0x10
kthread+0xd1/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2f/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>

CPU0 CPU2 CPU3
//rcu_nocb_toggle //nocb_cb_wait //rcutorture

// deoffload CPU1 // process CPU1's rdp
rcu_barrier()
rcu_segcblist_entrain()
rcu_segcblist_add_len(1);
// len == 2
// enqueue barrier
// callback to CPU1's
// rdp->cblist
rcu_do_batch()
// invoke CPU1's rdp->cblist
// callback
rcu_barrier_callback()
rcu_barrier()
mutex_lock(&rcu_state.barrier_mutex);
// still see len == 2
// enqueue barrier callback
// to CPU1's rdp->cblist
rcu_segcblist_entrain()
rcu_segcblist_add_len(1);
// len == 3
// decrement len
rcu_segcblist_add_len(-2);
kthread_parkme()

// CPU1's rdp->cblist len == 1
// Warn because there is
// still a pending barrier
// trigger warning
WARN_ON_ONCE(rcu_segcblist_n_cbs(&rdp->cblist));
cpus_read_unlock();

// wait CPU1 to comes online and
// invoke barrier callback on
// CPU1 rdp's->cblist
wait_for_completion(&rcu_state.barrier_completion);
// deoffload CPU4
cpus_read_lock()
rcu_barrier()
mutex_lock(&rcu_state.barrier_mutex);
// block on barrier_mutex
// wait rcu_barrier() on
// CPU3 to unlock barrier_mutex
// but CPU3 unlock barrier_mutex
// need to wait CPU1 comes online
// when CPU1 going online will block on cpus_write_lock

The above scenario will not only trigger a WARN_ON_ONCE(), but also
trigger a deadlock.

Thanks to nocb locking, a second racing rcu_barrier() on an offline CPU
will either observe the decremented callback counter down to 0 and spare
the callback enqueue, or rcuo will observe the new callback and keep
rdp->nocb_cb_sleep to false.

Therefore check rdp->nocb_cb_sleep before parking to make sure no
further rcu_barrier() is waiting on the rdp.

AI Generated Translation

Nel kernel Linux, è stata risolta la seguente vulnerabilità:

rcu/nocb: Correzione del mancato RCU barrier durante il deoffloading

Attualmente, eseguendo il test rcutorture con torture_type=rcu fwd_progress=8 n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60 test_boost=2, si verifica il seguente avviso:

CPU0 CPU2 CPU3
//rcu_nocb_toggle //nocb_cb_wait //rcutorture

// deoffload CPU1 // process CPU1's rdp
rcu_barrier()
rcu_segcblist_entrain()
rcu_segcblist_add_len(1);
// len == 2
// enqueue barrier
// callback to CPU1's
// rdp->cblist
rcu_do_batch()
// invoke CPU1's rdp->cblist
// callback
rcu_barrier_callback()
rcu_barrier()
mutex_lock(&rcu_state.barrier_mutex);
// si vede ancora len == 2
// enqueue barrier callback
// su rdp->cblist di CPU1
rcu_segcblist_entrain()
rcu_segcblist_add_len(1);
// len == 3
// decrementa len
rcu_segcblist_add_len(-2);
kthread_parkme()

// rdp->cblist di CPU1 len == 1
// Si avvisa perché c'è
// ancora un barrier pendente
// si genera un warning
WARN_ON_ONCE(rcu_segcblist_n_cbs(&rdp->cblist));
cpus_read_unlock();

// si attende che CPU1 venga online e
// invochi il callback di barrier su
// rdp->cblist di CPU1
wait_for_completion(&rcu_state.barrier_completion);
// deoffload CPU4
cpus_read_lock()
rcu_barrier()
mutex_lock(&rcu_state.barrier_mutex);
// blocco su barrier_mutex
// attendo che rcu_barrier() su
// CPU3 sblocchi barrier_mutex
// ma CPU3 sblocca barrier_mutex
// bisogna attendere che CPU1 venga online
// quando CPU1 si mette online bloccherà su cpus_write_lock

Lo scenario sopra descritto non solo genera un WARN_ON_ONCE(), ma può anche
portare a un deadlock.

Grazie alla locking nocb, un secondo rcu_barrier() in competizione su una CPU offline
osserverà o il decremento del contatore dei callback fino a 0, evitando di mettere in coda ulteriori callback,
oppure rcuo osserverà il nuovo callback e manterrà rdp->nocb_cb_sleep a false.

Pertanto, è importante verificare rdp->nocb_cb_sleep prima di mettere in pausa la CPU, per assicurarsi che nessun altro rcu_barrier() sia in attesa su rdp.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0003

Percentile

0,1th

Updated

EPSS Score Trend (Last 90 Days)

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 6.12 (inclusive)

To 6.12.2 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://git.kernel.org/stable/c/224b62028959858294789772d37…

https://git.kernel.org/stable/c/224b62028959858294789772d372dcb36cf5f820

https://git.kernel.org/stable/c/2996980e20b7a54a1869df15b34…

https://git.kernel.org/stable/c/2996980e20b7a54a1869df15b3445374b850b155

CVE-2024-56547

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

Linux Kernel by Linux

Product Information

Iscriviti alla newsletter