CVE-2024-56672

Published: Dic 27, 2024 Last Modified: Nov 03, 2025 EU-VD ID: EUVD-2024-53320

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,0

Source: [email protected]

Attack Vector: local

Attack Complexity: high

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

blk-cgroup: Fix UAF in blkcg_unpin_online()

blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To
walk up, it uses blkcg_parent(blkcg) but it was calling that after
blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the
following UAF:

==================================================================
BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270
Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117

CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022
Workqueue: cgwb_release cgwb_release_workfn
Call Trace:
<TASK>
dump_stack_lvl+0x27/0x80
print_report+0x151/0x710
kasan_report+0xc0/0x100
blkcg_unpin_online+0x15a/0x270
cgwb_release_workfn+0x194/0x480
process_scheduled_works+0x71b/0xe20
worker_thread+0x82a/0xbd0
kthread+0x242/0x2c0
ret_from_fork+0x33/0x70
ret_from_fork_asm+0x1a/0x30
</TASK>
...
Freed by task 1944:
kasan_save_track+0x2b/0x70
kasan_save_free_info+0x3c/0x50
__kasan_slab_free+0x33/0x50
kfree+0x10c/0x330
css_free_rwork_fn+0xe6/0xb30
process_scheduled_works+0x71b/0xe20
worker_thread+0x82a/0xbd0
kthread+0x242/0x2c0
ret_from_fork+0x33/0x70
ret_from_fork_asm+0x1a/0x30

Note that the UAF is not easy to trigger as the free path is indirected
behind a couple RCU grace periods and a work item execution. I could only
trigger it with artifical msleep() injected in blkcg_unpin_online().

Fix it by reading the parent pointer before destroying the blkcg's blkg's.

AI Generated Translation

Nel kernel Linux è stata risolta la seguente vulnerabilità:

blk-cgroup: Correzione di UAF in blkcg_unpin_online()

blkcg_unpin_online() risale la gerarchia di blkcg per rimuovere il pin online. Per farlo, utilizza blkcg_parent(blkcg), ma chiamava questa funzione dopo aver eseguito blkcg_destroy_blkgs(blkcg), che poteva liberare il blkcg, portando al seguente UAF:

==================================================================
BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270
Lettura di dimensione 8 all'indirizzo ffff8881057678c0 da parte del task kworker/9:1/117

CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Non contaminato 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48
Nome hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS sconosciuto 02/02/2022
Workqueue: cgwb_release cgwb_release_workfn
Call Trace:
<TASK>
dump_stack_lvl+0x27/0x80
print_report+0x151/0x710
kasan_report+0xc0/0x100
blkcg_unpin_online+0x15a/0x270
cgwb_release_workfn+0x194/0x480
process_scheduled_works+0x71b/0xe20
worker_thread+0x82a/0xbd0
kthread+0x242/0x2c0
ret_from_fork+0x33/0x70
ret_from_fork_asm+0x1a/0x30
</TASK>
...
Liberato dal task 1944:
kasan_save_track+0x2b/0x70
kasan_save_free_info+0x3c/0x50
__kasan_slab_free+0x33/0x50
kfree+0x10c/0x330
css_free_rwork_fn+0xe6/0xb30
process_scheduled_works+0x71b/0xe20
worker_thread+0x82a/0xbd0
kthread+0x242/0x2c0
ret_from_fork+0x33/0x70
ret_from_fork_asm+0x1a/0x30

Si noti che il UAF non è facile da attivare, poiché il percorso di liberazione è indiretto attraverso un paio di periodi di grace RCU e l'esecuzione di un work item. Sono riuscito a triggerarlo solo inserendo artificialmente msleep() in blkcg_unpin_online().

Correggere il problema leggendo il puntatore parent prima di distruggere i blkg del blkcg.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0006

Percentile

0,2th

Updated

EPSS Score Trend (Last 90 Days)

416

Use After Free

Stable

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Availability Confidentiality

Potential Impacts:

Modify Memory Dos: Crash, Exit, Or Restart Execute Unauthorized Code Or Commands

Applicable Platforms

Languages: C, C++, Memory-Unsafe

Likelihood of Exploit: High

View CWE Details

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 6.7 (inclusive)

To 6.12.6 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version 6.13

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version 6.13

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 6.2 (inclusive)

To 6.6.67 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Linux Kernel by Linux

Product Information

Vendor Linux

Product Linux Kernel

Version Range Affected

From 5.7 (inclusive)

To 6.1.121 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://git.kernel.org/stable/c/29d1e06560f0f6179062ac638b4…

https://git.kernel.org/stable/c/29d1e06560f0f6179062ac638b4064deb637d1ad

https://git.kernel.org/stable/c/5baa28569c924d9a90d036c2aaa…

https://git.kernel.org/stable/c/5baa28569c924d9a90d036c2aaab79f791fedaf8

https://git.kernel.org/stable/c/64afc6fe24c9896c0153e5a199b…

https://git.kernel.org/stable/c/64afc6fe24c9896c0153e5a199bcea241ecb0d5c

https://git.kernel.org/stable/c/83f5a87ee8caa76a917f59912a7…

https://git.kernel.org/stable/c/83f5a87ee8caa76a917f59912a74d6811f773c67

https://git.kernel.org/stable/c/86e6ca55b83c575ab0f2e105cf0…

https://git.kernel.org/stable/c/86e6ca55b83c575ab0f2e105cf08f98e58d3d7af

https://git.kernel.org/stable/c/8a07350fe070017a887433f4d69…

https://git.kernel.org/stable/c/8a07350fe070017a887433f4d6909433955be5f1

https://lists.debian.org/debian-lts-announce/2025/03/msg000…

https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html

https://lists.debian.org/debian-lts-announce/2025/03/msg000…

https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

CVE-2024-56672

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

Use After Free

Common Consequences

Applicable Platforms

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Linux Kernel by Linux

Product Information

Iscriviti alla newsletter