CVE-2024-27058

Summary

In the Linux kernel, the following vulnerability has been resolved:

tmpfs: fix race on handling dquot rbtree

A syzkaller reproducer found a race while attempting to remove dquot information from the rb tree.

Fetching the rb_tree root node must also be protected by the dqopt->dqio_sem, otherwise, giving the right timing, shmem_release_dquot() will trigger a warning because it couldn't find a node in the tree, when the real reason was the root node changing before the search starts:

Thread 1 Thread 2

  • shmem_release_dquot() - shmem_{acquire,release}_dquot()

  • fetch ROOT - Fetch ROOT

      			- acquire dqio_sem
    
  • wait dqio_sem

      			- do something, triger a tree rebalance
      			- release dqio_sem
    
  • acquire dqio_sem

  • start searching for the node, but from the wrong location, missing the node, and triggering a warning.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxeafc474e202978ac735c551d5ee1eb8c02e2be54 < c7077f43f30d817d10a9f8245e51576ac114b2f0affected
LinuxLinuxeafc474e202978ac735c551d5ee1eb8c02e2be54 < 617d55b90e73c7b4aa2733ca6cc3f9b72d1124bbaffected
LinuxLinuxeafc474e202978ac735c551d5ee1eb8c02e2be54 < f82f184874d2761ebaa60dccf577921a0dbb3810affected
LinuxLinuxeafc474e202978ac735c551d5ee1eb8c02e2be54 < 0a69b6b3a026543bc215ccc866d0aea5579e6ce2affected
LinuxLinux6.6affected
LinuxLinux0 < 6.6unaffected
LinuxLinux6.6.24 <= 6.6.*unaffected
LinuxLinux6.7.12 <= 6.7.*unaffected
LinuxLinux6.8.3 <= 6.8.*unaffected
LinuxLinux6.9 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References