CVE-2024-42232
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: fix race between delayed_work() and ceph_monc_stop()
The way the delayed work is handled in ceph_monc_stop() is prone to races with mon_fault() and possibly also finish_hunting(). Both of these can requeue the delayed work which wouldn't be canceled by any of the following code in case that happens after cancel_delayed_work_sync() runs – __close_session() doesn't mess with the delayed work in order to avoid interfering with the hunting interval logic. This part was missed in commit b5d91704f53e ("libceph: behave in mon_fault() if cur_mon < 0") and use-after-free can still ensue on monc and objects that hang off of it, with monc->auth and monc->monmap being particularly susceptible to quickly being reused.
To fix this:
- clear monc->cur_mon and monc->hunting as part of closing the session in ceph_monc_stop()
- bail from delayed_work() if monc->cur_mon is cleared, similar to how it's done in mon_fault() and finish_hunting() (based on monc->hunting)
- call cancel_delayed_work_sync() after the session is closed
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 0e04dc26cc594d31ee6b1382b452b6bc83b57937 < 1177afeca833174ba83504688eec898c6214f4bf | affected |
| Linux | Linux | 0e04dc26cc594d31ee6b1382b452b6bc83b57937 < 63e5d035e3a7ab7412a008f202633c5e6a0a28ea | affected |
| Linux | Linux | 0e04dc26cc594d31ee6b1382b452b6bc83b57937 < 34b76d1922e41da1fa73d43b764cddd82ac9733c | affected |
| Linux | Linux | 0e04dc26cc594d31ee6b1382b452b6bc83b57937 < 20cf67dcb7db842f941eff1af6ee5e9dc41796d7 | affected |
| Linux | Linux | 0e04dc26cc594d31ee6b1382b452b6bc83b57937 < 2d33654d40a05afd91ab24c9a73ab512a0670a9a | affected |
| Linux | Linux | 0e04dc26cc594d31ee6b1382b452b6bc83b57937 < 9525af1f58f67df387768770fcf6d6a8f23aee3d | affected |
| Linux | Linux | 0e04dc26cc594d31ee6b1382b452b6bc83b57937 < 33d38c5da17f8db2d80e811b7829d2822c10625e | affected |
| Linux | Linux | 0e04dc26cc594d31ee6b1382b452b6bc83b57937 < 69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 | affected |
| Linux | Linux | 4.6 | affected |
| Linux | Linux | 0 < 4.6 | unaffected |
| Linux | Linux | 4.19.318 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.280 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.222 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.163 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.100 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.41 <= 6.6.* | unaffected |
| Linux | Linux | 6.9.10 <= 6.9.* | unaffected |
| Linux | Linux | 6.10 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf
- https://git.kernel.org/stable/c/63e5d035e3a7ab7412a008f202633c5e6a0a28ea
- https://git.kernel.org/stable/c/34b76d1922e41da1fa73d43b764cddd82ac9733c
- https://git.kernel.org/stable/c/20cf67dcb7db842f941eff1af6ee5e9dc41796d7
- https://git.kernel.org/stable/c/2d33654d40a05afd91ab24c9a73ab512a0670a9a
- https://git.kernel.org/stable/c/9525af1f58f67df387768770fcf6d6a8f23aee3d
- https://git.kernel.org/stable/c/33d38c5da17f8db2d80e811b7829d2822c10625e
- https://git.kernel.org/stable/c/69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.