Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2024-36478

Disclosure Date: June 21, 2024 •

CVE-2024-36478 CVSS v3 Base Score: 5.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

null_blk: fix null-ptr-dereference while configuring ‘power’ and ‘submit_queues’

Writing ‘power’ and ‘submit_queues’ concurrently will trigger kernel
panic:

Test script:

modprobe null_blk nr_devices=0
mkdir -p /sys/kernel/config/nullb/nullb0
while true; do echo 1 > submit_queues; echo 4 > submit_queues; done &
while true; do echo 1 > power; echo 0 > power; done

Test result:

BUG: kernel NULL pointer dereference, address: 0000000000000148
Oops: 0000 [#1] PREEMPT SMP
RIP: 0010:__lock_acquire+0x41d/0x28f0
Call Trace:
<TASK>
lock_acquire+0x121/0x450
down_write+0x5f/0x1d0
simple_recursive_removal+0x12f/0x5c0
blk_mq_debugfs_unregister_hctxs+0x7c/0x100
blk_mq_update_nr_hw_queues+0x4a3/0x720
nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
nullb_device_submit_queues_store+0x79/0xf0 [null_blk]
configfs_write_iter+0x119/0x1e0
vfs_write+0x326/0x730
ksys_write+0x74/0x150

This is because del_gendisk() can concurrent with
blk_mq_update_nr_hw_queues():

nullb_device_power_store nullb_apply_submit_queues
null_del_dev
del_gendisk

			 nullb_update_nr_hw_queues
			  if (!dev->nullb)
			  // still set while gendisk is deleted
			   return 0
			  blk_mq_update_nr_hw_queues

dev->nullb = NULL

Fix this problem by resuing the global mutex to protect
nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.5 Medium

Impact Score:

3.6

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

None

Availability (A):

High

Vendors

linux

Products

linux kernel

References

Canonical

CVE-2024-36478 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36478)

Miscellaneous

https://git.kernel.org/stable/c/5d0495473ee4c1d041b5a917f10446a22c047f47

https://git.kernel.org/stable/c/a2db328b0839312c169eb42746ec46fc1ab53ed2

https://git.kernel.org/stable/c/aaadb755f2d684f715a6eb85cb7243aa0c67dfa9

https://git.kernel.org/stable/c/1d4c8baef435c98e8d5aa7027dc5a9f70834ba16

Rapid7

Unknown

CVE-2024-36478

Unknown

Unknown

None

Low

Local

CVE-2024-36478

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2024-36478

Unknown

Unknown

None

Low

Local

CVE-2024-36478

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification