Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
0

CVE-2024-50121

Disclosure Date: November 05, 2024
CVE-2024-50121 CVSS v3 Base Score: 7.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

In the normal case, when we excute echo 0 > /proc/fs/nfsd/threads, the
function nfs4_state_destroy_net in nfs4_state_shutdown_net will
release all resources related to the hashed nfs4_client. If the
nfsd_client_shrinker is running concurrently, the expire_client
function will first unhash this client and then destroy it. This can
lead to the following warning. Additionally, numerous use-after-free
errors may occur as well.

nfsd_client_shrinker echo 0 > /proc/fs/nfsd/threads

expire_client nfsd_shutdown_net
unhash_client …

                           nfs4_state_shutdown_net
                             /* won't wait shrinker exit */

/* cancel_work(&nn->nfsd_shrinker_work)

  • nfsd_file for this /* won’t destroy unhashed client1 */

  • client1 still alive nfs4_state_destroy_net
    */

                           nfsd_file_cache_shutdown
                         /* trigger warning */
                         kmem_cache_destroy(nfsd_file_slab)
                         kmem_cache_destroy(nfsd_file_mark_slab)

    /* release nfsd_file and mark */
    __destroy_client

====================================================================
BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on

__kmem_cache_shutdown()

CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1

dump_stack_lvl+0x53/0x70
slab_err+0xb0/0xf0
__kmem_cache_shutdown+0x15c/0x310
kmem_cache_destroy+0x66/0x160
nfsd_file_cache_shutdown+0xac/0x210 [nfsd]
nfsd_destroy_serv+0x251/0x2a0 [nfsd]
nfsd_svc+0x125/0x1e0 [nfsd]
write_threads+0x16a/0x2a0 [nfsd]
nfsctl_transaction_write+0x74/0xa0 [nfsd]
vfs_write+0x1a5/0x6d0
ksys_write+0xc1/0x160
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e

====================================================================
BUG nfsd_file_mark (Tainted: G B W ): Objects remaining

nfsd_file_mark on __kmem_cache_shutdown()

dump_stack_lvl+0x53/0x70
slab_err+0xb0/0xf0
__kmem_cache_shutdown+0x15c/0x310
kmem_cache_destroy+0x66/0x160
nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]
nfsd_destroy_serv+0x251/0x2a0 [nfsd]
nfsd_svc+0x125/0x1e0 [nfsd]
write_threads+0x16a/0x2a0 [nfsd]
nfsctl_transaction_write+0x74/0xa0 [nfsd]
vfs_write+0x1a5/0x6d0
ksys_write+0xc1/0x160
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e

To resolve this issue, cancel nfsd_shrinker_work using synchronous
mode in nfs4_state_shutdown_net.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Linux f67138dd338cb564ade7d3755c8cd4f68b46d397
Linux 5ade4382de16c34d9259cb548f36ec5c4555913c
Linux 36775f42e039b01d4abe8998bf66771a37d3cdcc
Linux f965dc0f099a54fca100acf6909abe52d0c85328
Linux not down converted
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

Products

Weaknesses

Technical Analysis