Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2024-26757

Disclosure Date: April 03, 2024
CVE-2024-26757
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

md: Don’t ignore read-only array in md_check_recovery()

Usually if the array is not read-write, md_check_recovery() won’t
register new sync_thread in the first place. And if the array is
read-write and sync_thread is registered, md_set_readonly() will
unregister sync_thread before setting the array read-only. md/raid
follow this behavior hence there is no problem.

After commit f52f5c71f3d4 (“md: fix stopping sync thread”), following
hang can be triggered by test shell/integrity-caching.sh:

  1. array is read-only. dm-raid update super block:
    rs_update_sbs
    ro = mddev->ro
    mddev->ro = 0
    –> set array read-write
    md_update_sb

  2. register new sync thread concurrently.

  3. dm-raid set array back to read-only:
    rs_update_sbs
    mddev->ro = ro

  4. stop the array:
    raid_dtr
    md_stop
    stop_sync_thread
    set_bit(MD_RECOVERY_INTR, &mddev->recovery);
    md_wakeup_thread_directly(mddev->sync_thread);
    wait_event(…, !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))

  5. sync thread done:
    md_do_sync
    set_bit(MD_RECOVERY_DONE, &mddev->recovery);
    md_wakeup_thread(mddev->thread);

  6. daemon thread can’t unregister sync thread:
    md_check_recovery
    if (!md_is_rdwr(mddev) &&
    !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))
    return;
    –> –> MD_RECOVERY_RUNNING can’t be cleared, hence step 4 hang;

The root cause is that dm-raid manipulate ‘mddev->ro’ by itself,
however, dm-raid really should stop sync thread before setting the
array read-only. Unfortunately, I need to read more code before I
can refacter the handler of ‘mddev->ro’ in dm-raid, hence let’s fix
the problem the easy way for now to prevent dm-raid regression.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Linux 2ea169c5a0b1
Linux not down converted
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • Linux

Products

  • Linux

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis