发布时间: 2024年7月26日
修改时间: 2024年8月13日
In the Linux kernel, the following vulnerability has been resolved:btrfs: zoned: fix use-after-free due to race with dev replaceWhile loading a zone s info during creation of a block group, we can racewith a device replace operation and then trigger a use-after-free on thedevice that was just replaced (source device of the replace operation).This happens because at btrfs_load_zone_info() we extract a device fromthe chunk map into a local variable and then use the device while notunder the protection of the device replace rwsem. So if there s a devicereplace operation happening when we extract the device and that deviceis the source of the replace operation, we will trigger a use-after-freeif before we finish using the device the replace operation finishes andfrees the device.Fix this by enlarging the critical section under the protection of thedevice replace rwsem so that all uses of the device are done inside thecritical section.
| NVD | openEuler | |
|---|---|---|
| CVSS评分 | 7.8 | 7.0 |
| Attack Vector | Local | Local |
| Attack Complexity | Low | High |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality | High | High |
| Integrity | High | High |
| Availability | High | High |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2024-3216 | In the Linux kernel, the following vulnerability has been resolved:btrfs: zoned: fix use-after-free due to race with dev replaceWhile loading a zone s info during creation of a block group, we can racewith a device replace operation and then trigger a use-after-free on thedevice that was just replaced (source device of the replace operation).This happens because at btrfs_load_zone_info() we extract a device fromthe chunk map into a local variable and then use the device while notunder the protection of the device replace rwsem. So if there s a devicereplace operation happening when we extract the device and that deviceis the source of the replace operation, we will trigger a use-after-freeif before we finish using the device the replace operation finishes andfrees the device.Fix this by enlarging the critical section under the protection of thedevice replace rwsem so that all uses of the device are done inside thecritical section. | 2024年7月26日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-5A | kernel | Unaffected |
| KY3.5.2 | kernel | Unaffected |
| V6 | kernel | Fixed |
