Ubuntu: (Multiple Advisories) (CVE-2024-40998): Linux kernel vulnerabilities

Ubuntu: (Multiple Advisories) (CVE-2024-40998): Linux kernel vulnerabilities

Severity

4

CVSS

(AV:L/AC:M/Au:N/C:P/I:P/A:P)

Published

07/12/2024

Created

09/13/2024

Added

09/12/2024

Modified

09/25/2024

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() In the following concurrency we will access the uninitialized rs->lock: ext4_fill_super ext4_register_sysfs // sysfs registered msg_ratelimit_interval_ms // Other processes modify rs->interval to // non-zero via msg_ratelimit_interval_ms ext4_orphan_cleanup ext4_msg(sb, KERN_INFO, "Errors on filesystem, " __ext4_msg ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state) if (!rs->interval)// do nothing if interval is 0 return 1; raw_spin_trylock_irqsave(&rs->lock, flags) raw_spin_trylock(lock) _raw_spin_trylock __raw_spin_trylock spin_acquire(&lock->dep_map, 0, 1, _RET_IP_) lock_acquire __lock_acquire register_lock_class assign_lock_key dump_stack(); ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10); raw_spin_lock_init(&rs->lock); // init rs->lock here and get the following dump_stack: ========================================================= INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504 [...] Call Trace: dump_stack_lvl+0xc5/0x170 dump_stack+0x18/0x30 register_lock_class+0x740/0x7c0 __lock_acquire+0x69/0x13a0 lock_acquire+0x120/0x450 _raw_spin_trylock+0x98/0xd0 ___ratelimit+0xf6/0x220 __ext4_msg+0x7f/0x160 [ext4] ext4_orphan_cleanup+0x665/0x740 [ext4] __ext4_fill_super+0x21ea/0x2b10 [ext4] ext4_fill_super+0x14d/0x360 [ext4] [...] ========================================================= Normally interval is 0 until s_msg_ratelimit_state is initialized, so ___ratelimit() does nothing. But registering sysfs precedes initializing rs->lock, so it is possible to change rs->interval to a non-zero value via the msg_ratelimit_interval_ms interface of sysfs while rs->lock is uninitialized, and then a call to ext4_msg triggers the problem by accessing an uninitialized rs->lock. Therefore register sysfs after all initializations are complete to avoid such problems.

Solution(s)

• ubuntu-upgrade-linux-image-6-8-0-1010-gke
• ubuntu-upgrade-linux-image-6-8-0-1011-raspi
• ubuntu-upgrade-linux-image-6-8-0-1012-ibm
• ubuntu-upgrade-linux-image-6-8-0-1012-oem
• ubuntu-upgrade-linux-image-6-8-0-1012-oracle
• ubuntu-upgrade-linux-image-6-8-0-1012-oracle-64k
• ubuntu-upgrade-linux-image-6-8-0-1013-nvidia
• ubuntu-upgrade-linux-image-6-8-0-1013-nvidia-64k
• ubuntu-upgrade-linux-image-6-8-0-1013-nvidia-lowlatency
• ubuntu-upgrade-linux-image-6-8-0-1013-nvidia-lowlatency-64k
• ubuntu-upgrade-linux-image-6-8-0-1014-azure
• ubuntu-upgrade-linux-image-6-8-0-1014-azure-fde
• ubuntu-upgrade-linux-image-6-8-0-1014-gcp
• ubuntu-upgrade-linux-image-6-8-0-1015-aws
• ubuntu-upgrade-linux-image-6-8-0-44-generic
• ubuntu-upgrade-linux-image-6-8-0-44-generic-64k
• ubuntu-upgrade-linux-image-6-8-0-44-lowlatency
• ubuntu-upgrade-linux-image-6-8-0-44-lowlatency-64k
• ubuntu-upgrade-linux-image-6-8-0-45-generic
• ubuntu-upgrade-linux-image-6-8-0-45-generic-64k
• ubuntu-upgrade-linux-image-aws
• ubuntu-upgrade-linux-image-azure
• ubuntu-upgrade-linux-image-azure-fde
• ubuntu-upgrade-linux-image-gcp
• ubuntu-upgrade-linux-image-generic
• ubuntu-upgrade-linux-image-generic-64k
• ubuntu-upgrade-linux-image-generic-64k-hwe-22-04
• ubuntu-upgrade-linux-image-generic-64k-hwe-24-04
• ubuntu-upgrade-linux-image-generic-hwe-22-04
• ubuntu-upgrade-linux-image-generic-hwe-24-04
• ubuntu-upgrade-linux-image-generic-lpae
• ubuntu-upgrade-linux-image-gke
• ubuntu-upgrade-linux-image-ibm
• ubuntu-upgrade-linux-image-ibm-classic
• ubuntu-upgrade-linux-image-ibm-lts-24-04
• ubuntu-upgrade-linux-image-kvm
• ubuntu-upgrade-linux-image-lowlatency
• ubuntu-upgrade-linux-image-lowlatency-64k
• ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04
• ubuntu-upgrade-linux-image-lowlatency-hwe-22-04
• ubuntu-upgrade-linux-image-nvidia
• ubuntu-upgrade-linux-image-nvidia-6-8
• ubuntu-upgrade-linux-image-nvidia-64k
• ubuntu-upgrade-linux-image-nvidia-64k-6-8
• ubuntu-upgrade-linux-image-nvidia-lowlatency
• ubuntu-upgrade-linux-image-nvidia-lowlatency-64k
• ubuntu-upgrade-linux-image-oem-22-04
• ubuntu-upgrade-linux-image-oem-22-04a
• ubuntu-upgrade-linux-image-oem-22-04b
• ubuntu-upgrade-linux-image-oem-22-04c
• ubuntu-upgrade-linux-image-oem-22-04d
• ubuntu-upgrade-linux-image-oracle
• ubuntu-upgrade-linux-image-oracle-64k
• ubuntu-upgrade-linux-image-raspi
• ubuntu-upgrade-linux-image-virtual
• ubuntu-upgrade-linux-image-virtual-hwe-22-04
• ubuntu-upgrade-linux-image-virtual-hwe-24-04

References

• https://attackerkb.com/topics/cve-2024-40998
• CVE - 2024-40998
• USN-6999-1
• USN-6999-2
• USN-7004-1
• USN-7005-1
• USN-7005-2
• USN-7008-1
• USN-7029-1

View more