CVE-2024-35979 in Linux

Summary

by MITRE • 05/20/2024

In the Linux kernel, the following vulnerability has been resolved:

raid1: fix use-after-free for original bio in raid1_write_request()

r1_bio->bios[] is used to record new bios that will be issued to underlying disks; however, in raid1_write_request(), r1_bio->bios[] will be set to the original bio temporarily. Meanwhile, if a blocked rdev is set, free_r1bio() will be called, causing all r1_bio->bios[] to be freed:

    raid1_write_request()
     r1_bio = alloc_r1bio(mddev, bio);
     -> r1_bio->bios[] is NULL
     for (i = 0; i < disks; i++)
      for each rdev
       // first rdev is normal
       r1_bio->bios[0] = bio;
       -> set to original bio
       // second rdev is blocked
       if (test_bit(Blocked, &rdev->flags))
        break

     if (blocked_rdev)
      free_r1bio()
       put_all_bios()
        bio_put(r1_bio->bios[0])
        -> original bio is freed

Test scripts:

    mdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean
    fio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \
        -iodepth=128 -name=test -direct=1
    echo blocked > /sys/block/md0/md/rd2/state

Test result:

    BUG bio-264 (Not tainted): Object already free
    -----------------------------------------------------------------------------

    Allocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869
     kmem_cache_alloc+0x324/0x480
     mempool_alloc_slab+0x24/0x50
     mempool_alloc+0x6e/0x220
     bio_alloc_bioset+0x1af/0x4d0
     blkdev_direct_IO+0x164/0x8a0
     blkdev_write_iter+0x309/0x440
     aio_write+0x139/0x2f0
     io_submit_one+0x5ca/0xb70
     __do_sys_io_submit+0x86/0x270
     __x64_sys_io_submit+0x22/0x30
     do_syscall_64+0xb1/0x210
     entry_SYSCALL_64_after_hwframe+0x6c/0x74
    Freed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869
     kmem_cache_free+0x28c/0x550
     mempool_free_slab+0x1f/0x30
     mempool_free+0x40/0x100
     bio_free+0x59/0x80
     bio_put+0xf0/0x220
     free_r1bio+0x74/0xb0
     raid1_make_request+0xadf/0x1150
     md_handle_request+0xc7/0x3b0
     md_submit_bio+0x76/0x130
     __submit_bio+0xd8/0x1d0
     submit_bio_noacct_nocheck+0x1eb/0x5c0
     submit_bio_noacct+0x169/0xd40
     submit_bio+0xee/0x1d0
     blkdev_direct_IO+0x322/0x8a0
     blkdev_write_iter+0x309/0x440
     aio_write+0x139/0x2f0

Since the bios for underlying disks are not allocated yet, fix this problem by using mempool_free() directly to free the r1_bio.


Analysis

by VulDB Data Team • 05/20/2024

The vulnerability identified as CVE-2024-35979 resides within the Linux kernel's RAID-1 implementation, specifically within the `raid1_write_request()` function. This flaw manifests as a use-after-free condition that occurs when handling write requests in a mirrored RAID configuration. The core issue stems from improper management of bio structures during the processing of RAID write operations, where the original bio reference is temporarily stored in the `r1_bio->bios[]` array before being freed, leading to a scenario where a freed memory object is accessed. The vulnerability impacts the kernel's storage subsystem by creating a potential crash condition and memory corruption when processing I/O requests under specific fault conditions.

The technical root cause lies in the sequence of operations within `raid1_write_request()`, where the `r1_bio->bios[]` array is meant to track the new bios that will be issued to the underlying devices. As the function iterates over the member devices, each device that is not blocked has the submitter's original bio stored in its `r1_bio->bios[]` slot as a temporary placeholder. When a later device is found to be marked blocked, the loop breaks and the function calls `free_r1bio()`, which invokes `put_all_bios()` and thereby `bio_put()` on every bio recorded in the array, including the original bio parked in `r1_bio->bios[0]`. That original bio is still owned by the submitter and is reused once the blocked device is released and the request is retried, so it is accessed after it has been freed: a classic use-after-free that violates memory safety.

The operational impact extends beyond a simple system crash to potentially more serious consequences within kernel memory management. A use-after-free can lead to arbitrary code execution if an attacker can control the memory layout or the timing of operations so as to exploit the freed object. The vulnerability is particularly concerning in high-throughput storage environments where RAID-1 configurations are prevalent, as it can cause system instability and data corruption during concurrent write operations. The conditions that trigger it are a RAID-1 array with multiple devices, in-flight write I/O, and one of the member devices being marked blocked while a write is being prepared; once the flag is set, the free of the original bio follows deterministically from the loop logic. Note that the reproduction sets the blocked state through a sysfs attribute that only privileged users can write; in normal operation the flag is set by the md layer itself, for example while it records bad blocks on a member device.

This vulnerability aligns with CWE-416 (Use After Free) and belongs to the broader class of memory safety issues in kernel space. The flaw is a resource-management failure: the kernel did not keep the lifecycle of bio structures straight during RAID-1 write handling when a blocked device was encountered. The fix replaces the `free_r1bio()` call on that path with a direct `mempool_free()` that returns only the `r1_bio` container to its pool; because no per-device bios have been allocated at that point, nothing else needs releasing, and the original bio is left untouched. The vulnerability also connects to ATT&CK technique T1068, "Exploitation for Privilege Escalation," since memory corruption in kernel space can potentially be leveraged to gain elevated privileges. The test scenario in the CVE shows the bug being triggered through standard RAID configuration and I/O workload generation, which makes it a realistic concern in production systems. The fix ensures proper lifecycle management and prevents the premature deallocation of bio structures, preserving the integrity of the kernel's storage subsystem.
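To make the lifecycle problem concrete, the following is an added user-space model of the `r1_bio->bios[]` handling described above, before and after the fix. It is not kernel code and not part of the MITRE or VulDB text: `struct bio`, `struct r1bio`, the bio pool, `write_request()` and `live_bios()` are simplified stand-ins for the kernel structures and functions, and the refcount-to-zero check stands in for the slab's "Object already free" report.

```c
/* Added example, not kernel code: user-space model of r1_bio->bios[] handling in
 * raid1_write_request() before/after the CVE-2024-35979 fix (names are stand-ins). */
#include <stdlib.h>
#define RAID_DISKS 4
#define POOL_SIZE  8
struct bio   { int refcnt; };                    /* refcnt 0 means freed */
struct r1bio { struct bio *bios[RAID_DISKS]; };
static struct bio pool[POOL_SIZE];               /* stand-in for the bio mempool */

static struct bio *bio_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].refcnt == 0) { pool[i].refcnt = 1; return &pool[i]; }
    return NULL;
}
static void bio_put(struct bio *b) { if (b && b->refcnt > 0) b->refcnt--; }
int live_bios(void) {                            /* bios still allocated in the pool */
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += pool[i].refcnt > 0;
    return n;
}

/* free_r1bio(): put_all_bios() drops every bio recorded in bios[], then the r1_bio
 * goes back to its pool. Correct once bios[] holds per-device clones. */
static void free_r1bio(struct r1bio *r1) {
    for (int i = 0; i < RAID_DISKS; i++) bio_put(r1->bios[i]);
    free(r1);
}

/* blocked[i] != 0 marks member i as Blocked; use_fix selects the patched cleanup.
 * Returns 1 if the submitter's original bio is already freed at the point where
 * the request would be retried (the use-after-free), 0 otherwise. */
int write_request(const int *blocked, int use_fix) {
    struct bio *orig = bio_alloc();              /* submitter's bio; caller owns it */
    struct r1bio *r1 = calloc(1, sizeof *r1);    /* alloc_r1bio(): bios[] all NULL */
    int i, uaf = 0;
    for (i = 0; i < RAID_DISKS; i++) {
        if (blocked[i]) break;                   /* test_bit(Blocked): abort, retry later */
        r1->bios[i] = orig;                      /* parked here only temporarily */
    }
    if (i < RAID_DISKS) {                        /* blocked_rdev set */
        if (use_fix) free(r1);                   /* mempool_free(r1_bio): container only */
        else         free_r1bio(r1);             /* buggy: bio_put(orig) through bios[] */
        uaf = (orig->refcnt == 0);               /* retry_write would reuse orig */
    } else {
        for (i = 0; i < RAID_DISKS; i++)         /* normal path: bios[] become clones */
            r1->bios[i] = bio_alloc();
        free_r1bio(r1);                          /* on completion: puts the clones only */
    }
    bio_put(orig);                               /* submitter releases its own reference */
    return uaf;
}
```

With the third member blocked the buggy path frees the original bio while the submitter still holds it, the fixed path does not, and a blocked first member never triggers it because nothing has been parked in `bios[]` yet.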

Reservation

05/17/2024

Disclosure

05/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low
