CVE-2024-47706 in Linuxinfo

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix possible UAF for bfqq->bic with merge chain

1) initial state, three tasks:

Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) | Λ | Λ | Λ | | | | | | V | V | V | bfqq1 bfqq2 bfqq3 process ref: 1 1 1

2) bfqq1 merged to bfqq2:

Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) | | | Λ \--------------\| | | V V | bfqq1--------->bfqq2 bfqq3 process ref: 0 2 1

3) bfqq2 merged to bfqq3:

Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) here -> Λ | | \--------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3 process ref: 0 1 3

In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then get bfqq3 through merge chain, and finially handle IO by bfqq3. Howerver, current code will think bfqq2 is owned by BIC1, like initial state, and set bfqq2->bic to BIC1.

bfq_insert_request -> by Process 1 bfqq = bfq_init_rq(rq) bfqq = bfq_get_bfqq_handle_split bfqq = bic_to_bfqq -> get bfqq2 from BIC1 bfqq->ref++ rq->elv.priv[0] = bic
rq->elv.priv[1] = bfqq
if (bfqq_process_refs(bfqq) == 1) bfqq->bic = bic -> record BIC1 to bfqq2

__bfq_insert_request new_bfqq = bfq_setup_cooperator -> get bfqq3 from bfqq2->new_bfqq bfqq_request_freed(bfqq) new_bfqq->ref++ rq->elv.priv[1] = new_bfqq
-> handle IO by bfqq3

Fix the problem by checking bfqq is from merge chain fist. And this might fix a following problem reported by our syzkaller(unreproducible):

================================================================== BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595

CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: kblockd blk_mq_requeue_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline]
print_report+0x10d/0x610 mm/kasan/report.c:475 kasan_report+0x8e/0xc0 mm/kasan/report.c:588 bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757 bfq_init_rq block/bfq-iosched.c:6876 [inline]
bfq_insert_request block/bfq-iosched.c:6254 [inline]
bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304 blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593 blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502 process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 kthread+0x33c/0x440 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305

Allocated by task 20776: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3458 [inline]
kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503 ioc_create_icq block/blk-ioc.c:370 [inline]
---truncated---

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 01/19/2026

The vulnerability described in CVE-2024-47706 affects the Linux kernel's Block I/O scheduler, specifically within the Budget Fair Queueing (BFQ) implementation. This issue represents a use-after-free condition that arises from improper handling of bfqq (BFQ queue) references during I/O request processing, particularly when queues are merged through a chain. The flaw manifests during the execution of bfq_insert_request, where a queue that has been merged into another queue is incorrectly associated with its original BIC (Block I/O Control) structure, leading to a stale reference that can be freed and subsequently accessed. This mismanagement occurs because the code fails to properly identify whether a queue originates from a merge chain, resulting in a situation where a freed queue structure is still referenced by a BIC, creating a potential vector for memory corruption and system instability.

The technical root cause lies in the bfq_get_bfqq_handle_split function and its interaction with bfqq merge operations, which are governed by the BFQ scheduler's cooperative queue management logic. When a bfqq undergoes a merge operation, the reference counting mechanism becomes inconsistent, particularly when bfqq2 is merged into bfqq3 through a chain. During the insertion of a new request, the kernel incorrectly assumes that bfqq2 is still owned by BIC1, despite the fact that it has been merged into bfqq3 and should no longer be directly associated with BIC1. This inconsistency leads to a double-free scenario or access to freed memory when the system attempts to process I/O requests through the merged queue chain. The KASAN (Kernel Address Sanitizer) report confirms the presence of a slab-use-after-free error at bfq_do_early_stable_merge, indicating that the kernel's memory management has detected an attempt to access memory that has already been freed. The vulnerability aligns with CWE-416, Use After Free, and can be categorized under ATT&CK technique T1068, Exploitation for Privilege Escalation, as it could potentially allow an attacker to manipulate memory contents or trigger denial-of-service conditions.

The operational impact of this vulnerability extends to system stability and reliability, particularly in environments where high I/O workloads are common, such as storage servers or database systems using BFQ as their I/O scheduler. When triggered, the vulnerability can lead to kernel panics, system crashes, or unpredictable behavior due to memory corruption. The reported syzkaller bug demonstrates that this issue is not merely theoretical but has been observed in practice, suggesting that it could be exploited by malicious actors or occur under specific workload conditions. The vulnerability affects systems running Linux kernel versions that include the BFQ scheduler, particularly those utilizing the block layer's I/O request handling mechanisms. Mitigation efforts should focus on ensuring that the kernel is updated to a patched version that correctly handles queue merging and reference counting in the BFQ scheduler. Additionally, system administrators should monitor for potential crashes or instability in I/O-intensive workloads, as the vulnerability may not always manifest immediately but could lead to system corruption over time. The fix implemented addresses the core issue by checking whether a bfqq originates from a merge chain before associating it with a BIC, thereby preventing the stale reference that leads to the use-after-free condition.

Responsible

Linux

Reservation

09/30/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00236

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!