CVE-2024-47733 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

netfs: Delete subtree of 'fs/netfs' when netfs module exits

In netfs_init() or fscache_proc_init(), we create dentry under 'fs/netfs', but in netfs_exit(), we only delete the proc entry of 'fs/netfs' without deleting its subtree. This triggers the following WARNING:

==================================================================
remove_proc_entry: removing non-empty directory 'fs/netfs', leaking at least 'requests'
WARNING: CPU: 4 PID: 566 at fs/proc/generic.c:717 remove_proc_entry+0x160/0x1c0
Modules linked in: netfs(-)
CPU: 4 UID: 0 PID: 566 Comm: rmmod Not tainted 6.11.0-rc3 #860
RIP: 0010:remove_proc_entry+0x160/0x1c0
Call Trace:
 netfs_exit+0x12/0x620 [netfs]
 __do_sys_delete_module.isra.0+0x14c/0x2e0
 do_syscall_64+0x4b/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
==================================================================

Therefore use remove_proc_subtree() instead of remove_proc_entry() to fix the above problem.


Analysis

by VulDB Data Team • 01/19/2026

The vulnerability identified as CVE-2024-47733 resides within the Linux kernel's netfs subsystem, specifically concerning improper cleanup of proc filesystem entries during module termination. This issue manifests when the netfs module is unloaded, creating a scenario where the kernel's proc filesystem management becomes inconsistent and potentially leads to resource leaks. The problem originates from the netfs_init() and fscache_proc_init() functions, which create entries under the 'fs/netfs' proc directory hierarchy. During normal module operation, these entries are properly created and maintained, but during the exit sequence through netfs_exit(), only the top-level proc entry is removed while its subdirectory contents remain intact, resulting in a non-empty directory structure that violates kernel filesystem consistency requirements.

The technical flaw stems from the improper use of kernel proc filesystem APIs during module cleanup operations. When the netfs module exits, the code invokes remove_proc_entry() to delete the 'fs/netfs' directory entry, but this function only removes the specified entry without recursively cleaning up its child entries. This behavior creates a directory structure that contains dangling references to subdirectories and files that should have been removed during module termination. The kernel's proc filesystem implementation detects this inconsistency and generates a warning message indicating that a non-empty directory is being removed, which constitutes a violation of proper resource management protocols and can lead to filesystem corruption or resource exhaustion over time.

The operational impact of this vulnerability extends beyond simple warning messages to potential system instability and resource management issues within the kernel's proc filesystem interface. The leaked entries under 'fs/netfs' can accumulate over multiple module load/unload cycles, leading to progressively larger filesystem inconsistencies that may eventually impact system performance or cause unexpected behavior in other kernel subsystems that interact with the proc filesystem. This particular issue represents a classic example of improper resource cleanup in kernel space, where the failure to properly traverse and remove directory hierarchies creates persistent artifacts in the kernel's virtual filesystem structure, potentially affecting monitoring tools or other subsystems that rely on consistent proc filesystem state.

The fix for CVE-2024-47733 involves replacing the existing remove_proc_entry() call with remove_proc_subtree() in the netfs_exit() function, which ensures complete removal of the entire directory hierarchy including all subentries. This change aligns with the kernel's established patterns for proper cleanup operations and follows the principle of least privilege in resource management. The solution addresses the underlying CWE-459 issue of incomplete cleanup of resources, specifically targeting the improper handling of filesystem entries during module termination. From an ATT&CK perspective, this vulnerability relates to privilege escalation through kernel-level resource management failures, as the improper cleanup could potentially be exploited to create persistent kernel artifacts or contribute to more complex attack vectors involving kernel memory corruption. The fix ensures that all proc filesystem entries created during module initialization are properly cleaned up, maintaining kernel filesystem consistency and preventing potential resource leakage that could impact system stability or security posture.
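The WARNING quoted in the summary is the observable sign of this bug, so hosts running an unfixed kernel can be identified from their kernel logs. The following is an added example, not code from the kernel patch or from VulDB: it scans log text for that message and records which module was being unloaded. The sample log is constructed from the trace in the summary with made-up timestamps, and `find_proc_leaks` is a hypothetical helper name.

```python
import re

# Message printed by remove_proc_entry() when a directory still has children.
LEAK = re.compile(r"remove_proc_entry: removing non-empty directory '([^']+)', "
                  r"leaking at least '([^']+)'")
# In "Modules linked in:", a trailing "-" inside the parentheses marks a module
# that is being unloaded; letters before it are taint flags.
GOING = re.compile(r"([\w-]+)\([A-Z]*-\)")
COMM = re.compile(r"Comm: (\S+) (?:Not tainted|Tainted: .+?) (\d\S*) #")
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # optional dmesg timestamp prefix

# Constructed sample: the trace quoted in the summary, with made-up timestamps
# and one unrelated line in front.
SAMPLE_LOG = """\
[  101.000001] EXT4-fs (sda1): mounted filesystem
[  120.480311] remove_proc_entry: removing non-empty directory 'fs/netfs', leaking at least 'requests'
[  120.480340] WARNING: CPU: 4 PID: 566 at fs/proc/generic.c:717 remove_proc_entry+0x160/0x1c0
[  120.480355] Modules linked in: netfs(-)
[  120.480371] CPU: 4 UID: 0 PID: 566 Comm: rmmod Not tainted 6.11.0-rc3 #860
[  120.480390] RIP: 0010:remove_proc_entry+0x160/0x1c0
[  120.480402] Call Trace:
[  120.480415]  netfs_exit+0x12/0x620 [netfs]
"""


def find_proc_leaks(log_text, window=12):
    """Return one record per leak warning, enriched from the lines after it."""
    lines = [STAMP.sub("", raw) for raw in log_text.splitlines()]
    events = []
    for i, line in enumerate(lines):
        hit = LEAK.search(line)
        if not hit:
            continue
        ev = {"directory": hit.group(1), "leaked": hit.group(2),
              "unloading": [], "comm": None, "kernel": None}
        for follow in lines[i + 1:i + 1 + window]:
            if LEAK.search(follow):
                break  # a new warning starts here; stop enriching this one
            if follow.startswith("Modules linked in:"):
                ev["unloading"] = GOING.findall(follow)
            proc = COMM.search(follow)
            if proc:
                ev["comm"], ev["kernel"] = proc.group(1), proc.group(2)
        events.append(ev)
    return events


if __name__ == "__main__":
    for event in find_proc_leaks(SAMPLE_LOG):
        print(event)
```

A record whose `directory` is `fs/netfs` and whose `unloading` list contains `netfs` matches the condition described on this page; the same message with another directory points at a different module with the same cleanup pattern.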

Responsible

Linux

Reservation

09/30/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00233

KEV

no

Activities

very low

Sources
