CVE-2024-49854 in Linuxinfo

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix uaf for accessing waker_bfqq after splitting

After commit 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()"), if the current procress is the last holder of bfqq, the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and then access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq may in the merge chain of bfqq, hence just recored waker_bfqq is still not safe.

Fix the problem by adding a helper bfq_waker_bfqq() to check if bfqq->waker_bfqq is in the merge chain, and current procress is the only holder.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 01/19/2026

The vulnerability described in CVE-2024-49854 represents a use-after-free condition within the Linux kernel's block I/O subsystem, specifically affecting the BFQ (Budget Fair Queuing) scheduler implementation. This issue arises from improper handling of reference counting and memory management during the splitting of BFQ queue structures, creating a scenario where freed memory can be accessed after a queue split operation. The vulnerability demonstrates a classic memory safety issue that can potentially lead to system instability or privilege escalation, particularly when malicious processes attempt to exploit the race condition inherent in the queue management logic.

The technical flaw occurs in the block layer's BFQ scheduler where the bfq_split_bfqq() function fails to properly account for the lifecycle of the waker_bfqq reference after queue splitting operations. When a process becomes the sole holder of a BFQ queue, the system may proceed to free the queue structure immediately after splitting, yet subsequent access to the waker_bfqq field can still occur. This creates a window where the memory location previously occupied by the queue structure may have been reallocated or freed, leading to undefined behavior when attempting to access the waker_bfqq field. The problem is exacerbated by the fact that waker_bfqq may exist within the merge chain of the original bfqq, making simple reference recording insufficient to prevent the use-after-free scenario.

The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential attack vector for privilege escalation within the kernel space. An attacker could potentially exploit this condition to execute arbitrary code with kernel privileges, leading to complete system compromise. The vulnerability is particularly concerning because it occurs during normal I/O operations when queue splitting happens, meaning legitimate system processes could trigger the condition during routine operations. According to CWE classification, this represents a CWE-416 Use After Free vulnerability, which is categorized under the broader category of memory safety issues in kernel space. The ATT&CK framework would classify this as a kernel exploit technique, potentially enabling privilege escalation and system compromise through memory corruption.

The fix implemented addresses the root cause by introducing a dedicated helper function bfq_waker_bfqq() that performs comprehensive checks before accessing the waker_bfqq field. This helper function verifies whether the waker_bfqq is part of the merge chain and ensures that the current process is indeed the sole holder of the bfqq before allowing access. The solution follows established kernel security practices by implementing proper reference counting and lifecycle management for kernel data structures. The fix ensures that memory access operations occur only when the referenced structures remain valid, preventing the use-after-free condition that could otherwise be exploited by malicious actors. This approach aligns with the kernel's security model and demonstrates proper defensive programming practices in kernel space code where memory safety is paramount for system integrity and security.

Responsible

Linux

Reservation

10/21/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00217

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!