2258475 – (CVE-2024-0562) CVE-2024-0562 kernel: use-after-free after removing device in wb_inode_writeback_end in mm/page-writeback.c

Bug 2258475 (CVE-2024-0562) - CVE-2024-0562 kernel: use-after-free after removing device in wb_inode_writeback_end in mm/page-writeback.c

Summary: CVE-2024-0562 kernel: use-after-free after removing device in wb_inode_writeb...

Keywords:
Status:	NEW
Alias:	CVE-2024-0562
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2258473
TreeView+	depends on / blocked

Reported:	2024-01-15 15:08 UTC by Rohit Keshri
Modified:	2024-03-20 23:17 UTC (History)
CC List:	47 users (show)
Fixed In Version:	kernel 6.0-rc3
Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free flaw was found in the Linux Kernel. When a disk is removed, bdi_unregister is called to stop further write-back and waits for associated delayed work to complete. However, wb_inode_writeback_end() may schedule bandwidth estimation work after this has completed, which can result in the timer attempting to access the recently freed bdi_writeback.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:0412	0	None	None	None	2024-01-24 16:45:34 UTC

Description Rohit Keshri 2024-01-15 15:08:41 UTC

A use-after-free problem was found when a disk is removed, bdi_unregister gets called to stop further writeback and wait for associated delayed work to complete. However, wb_inode_writeback_end() may schedule bandwidth estimation dwork after this has completed, which can result in the timer attempting to access the just freed bdi_writeback.

Refer:
https://patchwork.kernel.org/project/linux-mm/patch/20220801155034.3772543-1-khazhy@google.com/

Comment 5 errata-xmlrpc 2024-01-24 16:45:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412

Comment 6 Joel Hardin 2024-01-26 02:09:20 UTC Comment hidden (spam)

This comment was flagged a spam, view the edit history to see the original text if required.

Comment 7 Lee Jones 2024-02-06 13:59:07 UTC

Why are you raising CVEs for issues that were fixed and backported 18 months ago?

This is wasting a lot of people's precious time.

Comment 8 Alex 2024-02-11 15:28:37 UTC

In reply to comment #7:
> Why are you raising CVEs for issues that were fixed and backported 18 months
> ago?
> 
> This is wasting a lot of people's precious time.

This one is for backport to older versions of Red Hat Linux, because original request was:
"reported experiencing a UAF in RHEL8.6."

(and it is not actual for version 8.8 and later, because the patch already applied there at the moment of this report).

Comment 12 Charmaine9x 2024-03-19 03:33:51 UTC Comment hidden (spam)

This comment was flagged a spam, view the edit history to see the original text if required.

Note You need to log in before you can comment on or make changes to this bug.

acaringi
allarkin
bhu
chwhite
cye
cyin
dbohanno
debarbos
dfreiber
drow
dvlasenk
ezulian
gsuckevi
hkrzesin
jarod
jburrell
jdenham
jfaracco
jforbes
jlelli
joe.lawrence
jshortt
jstancek
jwyatt
kcarcia
ldoskova
lee
lgoncalv
lzampier
mmilgram
mstowell
nmurray
ptalbert
rparrazo
rrobaina
rvrbovsk
rysulliv
scweaver
tglozar
tyberry
vkumar
wcosta
williams
wmealing
ycote
ykopkova
zhijwang