cve-2024-26832
Vulnerability from cvelistv5
Published
2024-04-17 10:10
Modified
2024-12-19 08:48
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mm: zswap: fix missing folio cleanup in writeback race path In zswap_writeback_entry(), after we get a folio from __read_swap_cache_async(), we grab the tree lock again to check that the swap entry was not invalidated and recycled. If it was, we delete the folio we just added to the swap cache and exit. However, __read_swap_cache_async() returns the folio locked when it is newly allocated, which is always true for this path, and the folio is ref'd. Make sure to unlock and put the folio before returning. This was discovered by code inspection, probably because this path handles a race condition that should not happen often, and the bug would not crash the system, it will only strand the folio indefinitely.
Impacted products
Vendor Product Version
Linux Linux Version: 6.4
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26832",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-16T18:06:53.982230Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-16T18:07:04.867Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.535Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/zswap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "14f1992430ef9e647b02aa8ca12c5bcb9a1dffea",
              "status": "affected",
              "version": "2cab13f500a6333bd2b853783ac76be9e4956f8a",
              "versionType": "git"
            },
            {
              "lessThan": "6156277d1b26cb3fdb6fcbf0686ab78268571644",
              "status": "affected",
              "version": "04fc7816089c5a32c29a04ec94b998e219dfb946",
              "versionType": "git"
            },
            {
              "lessThan": "e2891c763aa2cff74dd6b5e978411ccf0cf94abe",
              "status": "affected",
              "version": "04fc7816089c5a32c29a04ec94b998e219dfb946",
              "versionType": "git"
            },
            {
              "lessThan": "e3b63e966cac0bf78aaa1efede1827a252815a1d",
              "status": "affected",
              "version": "04fc7816089c5a32c29a04ec94b998e219dfb946",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/zswap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: fix missing folio cleanup in writeback race path\n\nIn zswap_writeback_entry(), after we get a folio from\n__read_swap_cache_async(), we grab the tree lock again to check that the\nswap entry was not invalidated and recycled.  If it was, we delete the\nfolio we just added to the swap cache and exit.\n\nHowever, __read_swap_cache_async() returns the folio locked when it is\nnewly allocated, which is always true for this path, and the folio is\nref\u0027d.  Make sure to unlock and put the folio before returning.\n\nThis was discovered by code inspection, probably because this path handles\na race condition that should not happen often, and the bug would not crash\nthe system, it will only strand the folio indefinitely."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:48:18.069Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea"
        },
        {
          "url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d"
        }
      ],
      "title": "mm: zswap: fix missing folio cleanup in writeback race path",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26832",
    "datePublished": "2024-04-17T10:10:01.016Z",
    "dateReserved": "2024-02-19T14:20:24.181Z",
    "dateUpdated": "2024-12-19T08:48:18.069Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26832\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-17T10:15:09.507\",\"lastModified\":\"2024-11-21T09:03:10.120\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: zswap: fix missing folio cleanup in writeback race path\\n\\nIn zswap_writeback_entry(), after we get a folio from\\n__read_swap_cache_async(), we grab the tree lock again to check that the\\nswap entry was not invalidated and recycled.  If it was, we delete the\\nfolio we just added to the swap cache and exit.\\n\\nHowever, __read_swap_cache_async() returns the folio locked when it is\\nnewly allocated, which is always true for this path, and the folio is\\nref\u0027d.  Make sure to unlock and put the folio before returning.\\n\\nThis was discovered by code inspection, probably because this path handles\\na race condition that should not happen often, and the bug would not crash\\nthe system, it will only strand the folio indefinitely.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mm: zswap: corrige la limpieza de folio faltante en la ruta de carrera de escritura diferida En zswap_writeback_entry(), despu\u00e9s de obtener un folio de __read_swap_cache_async(), tomamos el bloqueo del \u00e1rbol nuevamente para verificar que el intercambio la entrada no fue invalidada y reciclada. Si as\u00ed fuera, eliminamos la publicaci\u00f3n que acabamos de agregar al cach\u00e9 de intercambio y salimos. Sin embargo, __read_swap_cache_async() devuelve la publicaci\u00f3n bloqueada cuando se asigna recientemente, lo que siempre es cierto para esta ruta, y la publicaci\u00f3n se ref. Aseg\u00farate de desbloquear y colocar el folio antes de regresar. Esto se descubri\u00f3 mediante la inspecci\u00f3n del c\u00f3digo, probablemente porque esta ruta maneja una condici\u00f3n de carrera que no deber\u00eda ocurrir con frecuencia, y el error no bloquear\u00eda el sistema, solo bloquear\u00e1 la publicaci\u00f3n indefinidamente.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.