ghsa-34cx-q7hf-42vr
Vulnerability from github
Published
2024-06-21 12:31
Modified
2024-06-21 12:31
Details

In the Linux kernel, the following vulnerability has been resolved:

fuse: clear FR_SENT when re-adding requests into pending list

The following warning was reported by lee bruce:

------------[ cut here ]------------ WARNING: CPU: 0 PID: 8264 at fs/fuse/dev.c:300 fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300 Modules linked in: CPU: 0 PID: 8264 Comm: ab2 Not tainted 6.9.0-rc7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300 ...... Call Trace: fuse_dev_do_read.constprop.0+0xd36/0x1dd0 fs/fuse/dev.c:1334 fuse_dev_read+0x166/0x200 fs/fuse/dev.c:1367 call_read_iter include/linux/fs.h:2104 [inline] new_sync_read fs/read_write.c:395 [inline] vfs_read+0x85b/0xba0 fs/read_write.c:476 ksys_read+0x12f/0x260 fs/read_write.c:619 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xce/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ......

The warning is due to the FUSE_NOTIFY_RESEND notify sent by the write() syscall in the reproducer program and it happens as follows:

(1) calls fuse_dev_read() to read the INIT request The read succeeds. During the read, bit FR_SENT will be set on the request. (2) calls fuse_dev_write() to send an USE_NOTIFY_RESEND notify The resend notify will resend all processing requests, so the INIT request is moved from processing list to pending list again. (3) calls fuse_dev_read() with an invalid output address fuse_dev_read() will try to copy the same INIT request to the output address, but it will fail due to the invalid address, so the INIT request is ended and triggers the warning in fuse_request_end().

Fix it by clearing FR_SENT when re-adding requests into pending list.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-38626"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-21T11:15:11Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: clear FR_SENT when re-adding requests into pending list\n\nThe following warning was reported by lee bruce:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 8264 at fs/fuse/dev.c:300\n  fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300\n  Modules linked in:\n  CPU: 0 PID: 8264 Comm: ab2 Not tainted 6.9.0-rc7\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n  RIP: 0010:fuse_request_end+0x685/0x7e0 fs/fuse/dev.c:300\n  ......\n  Call Trace:\n  \u003cTASK\u003e\n  fuse_dev_do_read.constprop.0+0xd36/0x1dd0 fs/fuse/dev.c:1334\n  fuse_dev_read+0x166/0x200 fs/fuse/dev.c:1367\n  call_read_iter include/linux/fs.h:2104 [inline]\n  new_sync_read fs/read_write.c:395 [inline]\n  vfs_read+0x85b/0xba0 fs/read_write.c:476\n  ksys_read+0x12f/0x260 fs/read_write.c:619\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xce/0x260 arch/x86/entry/common.c:83\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  ......\n  \u003c/TASK\u003e\n\nThe warning is due to the FUSE_NOTIFY_RESEND notify sent by the write()\nsyscall in the reproducer program and it happens as follows:\n\n(1) calls fuse_dev_read() to read the INIT request\nThe read succeeds. During the read, bit FR_SENT will be set on the\nrequest.\n(2) calls fuse_dev_write() to send an USE_NOTIFY_RESEND notify\nThe resend notify will resend all processing requests, so the INIT\nrequest is moved from processing list to pending list again.\n(3) calls fuse_dev_read() with an invalid output address\nfuse_dev_read() will try to copy the same INIT request to the output\naddress, but it will fail due to the invalid address, so the INIT\nrequest is ended and triggers the warning in fuse_request_end().\n\nFix it by clearing FR_SENT when re-adding requests into pending list.",
  "id": "GHSA-34cx-q7hf-42vr",
  "modified": "2024-06-21T12:31:20Z",
  "published": "2024-06-21T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38626"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/246014876d782bbf2e652267482cd2e799fb5fcd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/533070db659a9589310a743e9de14cf9d651ffaf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.