CVE-2024-26868
Description
In the Linux kernel, the following vulnerability has been resolved: nfs: fix panic when nfs4_ff_layout_prepare_ds() fails We've been seeing the following panic in production BUG: kernel NULL pointer dereference, address: 0000000000000065 PGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0 RIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles] Call Trace: <TASK> ? __die+0x78/0xc0 ? page_fault_oops+0x286/0x380 ? __rpc_execute+0x2c3/0x470 [sunrpc] ? rpc_new_task+0x42/0x1c0 [sunrpc] ? exc_page_fault+0x5d/0x110 ? asm_exc_page_fault+0x22/0x30 ? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles] ? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles] ? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles] pnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4] pnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4] ? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles] nfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles] ff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles] __nfs_pageio_add_request+0x154/0x6c0 [nfs] nfs_pageio_add_request+0x26b/0x380 [nfs] nfs_do_writepage+0x111/0x1e0 [nfs] nfs_writepages_callback+0xf/0x30 [nfs] write_cache_pages+0x17f/0x380 ? nfs_pageio_init_write+0x50/0x50 [nfs] ? nfs_writepages+0x6d/0x210 [nfs] ? nfs_writepages+0x6d/0x210 [nfs] nfs_writepages+0x125/0x210 [nfs] do_writepages+0x67/0x220 ? generic_perform_write+0x14b/0x210 filemap_fdatawrite_wbc+0x5b/0x80 file_write_and_wait_range+0x6d/0xc0 nfs_file_fsync+0x81/0x170 [nfs] ? nfs_file_mmap+0x60/0x60 [nfs] __x64_sys_fsync+0x53/0x90 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Inspecting the core with drgn I was able to pull this >>> prog.crashed_thread().stack_trace()[0] #0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27 >>> prog.crashed_thread().stack_trace()[0]['idx'] (u32)1 >>> prog.crashed_thread().stack_trace()[0]['flseg'].mirror_array[1].mirror_ds (struct nfs4_ff_layout_ds *)0xffffffffffffffed This is clear from the stack trace, we call nfs4_ff_layout_prepare_ds() which could error out initializing the mirror_ds, and then we go to clean it all up and our check is only for if (!mirror->mirror_ds). This is inconsistent with the rest of the users of mirror_ds, which have if (IS_ERR_OR_NULL(mirror_ds)) to keep from tripping over this exact scenario. Fix this up in ff_layout_cancel_io() to make sure we don't panic when we get an error. I also spot checked all the other instances of checking mirror_ds and we appear to be doing the correct checks everywhere, only unconditionally dereferencing mirror_ds when we know it would be valid.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2024-5363.html
Vendor advisory: alma — https://bugzilla.redhat.com/2297545
Vendor advisory: alma — https://bugzilla.redhat.com/2297542
Vendor advisory: alma — https://bugzilla.redhat.com/2297538
Vendor advisory: alma — https://bugzilla.redhat.com/2297512
Vendor advisory: alma — https://bugzilla.redhat.com/2297056
Vendor advisory: alma — https://bugzilla.redhat.com/2293688
Vendor advisory: alma — https://bugzilla.redhat.com/2293687
Vendor advisory: alma — https://bugzilla.redhat.com/2293686
Vendor advisory: alma — https://bugzilla.redhat.com/2293658
Vendor advisory: alma — https://bugzilla.redhat.com/2293657
Vendor advisory: alma — https://bugzilla.redhat.com/2293441
Vendor advisory: alma — https://bugzilla.redhat.com/2293418
Vendor advisory: alma — https://bugzilla.redhat.com/2293208
Vendor advisory: alma — https://bugzilla.redhat.com/2292331
Vendor advisory: alma — https://bugzilla.redhat.com/2284543
Vendor advisory: alma — https://bugzilla.redhat.com/2284513
Vendor advisory: alma — https://bugzilla.redhat.com/2284511
Vendor advisory: alma — https://bugzilla.redhat.com/2284496
Vendor advisory: alma — https://bugzilla.redhat.com/2284474
Vendor advisory: alma — https://bugzilla.redhat.com/2284417
Vendor advisory: alma — https://bugzilla.redhat.com/2284400
Vendor advisory: alma — https://bugzilla.redhat.com/2282719
Vendor advisory: alma — https://bugzilla.redhat.com/2281949
Vendor advisory: alma — https://bugzilla.redhat.com/2281900
Vendor advisory: alma — https://bugzilla.redhat.com/2281821
Vendor advisory: alma — https://bugzilla.redhat.com/2281667
Vendor advisory: alma — https://bugzilla.redhat.com/2281639
Vendor advisory: alma — https://bugzilla.redhat.com/2281272
Vendor advisory: alma — https://bugzilla.redhat.com/2281265
Vendor advisory: alma — https://bugzilla.redhat.com/2281257
Vendor advisory: alma — https://bugzilla.redhat.com/2281237
Vendor advisory: alma — https://bugzilla.redhat.com/2281190
Vendor advisory: alma — https://bugzilla.redhat.com/2281133
Vendor advisory: alma — https://bugzilla.redhat.com/2281097
Vendor advisory: alma — https://bugzilla.redhat.com/2281057
Vendor advisory: alma — https://bugzilla.redhat.com/2278989
Vendor advisory: alma — https://bugzilla.redhat.com/2278519
Vendor advisory: alma — https://bugzilla.redhat.com/2278429
Vendor advisory: alma — https://bugzilla.redhat.com/2278417
Vendor advisory: alma — https://bugzilla.redhat.com/2278380
Vendor advisory: alma — https://bugzilla.redhat.com/2275748
Vendor advisory: alma — https://bugzilla.redhat.com/2275715
Vendor advisory: alma — https://bugzilla.redhat.com/2275655
Vendor advisory: alma — https://bugzilla.redhat.com/2275600
Vendor advisory: alma — https://bugzilla.redhat.com/2273405
Vendor advisory: alma — https://bugzilla.redhat.com/2265838
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-26868
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:5363
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2024-26868.html
Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2024:5363
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| sles | affected | | |
| rocky | 9 | fixed | |
| debian | bookworm | fixed | 6.1.85-1 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 6.7.12-1 |
| debian | sid | fixed | 6.7.12-1 |
| debian | trixie | fixed | 6.7.12-1 |
References
- https://access.redhat.com/errata/RHSA-2024:5363
- https://www.suse.com/security/cve/CVE-2024-26868.html
- https://errata.rockylinux.org/RLSA-2024:5363
- https://security-tracker.debian.org/tracker/CVE-2024-26868
- https://bugzilla.redhat.com/2265838
- https://bugzilla.redhat.com/2273405
- https://bugzilla.redhat.com/2275600
- https://bugzilla.redhat.com/2275655
- https://bugzilla.redhat.com/2275715
- https://bugzilla.redhat.com/2275748
- https://bugzilla.redhat.com/2278380
- https://bugzilla.redhat.com/2278417
- https://bugzilla.redhat.com/2278429
- https://bugzilla.redhat.com/2278519
- https://bugzilla.redhat.com/2278989
- https://bugzilla.redhat.com/2281057
- https://bugzilla.redhat.com/2281097
- https://bugzilla.redhat.com/2281133
- https://bugzilla.redhat.com/2281190
- https://bugzilla.redhat.com/2281237
- https://bugzilla.redhat.com/2281257
- https://bugzilla.redhat.com/2281265
- https://bugzilla.redhat.com/2281272
- https://bugzilla.redhat.com/2281639
- https://bugzilla.redhat.com/2281667
Verify integrity in audit chain (admin only). AS-IS.