
CVE-2024-26935

In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix unremoved procfs host directory regression

Commit fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name}
directory earlier") fixed a bug related to modules loading/unloading, by
adding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led
to a potential duplicate call to the hostdir_rm() routine, since it's also
called from scsi_host_dev_release(). That triggered a regression report,
which was then fixed by commit be03df3d4bfe ("scsi: core: Fix a procfs host
directory removal regression"). The fix just dropped the hostdir_rm() call
from dev_release().

But it happens that this proc directory is created on scsi_host_alloc(),
and that function "pairs" with scsi_host_dev_release(), while
scsi_remove_host() pairs with scsi_add_host(). In other words, it seems the
reason for removing the proc directory on dev_release() was meant to cover
cases in which a SCSI host structure was allocated, but the call to
scsi_add_host() didn't happen. And that pattern happens to exist in some
error paths, for example.

Syzkaller causes that by using USB raw gadget device, error'ing on
usb-storage driver, at usb_stor_probe2(). By checking that path, we can see
that the BadDevice label leads to a scsi_host_put() after a SCSI host
allocation, but there's no call to scsi_add_host() in such path. That leads
to messages like this in dmesg (and a leak of the SCSI host proc
structure):

usb-storage 4-1:87.51: USB Mass Storage device detected
proc_dir_entry 'scsi/usb-storage' already registered
WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376

The proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),
but guard that with the state check for SHOST_CREATED; there is even a
comment in scsi_host_dev_release() detailing that: such conditional is
meant for cases where the SCSI host was allocated but there were no calls to
{add,remove}_host(), like the usb-storage case.

This is what we propose here and with that, the error path of usb-storage
does not trigger the warning anymore.
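
The pairing described above, as an added userspace model that is not the kernel's code and not part of the CVE record: it counts users of the proc directory across the normal lifecycle and the usb-storage-style error path for the three behaviours the description walks through. The function names mirror those in the description; their signatures, the `variant` enum and the `proc_dir_refs` counter are assumptions made for illustration.

```c
/* Userspace model (added example, not kernel code). Function names mirror the
 * description above; signatures and the reference counter are assumptions. */
#include <stdio.h>
enum shost_state { SHOST_CREATED, SHOST_RUNNING, SHOST_DEL };
/* DOUBLE_RM: fc663711b944 alone; REGRESSED: after be03df3d4bfe; FIXED: guarded */
enum variant { DOUBLE_RM, REGRESSED, FIXED };
struct host { enum shost_state state; };

static int proc_dir_refs;   /* model of users of /proc/scsi/${proc_name} */
static void scsi_proc_hostdir_add(void) { proc_dir_refs++; }
static void scsi_proc_hostdir_rm(void)  { proc_dir_refs--; }
static void scsi_host_alloc(struct host *h) {
    h->state = SHOST_CREATED;
    scsi_proc_hostdir_add();            /* directory is created at allocation */
}
static void scsi_add_host(struct host *h) { h->state = SHOST_RUNNING; }
static void scsi_remove_host(struct host *h) {
    scsi_proc_hostdir_rm();             /* the call added by fc663711b944 */
    h->state = SHOST_DEL;
}
static void scsi_host_dev_release(struct host *h, enum variant v) {
    if (v == DOUBLE_RM)
        scsi_proc_hostdir_rm();         /* unconditional: second removal */
    else if (v == FIXED && h->state == SHOST_CREATED)
        scsi_proc_hostdir_rm();         /* only if add/remove_host never ran */
    /* REGRESSED: no removal here at all */
}
/* Normal lifecycle: alloc, add, remove, final put. Returns leftover refs. */
int refs_after_normal(enum variant v) {
    struct host h;
    proc_dir_refs = 0;
    scsi_host_alloc(&h);
    scsi_add_host(&h);
    scsi_remove_host(&h);
    scsi_host_dev_release(&h, v);
    return proc_dir_refs;
}
/* Error path (usb_stor_probe2() BadDevice): alloc, then put, no add_host. */
int refs_after_error_path(enum variant v) {
    struct host h;
    proc_dir_refs = 0;
    scsi_host_alloc(&h);
    scsi_host_dev_release(&h, v);       /* scsi_host_put() drops the last ref */
    return proc_dir_refs;
}
int main(void) {
    for (int v = DOUBLE_RM; v <= FIXED; v++)
        printf("variant %d: normal=%d error_path=%d\n", v,
               refs_after_normal(v), refs_after_error_path(v));
    return 0;
}
```

A result of -1 models the duplicate removal, 1 models the leaked proc entry, and 0 on both paths is the balanced outcome of the guarded release.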

Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: Linux
Product: Linux
Default status: unaffected
Vendor: Linux
Product: Linux
Default status: affected
Version 6.3: affected
Version 0, < 6.3: unaffected
Version 5.4.274, <= 5.4.*: unaffected
Version 5.10.215, <= 5.10.*: unaffected
Version 5.15.154, <= 5.15.*: unaffected
Version 6.1.84, <= 6.1.*: unaffected
Version 6.6.24, <= 6.6.*: unaffected
Version 6.7.12, <= 6.7.*: unaffected
Version 6.8.3, <= 6.8.*: unaffected
Version 6.9, <= *: unaffected
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS metrics
Type Source Score Percentile
EPSS FIRST.org 0.03% 0.074
CVSS metrics
Source Base Score Exploit Score Impact Score Vector String