7

CVE-2024-49855

nbd: fix race between timeout and normal completion

In the Linux kernel, the following vulnerability has been resolved:

nbd: fix race between timeout and normal completion

If request timetout is handled by nbd_requeue_cmd(), normal completion
has to be stopped for avoiding to complete this requeued request, other
use-after-free can be triggered.

Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime
make sure that cmd->lock is grabbed for clearing the flag and the
requeue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.18.4 < 5.19
LinuxLinux Kernel Version >= 5.19 < 6.1.113
LinuxLinux Kernel Version >= 6.2 < 6.6.54
LinuxLinux Kernel Version >= 6.7 < 6.10.13
LinuxLinux Kernel Version >= 6.11 < 6.11.2
LinuxLinux Kernel Version5.17.15
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.2% 0.1
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7 1 5.9
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/5236ada8ebbd9e7461f17477357582f5be4f46f7
Patch
https://git.kernel.org/stable/c/6e73b946a379a1dfbb62626af93843bdfb53753d
Patch
https://git.kernel.org/stable/c/9a74c3e6c0d686c26ba2aab66d15ddb89dc139cc
Patch
https://git.kernel.org/stable/c/9c25faf72d780a9c71081710cd48759d61ff6e9b
Patch
https://git.kernel.org/stable/c/c9ea57c91f03bcad415e1a20113bdb2077bcf990
Patch
https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html