Today > | 4 High | 23 Medium vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-43892

Sept. 12, 2024, 12:15 p.m.

CVSS Score

4.7 / 10

Products Impacted

Vendor Product Versions
linux
  • linux_kernel
  • *, 6.11

Description

In the Linux kernel, the following vulnerability has been resolved: memcg: protect concurrent access to mem_cgroup_idr Commit 73f576c04b94 ("mm: memcontrol: fix cgroup creation failure after many small jobs") decoupled the memcg IDs from the CSS ID space to fix the cgroup creation failures. It introduced IDR to maintain the memcg ID space. The IDR depends on external synchronization mechanisms for modifications. For the mem_cgroup_idr, the idr_alloc() and idr_replace() happen within css callback and thus are protected through cgroup_mutex from concurrent modifications. However idr_remove() for mem_cgroup_idr was not protected against concurrency and can be run concurrently for different memcgs when they hit their refcnt to zero. Fix that. We have been seeing list_lru based kernel crashes at a low frequency in our fleet for a long time. These crashes were in different part of list_lru code including list_lru_add(), list_lru_del() and reparenting code. Upon further inspection, it looked like for a given object (dentry and inode), the super_block's list_lru didn't have list_lru_one for the memcg of that object. The initial suspicions were either the object is not allocated through kmem_cache_alloc_lru() or somehow memcg_list_lru_alloc() failed to allocate list_lru_one() for a memcg but returned success. No evidence were found for these cases. Looking more deeply, we started seeing situations where valid memcg's id is not present in mem_cgroup_idr and in some cases multiple valid memcgs have same id and mem_cgroup_idr is pointing to one of them. So, the most reasonable explanation is that these situations can happen due to race between multiple idr_remove() calls or race between idr_alloc()/idr_replace() and idr_remove(). These races are causing multiple memcgs to acquire the same ID and then offlining of one of them would cleanup list_lrus on the system for all of them. Later access from other memcgs to the list_lru cause crashes due to missing list_lru_one.

Weaknesses

Date

Published: Aug. 26, 2024, 11:15 a.m.

Last Modified: Sept. 12, 2024, 12:15 p.m.

Status : Modified

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

416baaa9-dc9f-4396-8d5f-8c081fb06d67

CPEs

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel 6.11 rc1 / / / / / /
o linux linux_kernel 6.11 rc2 / / / / / /

CVSS Data

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score
4.7
Exploitability Score
1.0
Impact Score
3.6
Base Severity
MEDIUM
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References

https://git.kernel.org/ 416baaa9-dc9f-4396-8d5f-8c081fb06d67

https://git.kernel.org/ 416baaa9-dc9f-4396-8d5f-8c081fb06d67

https://git.kernel.org/ 416baaa9-dc9f-4396-8d5f-8c081fb06d67

https://git.kernel.org/ 416baaa9-dc9f-4396-8d5f-8c081fb06d67

https://git.kernel.org/ 416baaa9-dc9f-4396-8d5f-8c081fb06d67

https://git.kernel.org/ 416baaa9-dc9f-4396-8d5f-8c081fb06d67