CVE-2024-26832 - Vulnerability Details - OpenCVE

ReportizFlow

In the Linux kernel, the following vulnerability has been resolved: mm: zswap: fix missing folio cleanup in writeback race path In zswap_writeback_entry(), after we get a folio from __read_swap_cache_async(), we grab the tree lock again to check that the swap entry was not invalidated and recycled. If it was, we delete the folio we just added to the swap cache and exit. However, __read_swap_cache_async() returns the folio locked when it is newly allocated, which is always true for this path, and the folio is ref'd. Make sure to unlock and put the folio before returning. This was discovered by code inspection, probably because this path handles a race condition that should not happen often, and the bug would not crash the system, it will only strand the folio indefinitely.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea
https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644
https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe
https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d
https://lore.kernel.org/linux-cve-announce/2024041714-CVE-2024-26832-77ce@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-26832
https://www.cve.org/CVERecord?id=CVE-2024-26832

History

Thu, 19 Dec 2024 09:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-04-17T10:10:01.016Z

Updated: 2024-12-19T08:48:18.069Z

Reserved: 2024-02-19T14:20:24.181Z

Link: CVE-2024-26832

Vulnrichment

Updated: 2024-08-02T00:14:13.535Z

NVD

Status : Awaiting Analysis

Published: 2024-04-17T10:15:09.507

Modified: 2024-11-21T09:03:10.120

Link: CVE-2024-26832

Redhat

Severity : Moderate

Publid Date: 2024-04-17T00:00:00Z

Links: CVE-2024-26832 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26832", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.181Z", "datePublished": "2024-04-17T10:10:01.016Z", "dateUpdated": "2024-12-19T08:48:18.069Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:48:18.069Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: fix missing folio cleanup in writeback race path\n\nIn zswap_writeback_entry(), after we get a folio from\n__read_swap_cache_async(), we grab the tree lock again to check that the\nswap entry was not invalidated and recycled. If it was, we delete the\nfolio we just added to the swap cache and exit.\n\nHowever, __read_swap_cache_async() returns the folio locked when it is\nnewly allocated, which is always true for this path, and the folio is\nref'd. Make sure to unlock and put the folio before returning.\n\nThis was discovered by code inspection, probably because this path handles\na race condition that should not happen often, and the bug would not crash\nthe system, it will only strand the folio indefinitely."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/zswap.c"], "versions": [{"version": "2cab13f500a6333bd2b853783ac76be9e4956f8a", "lessThan": "14f1992430ef9e647b02aa8ca12c5bcb9a1dffea", "status": "affected", "versionType": "git"}, {"version": "04fc7816089c5a32c29a04ec94b998e219dfb946", "lessThan": "6156277d1b26cb3fdb6fcbf0686ab78268571644", "status": "affected", "versionType": "git"}, {"version": "04fc7816089c5a32c29a04ec94b998e219dfb946", "lessThan": "e2891c763aa2cff74dd6b5e978411ccf0cf94abe", "status": "affected", "versionType": "git"}, {"version": "04fc7816089c5a32c29a04ec94b998e219dfb946", "lessThan": "e3b63e966cac0bf78aaa1efede1827a252815a1d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/zswap.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.80", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.19", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.7", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea"}, {"url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644"}, {"url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe"}, {"url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d"}], "title": "mm: zswap: fix missing folio cleanup in writeback race path", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-16T18:06:53.982230Z", "id": "CVE-2024-26832", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T18:07:04.867Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:13.535Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:13.535Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26832", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-16T18:06:53.982230Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T18:07:00.277Z"}}], "cna": {"title": "mm: zswap: fix missing folio cleanup in writeback race path", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2cab13f500a6333bd2b853783ac76be9e4956f8a", "lessThan": "14f1992430ef9e647b02aa8ca12c5bcb9a1dffea", "versionType": "git"}, {"status": "affected", "version": "04fc7816089c5a32c29a04ec94b998e219dfb946", "lessThan": "6156277d1b26cb3fdb6fcbf0686ab78268571644", "versionType": "git"}, {"status": "affected", "version": "04fc7816089c5a32c29a04ec94b998e219dfb946", "lessThan": "e2891c763aa2cff74dd6b5e978411ccf0cf94abe", "versionType": "git"}, {"status": "affected", "version": "04fc7816089c5a32c29a04ec94b998e219dfb946", "lessThan": "e3b63e966cac0bf78aaa1efede1827a252815a1d", "versionType": "git"}], "programFiles": ["mm/zswap.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.4"}, {"status": "unaffected", "version": "0", "lessThan": "6.4", "versionType": "semver"}, {"status": "unaffected", "version": "6.1.80", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.19", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.7", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["mm/zswap.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea"}, {"url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644"}, {"url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe"}, {"url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: fix missing folio cleanup in writeback race path\n\nIn zswap_writeback_entry(), after we get a folio from\n__read_swap_cache_async(), we grab the tree lock again to check that the\nswap entry was not invalidated and recycled. If it was, we delete the\nfolio we just added to the swap cache and exit.\n\nHowever, __read_swap_cache_async() returns the folio locked when it is\nnewly allocated, which is always true for this path, and the folio is\nref'd. Make sure to unlock and put the folio before returning.\n\nThis was discovered by code inspection, probably because this path handles\na race condition that should not happen often, and the bug would not crash\nthe system, it will only strand the folio indefinitely."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:48:18.069Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26832", "state": "PUBLISHED", "dateUpdated": "2024-12-19T08:48:18.069Z", "dateReserved": "2024-02-19T14:20:24.181Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-17T10:10:01.016Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: fix missing folio cleanup in writeback race path\n\nIn zswap_writeback_entry(), after we get a folio from\n__read_swap_cache_async(), we grab the tree lock again to check that the\nswap entry was not invalidated and recycled. If it was, we delete the\nfolio we just added to the swap cache and exit.\n\nHowever, __read_swap_cache_async() returns the folio locked when it is\nnewly allocated, which is always true for this path, and the folio is\nref'd. Make sure to unlock and put the folio before returning.\n\nThis was discovered by code inspection, probably because this path handles\na race condition that should not happen often, and the bug would not crash\nthe system, it will only strand the folio indefinitely."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mm: zswap: corrige la limpieza de folio faltante en la ruta de carrera de escritura diferida En zswap_writeback_entry(), despu\u00e9s de obtener un folio de __read_swap_cache_async(), tomamos el bloqueo del \u00e1rbol nuevamente para verificar que el intercambio la entrada no fue invalidada y reciclada. Si as\u00ed fuera, eliminamos la publicaci\u00f3n que acabamos de agregar al cach\u00e9 de intercambio y salimos. Sin embargo, __read_swap_cache_async() devuelve la publicaci\u00f3n bloqueada cuando se asigna recientemente, lo que siempre es cierto para esta ruta, y la publicaci\u00f3n se ref. Aseg\u00farate de desbloquear y colocar el folio antes de regresar. Esto se descubri\u00f3 mediante la inspecci\u00f3n del c\u00f3digo, probablemente porque esta ruta maneja una condici\u00f3n de carrera que no deber\u00eda ocurrir con frecuencia, y el error no bloquear\u00eda el sistema, solo bloquear\u00e1 la publicaci\u00f3n indefinidamente."}], "id": "CVE-2024-26832", "lastModified": "2024-11-21T09:03:10.120", "metrics": {}, "published": "2024-04-17T10:15:09.507", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: mm: zswap: fix missing folio cleanup in writeback race path", "id": "2275590", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275590"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nmm: zswap: fix missing folio cleanup in writeback race path\nIn zswap_writeback_entry(), after we get a folio from\n__read_swap_cache_async(), we grab the tree lock again to check that the\nswap entry was not invalidated and recycled. If it was, we delete the\nfolio we just added to the swap cache and exit.\nHowever, __read_swap_cache_async() returns the folio locked when it is\nnewly allocated, which is always true for this path, and the folio is\nref'd. Make sure to unlock and put the folio before returning.\nThis was discovered by code inspection, probably because this path handles\na race condition that should not happen often, and the bug would not crash\nthe system, it will only strand the folio indefinitely.", "A flaw was found in the Linux kernel\u2019s `mm: zswap` subsystem. The issue occurs due to missing folio cleanup in the writeback race path. This flaw can lead to resource leaks or other unintended behaviors if the kernel fails to manage memory correctly during concurrent operations."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-26832", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26832\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26832\nhttps://lore.kernel.org/linux-cve-announce/2024041714-CVE-2024-26832-77ce@gregkh/T"], "statement": "Red Hat Enterprise Linux is not vulnerable to this CVE, as it does not affect the versions or configurations of the Linux kernel used in its distributions.", "threat_severity": "Moderate", "upstream_fix": "kernel 6.1.80, kernel 6.6.19, kernel 6.7.7, kernel 6.8"}