CVE-2024-26844 - Vulnerability Details - OpenCVE

ReportizFlow

In the Linux kernel, the following vulnerability has been resolved: block: Fix WARNING in _copy_from_iter Syzkaller reports a warning in _copy_from_iter because an iov_iter is supposedly used in the wrong direction. The reason is that syzcaller managed to generate a request with a transfer direction of SG_DXFER_TO_FROM_DEV. This instructs the kernel to copy user buffers into the kernel, read into the copied buffers and then copy the data back to user space. Thus the iovec is used in both directions. Detect this situation in the block layer and construct a new iterator with the correct direction for the copy-in.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956
https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6
https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b
https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b
https://lore.kernel.org/linux-cve-announce/2024041716-CVE-2024-26844-c534@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-26844
https://www.cve.org/CVERecord?id=CVE-2024-26844

History

Thu, 19 Dec 2024 09:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-04-17T10:10:08.711Z

Updated: 2024-12-19T08:48:32.819Z

Reserved: 2024-02-19T14:20:24.182Z

Link: CVE-2024-26844

Vulnrichment

Updated: 2024-08-02T00:14:13.656Z

NVD

Status : Awaiting Analysis

Published: 2024-04-17T10:15:10.093

Modified: 2024-11-21T09:03:11.670

Link: CVE-2024-26844

Redhat

Severity : Low

Publid Date: 2024-04-17T00:00:00Z

Links: CVE-2024-26844 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26844", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.182Z", "datePublished": "2024-04-17T10:10:08.711Z", "dateUpdated": "2024-12-19T08:48:32.819Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:48:32.819Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix WARNING in _copy_from_iter\n\nSyzkaller reports a warning in _copy_from_iter because an\niov_iter is supposedly used in the wrong direction. The reason\nis that syzcaller managed to generate a request with\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\nthe kernel to copy user buffers into the kernel, read into\nthe copied buffers and then copy the data back to user space.\n\nThus the iovec is used in both directions.\n\nDetect this situation in the block layer and construct a new\niterator with the correct direction for the copy-in."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/blk-map.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "8fc80874103a5c20aebdc2401361aa01c817f75b", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "0f1bae071de9967602807472921829a54b2e5956", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "cbaf9be337f7da25742acfce325119e3395b1f1b", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "13f3956eb5681a4045a8dfdef48df5dc4d9f58a6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/blk-map.c"], "versions": [{"version": "6.1.80", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.19", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.7", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b"}, {"url": "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956"}, {"url": "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b"}, {"url": "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6"}], "title": "block: Fix WARNING in _copy_from_iter", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26844", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-10T14:27:10.114301Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:48:24.553Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:13.656Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:14:13.656Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26844", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-10T14:27:10.114301Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:24.294Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "block: Fix WARNING in _copy_from_iter", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "8fc80874103a5c20aebdc2401361aa01c817f75b", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "0f1bae071de9967602807472921829a54b2e5956", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "cbaf9be337f7da25742acfce325119e3395b1f1b", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "13f3956eb5681a4045a8dfdef48df5dc4d9f58a6", "versionType": "git"}], "programFiles": ["block/blk-map.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "6.1.80", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.19", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.7", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["block/blk-map.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b"}, {"url": "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956"}, {"url": "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b"}, {"url": "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix WARNING in _copy_from_iter\n\nSyzkaller reports a warning in _copy_from_iter because an\niov_iter is supposedly used in the wrong direction. The reason\nis that syzcaller managed to generate a request with\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\nthe kernel to copy user buffers into the kernel, read into\nthe copied buffers and then copy the data back to user space.\n\nThus the iovec is used in both directions.\n\nDetect this situation in the block layer and construct a new\niterator with the correct direction for the copy-in."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:48:32.819Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26844", "state": "PUBLISHED", "dateUpdated": "2024-12-19T08:48:32.819Z", "dateReserved": "2024-02-19T14:20:24.182Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-17T10:10:08.711Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix WARNING in _copy_from_iter\n\nSyzkaller reports a warning in _copy_from_iter because an\niov_iter is supposedly used in the wrong direction. The reason\nis that syzcaller managed to generate a request with\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\nthe kernel to copy user buffers into the kernel, read into\nthe copied buffers and then copy the data back to user space.\n\nThus the iovec is used in both directions.\n\nDetect this situation in the block layer and construct a new\niterator with the correct direction for the copy-in."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bloque: Reparar ADVERTENCIA en _copy_from_iter Syzkaller informa una advertencia en _copy_from_iter porque supuestamente se usa un iov_iter en la direcci\u00f3n incorrecta. La raz\u00f3n es que syzcaller logr\u00f3 generar una solicitud con una direcci\u00f3n de transferencia de SG_DXFER_TO_FROM_DEV. Esto le indica al kernel que copie los buffers del usuario en el kernel, los lea en los buffers copiados y luego copie los datos nuevamente al espacio del usuario. Por tanto, el iovec se utiliza en ambas direcciones. Detecte esta situaci\u00f3n en la capa de bloque y construya un nuevo iterador con la direcci\u00f3n correcta para la copia."}], "id": "CVE-2024-26844", "lastModified": "2024-11-21T09:03:11.670", "metrics": {}, "published": "2024-04-17T10:15:10.093", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: block: Fix WARNING in _copy_from_iter", "id": "2275563", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275563"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1098", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nblock: Fix WARNING in _copy_from_iter\nSyzkaller reports a warning in _copy_from_iter because an\niov_iter is supposedly used in the wrong direction. The reason\nis that syzcaller managed to generate a request with\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\nthe kernel to copy user buffers into the kernel, read into\nthe copied buffers and then copy the data back to user space.\nThus the iovec is used in both directions.\nDetect this situation in the block layer and construct a new\niterator with the correct direction for the copy-in."], "name": "CVE-2024-26844", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26844\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26844\nhttps://lore.kernel.org/linux-cve-announce/2024041716-CVE-2024-26844-c534@gregkh/T"], "threat_severity": "Low", "upstream_fix": "kernel 6.1.80, kernel 6.6.19, kernel 6.7.7, kernel 6.8"}