CVE-2024-40998 Affecting kernel-devel-matched package, versions <0:5.14.0-427.42.1.el9_4
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ALMALINUX9-KERNELDEVELMATCHED-8337950
- published 4 Nov 2024
- disclosed 30 Oct 2024
How to fix?
Upgrade AlmaLinux:9 kernel-devel-matched to version 0:5.14.0-427.42.1.el9_4 or higher.
This issue was patched in ALSA-2024:8617.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-devel-matched package and not the kernel-devel-matched package as distributed by AlmaLinux.
See How to fix? for AlmaLinux:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()
In the following concurrency we will access the uninitialized rs->lock:
ext4_fill_super ext4_register_sysfs // sysfs registered msg_ratelimit_interval_ms // Other processes modify rs->interval to // non-zero via msg_ratelimit_interval_ms ext4_orphan_cleanup ext4_msg(sb, KERN_INFO, "Errors on filesystem, " __ext4_msg ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state) if (!rs->interval) // do nothing if interval is 0 return 1; raw_spin_trylock_irqsave(&rs->lock, flags) raw_spin_trylock(lock) _raw_spin_trylock __raw_spin_trylock spin_acquire(&lock->dep_map, 0, 1, RET_IP) lock_acquire __lock_acquire register_lock_class assign_lock_key dump_stack(); ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10); raw_spin_lock_init(&rs->lock); // init rs->lock here
and get the following dump_stack:
========================================================= INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504 [...] Call Trace: dump_stack_lvl+0xc5/0x170 dump_stack+0x18/0x30 register_lock_class+0x740/0x7c0 __lock_acquire+0x69/0x13a0 lock_acquire+0x120/0x450 _raw_spin_trylock+0x98/0xd0 ___ratelimit+0xf6/0x220 __ext4_msg+0x7f/0x160 [ext4] ext4_orphan_cleanup+0x665/0x740 [ext4] __ext4_fill_super+0x21ea/0x2b10 [ext4] ext4_fill_super+0x14d/0x360 [ext4] [...]
Normally interval is 0 until s_msg_ratelimit_state is initialized, so ___ratelimit() does nothing. But registering sysfs precedes initializing rs->lock, so it is possible to change rs->interval to a non-zero value via the msg_ratelimit_interval_ms interface of sysfs while rs->lock is uninitialized, and then a call to ext4_msg triggers the problem by accessing an uninitialized rs->lock. Therefore register sysfs after all initializations are complete to avoid such problems.
References
- https://errata.almalinux.org/8/ALSA-2024-7000.html
- https://errata.almalinux.org/8/ALSA-2024-7001.html
- https://errata.almalinux.org/9/ALSA-2024-8617.html
- https://access.redhat.com/security/cve/CVE-2024-40998
- https://access.redhat.com/errata/RHSA-2024:7000
- https://access.redhat.com/errata/RHSA-2024:7001
- https://access.redhat.com/errata/RHSA-2024:8617
- https://git.kernel.org/stable/c/23afcd52af06880c6c913a0ad99022b8937b575c
- https://git.kernel.org/stable/c/645267906944a9aeec9d5c56ee24a9096a288798
- https://git.kernel.org/stable/c/b4b4fda34e535756f9e774fb2d09c4537b7dfd1c