{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-53182","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-11-19T17:17:25.009Z","datePublished":"2024-12-27T13:49:25.670Z","dateUpdated":"2025-05-04T09:55:08.696Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:55:08.696Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"block, bfq: merge bfq_release_process_ref() into bfq_put_cooperator()\"\n\nThis reverts commit bc3b1e9e7c50e1de0f573eea3871db61dd4787de.\n\nThe bic is associated with sync_bfqq, and bfq_release_process_ref cannot\nbe put into bfq_put_cooperator.\n\nkasan report:\n[  400.347277] ==================================================================\n[  400.347287] BUG: KASAN: slab-use-after-free in bic_set_bfqq+0x200/0x230\n[  400.347420] Read of size 8 at addr ffff88881cab7d60 by task dockerd/5800\n[  400.347430]\n[  400.347436] CPU: 24 UID: 0 PID: 5800 Comm: dockerd Kdump: loaded Tainted: G E 6.12.0 #32\n[  400.347450] Tainted: [E]=UNSIGNED_MODULE\n[  400.347454] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022\n[  400.347460] Call Trace:\n[  400.347464]  <TASK>\n[  400.347468]  dump_stack_lvl+0x5d/0x80\n[  400.347490]  print_report+0x174/0x505\n[  400.347521]  kasan_report+0xe0/0x160\n[  400.347541]  bic_set_bfqq+0x200/0x230\n[  400.347549]  bfq_bic_update_cgroup+0x419/0x740\n[  400.347560]  bfq_bio_merge+0x133/0x320\n[  400.347584]  blk_mq_submit_bio+0x1761/0x1e20\n[  400.347625]  __submit_bio+0x28b/0x7b0\n[  400.347664]  submit_bio_noacct_nocheck+0x6b2/0xd30\n[  400.347690]  iomap_readahead+0x50c/0x680\n[  400.347731]  read_pages+0x17f/0x9c0\n[  400.347785]  page_cache_ra_unbounded+0x366/0x4a0\n[  400.347795]  filemap_fault+0x83d/0x2340\n[  400.347819]  __xfs_filemap_fault+0x11a/0x7d0 [xfs]\n[  400.349256]  __do_fault+0xf1/0x610\n[  400.349270]  do_fault+0x977/0x11a0\n[  400.349281]  __handle_mm_fault+0x5d1/0x850\n[  400.349314]  handle_mm_fault+0x1f8/0x560\n[  400.349324]  do_user_addr_fault+0x324/0x970\n[  400.349337]  exc_page_fault+0x76/0xf0\n[  400.349350]  asm_exc_page_fault+0x26/0x30\n[  400.349360] RIP: 0033:0x55a480d77375\n[  400.349384] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 3b 66 10 0f 86 ae 02 00 00 55 48 89 e5 48 83 ec 58 48 8b 10 <83> 7a 10 00 0f 84 27 02 00 00 44 0f b6 42 28 44 0f b6 4a 29 41 80\n[  400.349392] RSP: 002b:00007f18c37fd8b8 EFLAGS: 00010216\n[  400.349401] RAX: 00007f18c37fd9d0 RBX: 0000000000000000 RCX: 0000000000000000\n[  400.349407] RDX: 000055a484407d38 RSI: 000000c000e8b0c0 RDI: 0000000000000000\n[  400.349412] RBP: 00007f18c37fd910 R08: 000055a484017f60 R09: 000055a484066f80\n[  400.349417] R10: 0000000000194000 R11: 0000000000000005 R12: 0000000000000008\n[  400.349422] R13: 0000000000000000 R14: 000000c000476a80 R15: 0000000000000000\n[  400.349430]  </TASK>\n[  400.349452]\n[  400.349454] Allocated by task 5800:\n[  400.349459]  kasan_save_stack+0x30/0x50\n[  400.349469]  kasan_save_track+0x14/0x30\n[  400.349475]  __kasan_slab_alloc+0x89/0x90\n[  400.349482]  kmem_cache_alloc_node_noprof+0xdc/0x2a0\n[  400.349492]  bfq_get_queue+0x1ef/0x1100\n[  400.349502]  __bfq_get_bfqq_handle_split+0x11a/0x510\n[  400.349511]  bfq_insert_requests+0xf55/0x9030\n[  400.349519]  blk_mq_flush_plug_list+0x446/0x14c0\n[  400.349527]  __blk_flush_plug+0x27c/0x4e0\n[  400.349534]  blk_finish_plug+0x52/0xa0\n[  400.349540]  _xfs_buf_ioapply+0x739/0xc30 [xfs]\n[  400.350246]  __xfs_buf_submit+0x1b2/0x640 [xfs]\n[  400.350967]  xfs_buf_read_map+0x306/0xa20 [xfs]\n[  400.351672]  xfs_trans_read_buf_map+0x285/0x7d0 [xfs]\n[  400.352386]  xfs_imap_to_bp+0x107/0x270 [xfs]\n[  400.353077]  xfs_iget+0x70d/0x1eb0 [xfs]\n[  400.353786]  xfs_lookup+0x2ca/0x3a0 [xfs]\n[  400.354506]  xfs_vn_lookup+0x14e/0x1a0 [xfs]\n[  400.355197]  __lookup_slow+0x19c/0x340\n[  400.355204]  lookup_one_unlocked+0xfc/0x120\n[  400.355211]  ovl_lookup_single+0x1b3/0xcf0 [overlay]\n[  400.355255]  ovl_lookup_layer+0x316/0x490 [overlay]\n[  400.355295]  ovl_lookup+0x844/0x1fd0 [overlay]\n[  400.355351]  lookup_one_qstr_excl+0xef/0x150\n[  400.355357]  do_unlinkat+0x22a/0x620\n[  400.355366]  __x64_sys_unlinkat+0x109/0x1e0\n[  400.355375]  do_syscall_64+0x82/0x160\n[  400.355384]  entry_SYSCALL_64_after_hwframe+0x76/0x7\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/bfq-cgroup.c","block/bfq-iosched.c"],"versions":[{"version":"bc3b1e9e7c50e1de0f573eea3871db61dd4787de","lessThan":"7baf94232651f39f7108c23bc9548bff89bdc77b","status":"affected","versionType":"git"},{"version":"bc3b1e9e7c50e1de0f573eea3871db61dd4787de","lessThan":"cf5a60d971c7b59efb89927919404be655a9e35a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/bfq-cgroup.c","block/bfq-iosched.c"],"versions":[{"version":"6.12","status":"affected"},{"version":"0","lessThan":"6.12","status":"unaffected","versionType":"semver"},{"version":"6.12.2","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7baf94232651f39f7108c23bc9548bff89bdc77b"},{"url":"https://git.kernel.org/stable/c/cf5a60d971c7b59efb89927919404be655a9e35a"}],"title":"Revert \"block, bfq: merge bfq_release_process_ref() into bfq_put_cooperator()\"","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2024-53182","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-03-06T16:09:12.271456Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-03-06T16:14:33.459Z"}}]}}