CVE-2024-35974 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: block: fix q->blkg_list corruption during disk rebind Multiple gendisk instances can allocated/added for single request queue in case of disk rebind. blkg may still stay in q->blkg_list when calling blkcg_init_disk() for rebind, then q->blkg_list becomes corrupted. Fix the list corruption issue by: - add blkg_init_queue() to initialize q->blkg_list & q->blkcg_mutex only - move calling blkg_init_queue() into blk_alloc_queue() The list corruption should be started since commit f1c006f1c685 ("blk-cgroup: synchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()") which delays removing blkg from q->blkg_list into blkg_free_workfn().

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/740ffad95ca8033bd6e080ed337655b13b4d38ac
https://git.kernel.org/stable/c/858c489d81d659af17a4d11cfaad2afb42e47a76
https://git.kernel.org/stable/c/8b8ace080319a866f5dfe9da8e665ae51d971c54
https://lore.kernel.org/linux-cve-announce/2024052024-CVE-2024-35974-7008@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-35974
https://www.cve.org/CVERecord?id=CVE-2024-35974

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-20T09:42:01.114Z

Updated: 2025-05-04T09:09:34.556Z

Reserved: 2024-05-17T13:50:33.143Z

Link: CVE-2024-35974

Vulnrichment

Updated: 2024-08-02T03:21:48.989Z

NVD

Status : Awaiting Analysis

Published: 2024-05-20T10:15:12.147

Modified: 2024-11-21T09:21:20.167

Link: CVE-2024-35974

Redhat

Severity : Low

Publid Date: 2024-05-20T00:00:00Z

Links: CVE-2024-35974 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35974", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-17T13:50:33.143Z", "datePublished": "2024-05-20T09:42:01.114Z", "dateUpdated": "2025-05-04T09:09:34.556Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:09:34.556Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix q->blkg_list corruption during disk rebind\n\nMultiple gendisk instances can allocated/added for single request queue\nin case of disk rebind. blkg may still stay in q->blkg_list when calling\nblkcg_init_disk() for rebind, then q->blkg_list becomes corrupted.\n\nFix the list corruption issue by:\n\n- add blkg_init_queue() to initialize q->blkg_list & q->blkcg_mutex only\n- move calling blkg_init_queue() into blk_alloc_queue()\n\nThe list corruption should be started since commit f1c006f1c685 (\"blk-cgroup:\nsynchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()\")\nwhich delays removing blkg from q->blkg_list into blkg_free_workfn()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/blk-cgroup.c", "block/blk-cgroup.h", "block/blk-core.c"], "versions": [{"version": "1059699f87eb0b3aa9d574b91a572d534897134a", "lessThan": "740ffad95ca8033bd6e080ed337655b13b4d38ac", "status": "affected", "versionType": "git"}, {"version": "1059699f87eb0b3aa9d574b91a572d534897134a", "lessThan": "858c489d81d659af17a4d11cfaad2afb42e47a76", "status": "affected", "versionType": "git"}, {"version": "1059699f87eb0b3aa9d574b91a572d534897134a", "lessThan": "8b8ace080319a866f5dfe9da8e665ae51d971c54", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["block/blk-cgroup.c", "block/blk-cgroup.h", "block/blk-core.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.28", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.7", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.6.28"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.8.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/740ffad95ca8033bd6e080ed337655b13b4d38ac"}, {"url": "https://git.kernel.org/stable/c/858c489d81d659af17a4d11cfaad2afb42e47a76"}, {"url": "https://git.kernel.org/stable/c/8b8ace080319a866f5dfe9da8e665ae51d971c54"}], "title": "block: fix q->blkg_list corruption during disk rebind", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35974", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T19:19:10.119055Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:34:29.289Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.989Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/740ffad95ca8033bd6e080ed337655b13b4d38ac", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/858c489d81d659af17a4d11cfaad2afb42e47a76", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8b8ace080319a866f5dfe9da8e665ae51d971c54", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/740ffad95ca8033bd6e080ed337655b13b4d38ac", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/858c489d81d659af17a4d11cfaad2afb42e47a76", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8b8ace080319a866f5dfe9da8e665ae51d971c54", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.989Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35974", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T19:19:10.119055Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:19:15.785Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "block: fix q->blkg_list corruption during disk rebind", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1059699f87eb0b3aa9d574b91a572d534897134a", "lessThan": "740ffad95ca8033bd6e080ed337655b13b4d38ac", "versionType": "git"}, {"status": "affected", "version": "1059699f87eb0b3aa9d574b91a572d534897134a", "lessThan": "858c489d81d659af17a4d11cfaad2afb42e47a76", "versionType": "git"}, {"status": "affected", "version": "1059699f87eb0b3aa9d574b91a572d534897134a", "lessThan": "8b8ace080319a866f5dfe9da8e665ae51d971c54", "versionType": "git"}], "programFiles": ["block/blk-cgroup.c", "block/blk-cgroup.h", "block/blk-core.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.18"}, {"status": "unaffected", "version": "0", "lessThan": "5.18", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.28", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.7", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["block/blk-cgroup.c", "block/blk-cgroup.h", "block/blk-core.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/740ffad95ca8033bd6e080ed337655b13b4d38ac"}, {"url": "https://git.kernel.org/stable/c/858c489d81d659af17a4d11cfaad2afb42e47a76"}, {"url": "https://git.kernel.org/stable/c/8b8ace080319a866f5dfe9da8e665ae51d971c54"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix q->blkg_list corruption during disk rebind\n\nMultiple gendisk instances can allocated/added for single request queue\nin case of disk rebind. blkg may still stay in q->blkg_list when calling\nblkcg_init_disk() for rebind, then q->blkg_list becomes corrupted.\n\nFix the list corruption issue by:\n\n- add blkg_init_queue() to initialize q->blkg_list & q->blkcg_mutex only\n- move calling blkg_init_queue() into blk_alloc_queue()\n\nThe list corruption should be started since commit f1c006f1c685 (\"blk-cgroup:\nsynchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()\")\nwhich delays removing blkg from q->blkg_list into blkg_free_workfn()."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.28", "versionStartIncluding": "5.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8.7", "versionStartIncluding": "5.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.9", "versionStartIncluding": "5.18"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:09:34.556Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35974", "state": "PUBLISHED", "dateUpdated": "2025-05-04T09:09:34.556Z", "dateReserved": "2024-05-17T13:50:33.143Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-20T09:42:01.114Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix q->blkg_list corruption during disk rebind\n\nMultiple gendisk instances can allocated/added for single request queue\nin case of disk rebind. blkg may still stay in q->blkg_list when calling\nblkcg_init_disk() for rebind, then q->blkg_list becomes corrupted.\n\nFix the list corruption issue by:\n\n- add blkg_init_queue() to initialize q->blkg_list & q->blkcg_mutex only\n- move calling blkg_init_queue() into blk_alloc_queue()\n\nThe list corruption should be started since commit f1c006f1c685 (\"blk-cgroup:\nsynchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()\")\nwhich delays removing blkg from q->blkg_list into blkg_free_workfn()."}, {"lang": "es", "value": " En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bloque: corrige la corrupci\u00f3n de q->blkg_list durante la revinculaci\u00f3n del disco. Se pueden asignar/agregar m\u00faltiples instancias de gendisk para una \u00fanica cola de solicitudes en caso de volver a vincular el disco. Es posible que blkg a\u00fan permanezca en q->blkg_list cuando se llama a blkcg_init_disk() para volver a vincular, entonces q->blkg_list se corrompe. Solucione el problema de corrupci\u00f3n de la lista: - agregue blkg_init_queue() para inicializar q->blkg_list & q->blkcg_mutex solamente - mueva la llamada a blkg_init_queue() a blk_alloc_queue() La corrupci\u00f3n de la lista debe iniciarse desde la confirmaci\u00f3n f1c006f1c685 (\"blk-cgroup: sincronizar pd_free_fn() de blkg_free_workfn() y blkcg_deactivate_policy()\") que retrasa la eliminaci\u00f3n de blkg de q->blkg_list en blkg_free_workfn()."}], "id": "CVE-2024-35974", "lastModified": "2024-11-21T09:21:20.167", "metrics": {}, "published": "2024-05-20T10:15:12.147", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/740ffad95ca8033bd6e080ed337655b13b4d38ac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/858c489d81d659af17a4d11cfaad2afb42e47a76"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8b8ace080319a866f5dfe9da8e665ae51d971c54"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/740ffad95ca8033bd6e080ed337655b13b4d38ac"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/858c489d81d659af17a4d11cfaad2afb42e47a76"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/8b8ace080319a866f5dfe9da8e665ae51d971c54"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: block: fix q->blkg_list corruption during disk rebind", "id": "2281889", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2281889"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nblock: fix q->blkg_list corruption during disk rebind\nMultiple gendisk instances can allocated/added for single request queue\nin case of disk rebind. blkg may still stay in q->blkg_list when calling\nblkcg_init_disk() for rebind, then q->blkg_list becomes corrupted.\nFix the list corruption issue by:\n- add blkg_init_queue() to initialize q->blkg_list & q->blkcg_mutex only\n- move calling blkg_init_queue() into blk_alloc_queue()\nThe list corruption should be started since commit f1c006f1c685 (\"blk-cgroup:\nsynchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()\")\nwhich delays removing blkg from q->blkg_list into blkg_free_workfn()."], "name": "CVE-2024-35974", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-35974\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35974\nhttps://lore.kernel.org/linux-cve-announce/2024052024-CVE-2024-35974-7008@gregkh/T"], "threat_severity": "Low"}