Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-56631— scsi: sg: Fix slab-use-after-free read in sg_release()

EPSS 0.02% · P6

Affected Version Matrix 17

VendorProductVersion RangeStatus
LinuxLinuxcc833acbee9db5ca8c6162b015b4c93863c6f821< e19acb1926c4a1f30ee1ec84d8afba2d975bd534affected
cc833acbee9db5ca8c6162b015b4c93863c6f821< 285ce1f89f8d414e7eecab5ef5118cd512596318affected
cc833acbee9db5ca8c6162b015b4c93863c6f821< 198b89dd5a595ee3f96e5ce5c448b0484cd0e53caffected
cc833acbee9db5ca8c6162b015b4c93863c6f821< 275b8347e21ab8193e93223a8394a806e4ba8918affected
cc833acbee9db5ca8c6162b015b4c93863c6f821< 59b30afa578637169e2819536bb66459fdddc39daffected
cc833acbee9db5ca8c6162b015b4c93863c6f821< 1f5e2f1ca5875728fcf62bc1a054707444ab4960affected
cc833acbee9db5ca8c6162b015b4c93863c6f821< f10593ad9bc36921f623361c9e3dd96bd52d85eeaffected
3a27c0defb0315760100f8b1adc7c4acbe04c884affected
… +9 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-56631

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
scsi: sg: Fix slab-use-after-free read in sg_release()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Fix slab-use-after-free read in sg_release() Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5838 __mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912 sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407 In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is called before releasing the open_rel_lock mutex. The kref_put() call may decrement the reference count of sfp to zero, triggering its cleanup through sg_remove_sfp(). This cleanup includes scheduling deferred work via sg_remove_sfp_usercontext(), which ultimately frees sfp. After kref_put(), sg_release() continues to unlock open_rel_lock and may reference sfp or sdp. If sfp has already been freed, this results in a slab-use-after-free error. Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the open_rel_lock mutex. This ensures: - No references to sfp or sdp occur after the reference count is decremented. - Cleanup functions such as sg_remove_sfp() and sg_remove_sfp_usercontext() can safely execute without impacting the mutex handling in sg_release(). The fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures proper sequencing of resource cleanup and mutex operations, eliminating the risk of use-after-free errors in sg_release().
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于net模块中netns拆卸期间struct net的最终释放延迟。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux cc833acbee9db5ca8c6162b015b4c93863c6f821 ~ e19acb1926c4a1f30ee1ec84d8afba2d975bd534 -
LinuxLinux 3.17 -

II. Public POCs for CVE-2024-56631

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-56631

登录查看更多情报信息。

Same Patch Batch · Linux · 2024-12-27 · 221 CVEs total

CVE-2024-56606af_packet: avoid erroring out after sock_init_data() in packet_create()
CVE-2024-56592bpf: Call free_htab_elem() after htab_unlock_bucket()
CVE-2024-56594drm/amdgpu: set the right AMDGPU sg segment limitation
CVE-2024-56595jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
CVE-2024-56596jfs: fix array-index-out-of-bounds in jfs_readdir
CVE-2024-56597jfs: fix shift-out-of-bounds in dbSplit
CVE-2024-56598jfs: array-index-out-of-bounds fix in dtReadFirst
CVE-2024-56599wifi: ath10k: avoid NULL pointer error during sdio remove
CVE-2024-56601net: inet: do not leave a dangling sk pointer in inet_create()
CVE-2024-56600net: inet6: do not leave a dangling sk pointer in inet6_create()
CVE-2024-56602net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()
CVE-2024-56603net: af_can: do not leave a dangling sk pointer in can_create()
CVE-2024-56604Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()
CVE-2024-56605Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()
CVE-2024-56617cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU
CVE-2024-56614xsk: fix OOB map writes when deleting elements
CVE-2024-56615bpf: fix OOB devmap writes when deleting elements
CVE-2024-56616drm/dp_mst: Fix MST sideband message body length check
CVE-2024-56613sched/numa: fix memory leak due to the overwritten vma->numab_state
CVE-2024-56618pmdomain: imx: gpcv2: Adjust delay after power up handshake

Showing top 20 of 221 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2024-56631

No comments yet

Leave a comment