ID
VAR-202410-2068
CVE
CVE-2024-47706
TITLE
Linux of Linux Kernel Vulnerability in using free memory in
Trust: 0.8
DESCRIPTION
In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix possible UAF for bfqq->bic with merge chain 1) initial state, three tasks: Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) | Λ | Λ | Λ | | | | | | V | V | V | bfqq1 bfqq2 bfqq3 process ref: 1 1 1 2) bfqq1 merged to bfqq2: Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) | | | Λ \--------------\| | | V V | bfqq1--------->bfqq2 bfqq3 process ref: 0 2 1 3) bfqq2 merged to bfqq3: Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) here -> Λ | | \--------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3 process ref: 0 1 3 In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then get bfqq3 through merge chain, and finially handle IO by bfqq3. Howerver, current code will think bfqq2 is owned by BIC1, like initial state, and set bfqq2->bic to BIC1. bfq_insert_request -> by Process 1 bfqq = bfq_init_rq(rq) bfqq = bfq_get_bfqq_handle_split bfqq = bic_to_bfqq -> get bfqq2 from BIC1 bfqq->ref++ rq->elv.priv[0] = bic rq->elv.priv[1] = bfqq if (bfqq_process_refs(bfqq) == 1) bfqq->bic = bic -> record BIC1 to bfqq2 __bfq_insert_request new_bfqq = bfq_setup_cooperator -> get bfqq3 from bfqq2->new_bfqq bfqq_request_freed(bfqq) new_bfqq->ref++ rq->elv.priv[1] = new_bfqq -> handle IO by bfqq3 Fix the problem by checking bfqq is from merge chain fist. And this might fix a following problem reported by our syzkaller(unreproducible): ================================================================== BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline] BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline] BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595 CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: kblockd blk_mq_requeue_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0x10d/0x610 mm/kasan/report.c:475 kasan_report+0x8e/0xc0 mm/kasan/report.c:588 bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline] bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline] bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757 bfq_init_rq block/bfq-iosched.c:6876 [inline] bfq_insert_request block/bfq-iosched.c:6254 [inline] bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304 blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593 blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 kthread+0x33c/0x440 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 </TASK> Allocated by task 20776: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slab.h:763 [inline] slab_alloc_node mm/slub.c:3458 [inline] kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503 ioc_create_icq block/blk-ioc.c:370 [inline] ---truncated---. Linux of Linux Kernel Exists in a vulnerability related to the use of freed memory.Service operation interruption (DoS) It may be in a state. The RUGGEDCOM RST2428P is a Layer 2 Ethernet switch based on SINEC OS with up to 28 non-blocking interfaces. SCALANCE X switches are used to connect industrial components such as programmable logic controllers (PLCs) and human-machine interfaces (HMIs). Multiple vulnerabilities exist in third-party components prior to SIEMENS SINEC OS V3.2. These vulnerabilities could be exploited to corrupt values, leading to undefined behavior or security issues
Trust: 2.16
IOT TAXONOMY
| category: | ['ICS'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
| vendor: | linux | model: | kernel | scope: | lt | version: | 6.11.2 | Trust: 1.0 |
| vendor: | linux | model: | kernel | scope: | gte | version: | 6.11 | Trust: 1.0 |
| vendor: | linux | model: | kernel | scope: | gte | version: | 5.16 | Trust: 1.0 |
| vendor: | linux | model: | kernel | scope: | lt | version: | 6.6.54 | Trust: 1.0 |
| vendor: | linux | model: | kernel | scope: | lt | version: | 6.10.13 | Trust: 1.0 |
| vendor: | linux | model: | kernel | scope: | gte | version: | 5.11 | Trust: 1.0 |
| vendor: | linux | model: | kernel | scope: | lt | version: | 6.1.113 | Trust: 1.0 |
| vendor: | linux | model: | kernel | scope: | gte | version: | 6.7 | Trust: 1.0 |
| vendor: | linux | model: | kernel | scope: | gte | version: | 4.12 | Trust: 1.0 |
| vendor: | linux | model: | kernel | scope: | gte | version: | 6.2 | Trust: 1.0 |
| vendor: | linux | model: | kernel | scope: | lt | version: | 5.10.227 | Trust: 1.0 |
| vendor: | linux | model: | kernel | scope: | lt | version: | 5.15.168 | Trust: 1.0 |
| vendor: | linux | model: | kernel | scope: | eq | version: | 6.11 that's all 6.11.2 | Trust: 0.8 |
| vendor: | linux | model: | kernel | scope: | eq | version: | 5.11 that's all 5.15.168 | Trust: 0.8 |
| vendor: | linux | model: | kernel | scope: | eq | version: | 5.16 that's all 6.1.113 | Trust: 0.8 |
| vendor: | linux | model: | kernel | scope: | eq | version: | - | Trust: 0.8 |
| vendor: | linux | model: | kernel | scope: | eq | version: | 6.2 that's all 6.6.54 | Trust: 0.8 |
| vendor: | linux | model: | kernel | scope: | eq | version: | 6.7 that's all 6.10.13 | Trust: 0.8 |
| vendor: | linux | model: | kernel | scope: | eq | version: | 4.12 that's all 5.10.227 | Trust: 0.8 |
| vendor: | siemens | model: | ruggedcom rst2428p | scope: | lt | version: | v3.2 | Trust: 0.6 |
| vendor: | siemens | model: | scalance xc-300/xr-300/xc-400/xr-500wg/xr-500 family | scope: | lt | version: | v3.2 | Trust: 0.6 |
| vendor: | siemens | model: | scalance xcm-/xrm-/xch-/xrh-300 family | scope: | lt | version: | v3.2 | Trust: 0.6 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-416 | Trust: 1.0 |
| problemtype: | Use of freed memory (CWE-416) [NVD evaluation ] | Trust: 0.8 |
PATCH
| title: | Linux Kernel Archives | url: | https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7 | Trust: 0.8 |
| title: | Patch for Multiple vulnerabilities exist in third-party components of SIEMENS SINEC OS V3.2 and earlier | url: | https://www.cnvd.org.cn/patchInfo/show/723061 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2024-47706 | Trust: 2.6 |
| db: | SIEMENS | id: | SSA-355557 | Trust: 1.6 |
| db: | SIEMENS | id: | SSA-265688 | Trust: 1.0 |
| db: | JVN | id: | JVNVU92169998 | Trust: 0.8 |
| db: | ICS CERT | id: | ICSA-25-226-07 | Trust: 0.8 |
| db: | JVNDB | id: | JVNDB-2024-011387 | Trust: 0.8 |
| db: | CNVD | id: | CNVD-2025-19350 | Trust: 0.6 |
REFERENCES
| url: | https://cert-portal.siemens.com/productcert/html/ssa-355557.html | Trust: 1.6 |
| url: | https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320 | Trust: 1.0 |
| url: | https://cert-portal.siemens.com/productcert/html/ssa-265688.html | Trust: 1.0 |
| url: | https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777 | Trust: 1.0 |
| url: | https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa | Trust: 1.0 |
| url: | https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html | Trust: 1.0 |
| url: | https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html | Trust: 1.0 |
| url: | https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587 | Trust: 1.0 |
| url: | https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3 | Trust: 1.0 |
| url: | https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5 | Trust: 1.0 |
| url: | https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048 | Trust: 1.0 |
| url: | https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0 | Trust: 1.0 |
| url: | https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7 | Trust: 1.0 |
| url: | https://jvn.jp/vu/jvnvu92169998/index.html | Trust: 0.8 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2024-47706 | Trust: 0.8 |
| url: | https://www.cisa.gov/news-events/ics-advisories/icsa-25-226-07 | Trust: 0.8 |
SOURCES
| db: | CNVD | id: | CNVD-2025-19350 |
| db: | JVNDB | id: | JVNDB-2024-011387 |
| db: | NVD | id: | CVE-2024-47706 |
LAST UPDATE DATE
2026-06-19T20:13:53.605000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2025-19350 | date: | 2025-08-22T00:00:00 |
| db: | JVNDB | id: | JVNDB-2024-011387 | date: | 2025-09-09T01:32:00 |
| db: | NVD | id: | CVE-2024-47706 | date: | 2026-05-12T12:17:14.697 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2025-19350 | date: | 2025-08-12T00:00:00 |
| db: | JVNDB | id: | JVNDB-2024-011387 | date: | 2024-10-29T00:00:00 |
| db: | NVD | id: | CVE-2024-47706 | date: | 2024-10-21T12:15:07.120 |