CVE-2024-42152: nvmet: fix a possible leak when destroy a ctrl during qp establishment

Published Jul 30, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix a possible leak when destroy a ctrl during qp establishment

In nvmetsqdestroy we capture sq->ctrl early and if it is non-NULL we know that a ctrl was allocated (in the admin connect request handler) and we need to release pending AERs, clear ctrl->sqs and sq->ctrl (for nvme-loop primarily), and drop the final reference on the ctrl.

However, a small window is possible where nvmetsqdestroy starts (as a result of the client giving up and disconnecting) concurrently with the nvme admin connect cmd (which may be in an early stage). But before killandconfirm of sq->ref (i.e. the admin connect managed to get an sq live reference). In this case, sq->ctrl was allocated however after it was captured in a local variable in nvmetsqdestroy. This prevented the final reference drop on the ctrl.

Solve this by re-capturing the sq->ctrl after all inflight request has completed, where for sure sq->ctrl reference is final, and move forward based on that.

This issue was observed in an environment with many hosts connecting multiple ctrls simoutanuosly, creating a delay in allocating a ctrl leading up to this race window.

Other sources

Linux Kernel is vulnerable to a denial of service, caused by memory leak in nvmet. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.

IBM

Affected Software

23 affected componentsFixes available
Linux Linux kernel>=4.8<5.10.222
Linux Linux kernel>=5.11<5.15.163
Linux Linux kernel>=5.16<6.1.98
Linux Linux kernel>=6.2<6.6.39
Linux Linux kernel>=6.7<6.9.9
Linux Linux kernel=6.10-rc1
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
redhat/kernel<5.10.222
5.10.222
redhat/kernel<5.15.163
5.15.163
redhat/kernel<6.1.98
6.1.98
redhat/kernel<6.6.39
6.6.39
redhat/kernel<6.9.9
6.9.9
redhat/kernel<6.10
6.10
debian/linux
5.10.223-15.10.234-16.1.129-16.1.135-16.12.25-16.12.27-1
debian/linux-6.1
6.1.129-1~deb11u1
Microsoft cbl2 kernel 5.15.162.2-1
Patch available
Microsoft cbl2 kernel 5.15.162.2-1
Patch available
Microsoft azl3 kernel 6.6.43.1-7
Patch available
Microsoft cbl2 kernel 5.15.164.1-1
Patch available
Microsoft azl3 kernel 6.6.35.1-5
Patch available

Remediation

Patch Available

https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa

Patch Available

https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1

Patch Available

https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33

Patch Available

https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da

Patch Available

https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5

Patch Available

https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4

Patch Available

https://git.kernel.org/linus/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Patch Available

https://git.kernel.org/linus/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4

Event History

Jul 30, 2024
CVE Published
via MITRE·07:46 AM
Data Sourced
via MITRE·07:46 AM
Description
Data Sourced
via NVD·08:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
Aug 16, 2024
Data Sourced
via Microsoft·07:00 AM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·07:00 AM
Affected Software
Updated
via Microsoft·07:00 AM
SeverityAffected Software
Updated
via Microsoft·07:00 AM
Affected Software
Updated
via Microsoft·07:00 AM
DescriptionSeverity
May 1, 2025
Data Sourced
via Ubuntu·12:34 AM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-42152?

CVE-2024-42152 has a high severity rating due to its potential to leak sensitive data during controller destruction in the Linux kernel.

2

How do I fix CVE-2024-42152?

To fix CVE-2024-42152, upgrade to the patched kernel versions 5.10.223-1, 5.15.163, 6.1.123-1, or higher.

3

What versions of the Linux kernel are affected by CVE-2024-42152?

CVE-2024-42152 affects Linux kernel versions prior to 5.10.223, 5.15.163, 6.1.98, 6.6.39, 6.9.9, and 6.10.

4

What is the nature of the vulnerability described in CVE-2024-42152?

CVE-2024-42152 involves a possible information leak when destroying a controller during queue pair establishment in the Linux nvmet subsystem.

5

Is CVE-2024-42152 exploitative in nature?

Yes, CVE-2024-42152 has the potential to be exploited for unauthorized data access if not remedied.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203