PT-2024-37003 · Linux+7 · Linux Kernel+7
Wupeng Ma · Published 2024-10-30 · Updated 2025-10-03 · CVE-2024-56693
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.12.0-rc3+
Description
A vulnerability that could cause a use-after-free (UAF) has been resolved in the Linux kernel. The problem occurs when the brd_init function calls brd_alloc before the register_blkdev function succeeds, and then releases successfully created disks when brd_init returns an error. This can lead to a UAF situation in certain cases. The vulnerability was discovered during fault injection testing, which revealed errors such as "unable to handle page fault for address" and "Oops" messages. The loop_init function is used as a reference to fix this problem.
Recommendations
To resolve this issue, update the Linux kernel to a version that includes the fix, which defers automatic disk creation until module initialization succeeds. Additionally, the brd_devices_mutex has been reintroduced to help serialize modifications to the brd list. For versions prior to 6.12.0-rc3+, apply the necessary patches or updates to ensure the brd_init function is modified to follow the same logic as the loop_init function, and the brd_devices_mutex is used to prevent concurrent modifications to the brd list.
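The initialization ordering described above, as an added userspace model that is not kernel code and not taken from the fix itself: it injects a registration failure and counts how many already-exposed disks the error path tears down under each ordering. All names (model_register, model_alloc, init_create_first, init_register_first, exposed_teardowns) are hypothetical stand-ins, and the locking with brd_devices_mutex is not modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: every name below is hypothetical, none is a kernel API. */
#define NDISKS 4
struct disk { bool visible; };      /* visible = openers can already reach it */
static struct disk *disks[NDISKS];
static bool fail_register;          /* injected fault, as in fault injection testing */
static int freed_while_visible;     /* exposed disks torn down by a failed init */

static int model_register(void) { return fail_register ? -1 : 0; }

static void model_alloc(int i) {
    disks[i] = calloc(1, sizeof(*disks[i]));
    if (disks[i]) disks[i]->visible = true;   /* published as soon as created */
}

static void model_cleanup(void) {
    for (int i = 0; i < NDISKS; i++) {
        if (disks[i] && disks[i]->visible) freed_while_visible++;
        free(disks[i]);
        disks[i] = NULL;
    }
}

/* Ordering described as vulnerable: create disks, then register. */
static int init_create_first(void) {
    for (int i = 0; i < NDISKS; i++) model_alloc(i);
    if (model_register()) { model_cleanup(); return -1; }  /* frees exposed disks */
    return 0;
}

/* Ordering described as the fix: create nothing until registration succeeded. */
static int init_register_first(void) {
    if (model_register()) return -1;          /* nothing exists yet, nothing to free */
    for (int i = 0; i < NDISKS; i++) model_alloc(i);
    return 0;
}

/* Returns how many exposed disks the init error path tore down. */
int exposed_teardowns(bool fixed, bool inject) {
    fail_register = inject; freed_while_visible = 0;
    (void)(fixed ? init_register_first() : init_create_first());
    int n = freed_while_visible;              /* capture before normal teardown */
    model_cleanup();
    return n;
}

int main(void) {
    printf("create-first: %d\n", exposed_teardowns(false, true));
    printf("register-first: %d\n", exposed_teardowns(true, true));
    return 0;
}
```

A non-zero count for the create-first ordering marks the window in which something could still hold a reference to a disk that the failed initialization has already released.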
Use After Free
Double Free
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Linuxmint
Linux Kernel
Red Hat
Red Os
Suse
Ubuntu