CVE-2024-26935

{"id": "CVE-2024-26935", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-01T06:15:08.240", "references": [{"url": "https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix unremoved procfs host directory regression\n\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\n\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\n\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\n\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\n\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\n\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: corrige la regresi\u00f3n del directorio del host procfs no eliminado. el commit fc663711b944 (\"scsi: core: elimina el directorio /proc/scsi/${proc_name} anteriormente\") corrigi\u00f3 un error relacionado con carga/descarga de m\u00f3dulos, agregando una llamada a scsi_proc_hostdir_rm() en scsi_remove_host(). Pero eso llev\u00f3 a una posible llamada duplicada a la rutina hostdir_rm(), ya que tambi\u00e9n se llama desde scsi_host_dev_release(). Eso desencaden\u00f3 un informe de regresi\u00f3n, que luego se solucion\u00f3 mediante el commit be03df3d4bfe (\"scsi: core: Fix a procfs host directorio de eliminaci\u00f3n de regresi\u00f3n\"). La soluci\u00f3n simplemente elimin\u00f3 la llamada hostdir_rm() desde dev_release(). Pero sucede que este directorio proc se crea en scsi_host_alloc(), y esa funci\u00f3n se \"empareja\" con scsi_host_dev_release(), mientras que scsi_remove_host() se empareja con scsi_add_host(). En otras palabras, parece que la raz\u00f3n para eliminar el directorio proc en dev_release() fue para cubrir casos en los que se asign\u00f3 una estructura de host SCSI, pero la llamada a scsi_add_host() no ocurri\u00f3. Y ese patr\u00f3n existe en algunas rutas de error, por ejemplo. Syzkaller provoca que, al utilizar un dispositivo USB sin formato, se produzca un error en el controlador de almacenamiento USB, en usb_stor_probe2(). Al verificar esa ruta, podemos ver que la etiqueta BadDevice conduce a scsi_host_put() despu\u00e9s de una asignaci\u00f3n de host SCSI, pero no hay ninguna llamada a scsi_add_host() en dicha ruta. Eso lleva a mensajes como este en dmesg (y una fuga de la estructura del proceso del host SCSI): usb-storage 4-1:87.51: Dispositivo de almacenamiento masivo USB detectado proc_dir_entry 'scsi/usb-storage' ya registrado ADVERTENCIA: CPU: 1 PID : 3519 en fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376 La soluci\u00f3n adecuada parece seguir llamando a scsi_proc_hostdir_rm() en dev_release(), pero gu\u00e1rdela con la verificaci\u00f3n de estado para SHOST_CREATED ; incluso hay un comentario en scsi_host_dev_release() que detalla que: dicho condicional est\u00e1 destinado a casos en los que se asign\u00f3 el host SCSI pero no hubo llamadas a {add,remove}_host(), como el caso del almacenamiento USB. Esto es lo que proponemos aqu\u00ed y con eso, la ruta de error del almacenamiento USB ya no activa la advertencia."}], "lastModified": "2025-12-23T18:54:14.933", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF3B8422-936F-4A18-84B2-64EA737CDEAF", "versionEndExcluding": "5.4.274", "versionStartIncluding": "5.4.238"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "916DA275-F436-4EBF-A77A-DAFC987444CB", "versionEndExcluding": "5.10.215", "versionStartIncluding": "5.10.176"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "184AE1D2-F923-4E3C-A46A-B0747F0CAB35", "versionEndExcluding": "5.15.154", "versionStartIncluding": "5.15.104"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B5C250F-C8F2-4845-9D82-345AEC8F5A26", "versionEndExcluding": "6.1.84", "versionStartIncluding": "6.1.21"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "965D00B8-87E5-460E-A89A-5F5DF119D845", "versionEndExcluding": "6.3", "versionStartIncluding": "6.2.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "160B1C43-FE8E-4968-997F-93D3DEDBC39C", "versionEndExcluding": "6.6.24", "versionStartIncluding": "6.3.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BE9771A-BAFD-4624-95F9-58D536540C53", "versionEndExcluding": "6.7.12", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C59BBC3-6495-4A77-9C82-55EC7CDF5E02", "versionEndExcluding": "6.8.3", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.3:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21D6F467-B848-453E-B1A4-BEF940E413A6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3583026A-27EC-4A4C-850A-83F2AF970673"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC271202-7570-4505-89A4-D602D47BFD00"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D413BB6D-4F74-4C7D-9163-47786619EF53"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4D613FB-9976-4989-8C4A-567773373CEA"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1240A34-749A-49F5-B8DD-C09441AD2228"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}