
CVE-2024-35979: Vulnerability in the Linux kernel (Vendor: Linux, Product: Linux)

High
Vulnerability: CVE-2024-35979
Published: Mon May 20 2024 (05/20/2024, 09:42:04 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

raid1: fix use-after-free for original bio in raid1_write_request()

r1_bio->bios[] is used to record new bios that will be issued to underlying disks; however, in raid1_write_request(), r1_bio->bios[] will be set to the original bio temporarily. Meanwhile, if a blocked rdev is set, free_r1bio() will be called, causing all of r1_bio->bios[] to be freed:

    raid1_write_request()
     r1_bio = alloc_r1bio(mddev, bio);
     -> r1_bio->bios[] is NULL
     for (i = 0; i < disks; i++)
     -> for each rdev in conf
      // first rdev is normal
      r1_bio->bios[0] = bio;
      -> set to original bio
      // second rdev is blocked
      if (test_bit(Blocked, &rdev->flags))
       break

     if (blocked_rdev)
      free_r1bio()
       put_all_bios()
        bio_put(r1_bio->bios[0])
        -> original bio is freed

Test scripts:

    mdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean
    fio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \
     -iodepth=128 -name=test -direct=1
    echo blocked > /sys/block/md0/md/rd2/state

Test result:

    BUG bio-264 (Not tainted): Object already free
    -----------------------------------------------------------------------------
    Allocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869
     kmem_cache_alloc+0x324/0x480
     mempool_alloc_slab+0x24/0x50
     mempool_alloc+0x6e/0x220
     bio_alloc_bioset+0x1af/0x4d0
     blkdev_direct_IO+0x164/0x8a0
     blkdev_write_iter+0x309/0x440
     aio_write+0x139/0x2f0
     io_submit_one+0x5ca/0xb70
     __do_sys_io_submit+0x86/0x270
     __x64_sys_io_submit+0x22/0x30
     do_syscall_64+0xb1/0x210
     entry_SYSCALL_64_after_hwframe+0x6c/0x74
    Freed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869
     kmem_cache_free+0x28c/0x550
     mempool_free_slab+0x1f/0x30
     mempool_free+0x40/0x100
     bio_free+0x59/0x80
     bio_put+0xf0/0x220
     free_r1bio+0x74/0xb0
     raid1_make_request+0xadf/0x1150
     md_handle_request+0xc7/0x3b0
     md_submit_bio+0x76/0x130
     __submit_bio+0xd8/0x1d0
     submit_bio_noacct_nocheck+0x1eb/0x5c0
     submit_bio_noacct+0x169/0xd40
     submit_bio+0xee/0x1d0
     blkdev_direct_IO+0x322/0x8a0
     blkdev_write_iter+0x309/0x440
     aio_write+0x139/0x2f0

Since the bios for underlying disks are not allocated yet, fix this problem by using mempool_free() directly to free the r1_bio.

AI-Powered Analysis

Last updated: 06/29/2025, 08:55:29 UTC

Technical Analysis

CVE-2024-35979 is a use-after-free vulnerability in the Linux kernel's RAID1 driver, specifically in raid1_write_request(). RAID1 mirrors data by writing identical copies to multiple disks. The flaw is an ownership mistake around bio structures, the kernel's representation of block I/O requests. While raid1_write_request() walks the array members, it temporarily stores the caller's original bio in the slots of r1_bio->bios[]; those slots are meant for the per-disk bios that the driver allocates later and owns. If the loop reaches a blocked member (rdev), it bails out and calls free_r1bio(), which runs put_all_bios() and bio_put()s every non-NULL slot. At that point no per-disk bios have been allocated, so the only non-NULL entries are the borrowed original bio, and it is freed while its submitter still holds it. With slab debugging enabled the kernel reports this as "BUG bio-264 (Not tainted): Object already free"; otherwise the outcome is a crash or undefined behavior. The reproducer in the commit message creates a four-disk RAID1 array with mdadm, drives direct 4k writes with fio, and marks one member blocked through sysfs. The fix hands the r1_bio back to its mempool with mempool_free() directly instead of calling free_r1bio(), so the original bio is never put on that path. The consequence is a kernel panic or memory corruption affecting system stability, which could let an attacker cause a denial of service or, if chained with other vulnerabilities, escalate privileges. No exploits in the wild are known and no CVSS score has been assigned yet.
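The commit message's call sketch and the analysis above describe the same ownership mistake: r1_bio->bios[] briefly holds a borrowed pointer to the caller's bio, and free_r1bio() treats every slot as owned. The following userspace model is an added example, not kernel code and not part of the raid1 driver. struct bio, struct r1bio, the blocked[] array (standing in for test_bit(Blocked, &rdev->flags)) and the calloc()/free() pool (standing in for the r1bio mempool) are stripped-down assumptions that keep only the reference-count behaviour the page describes. It runs the bail-out path with and without the patch and reports whether the submitter's bio was freed.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_DISKS 4

/* Stand-in for struct bio: only the reference count matters in this model. */
struct bio { int refcount; int freed; int heap; };
/* Stand-in for struct r1bio: one slot per member disk, NULL until filled. */
struct r1bio { struct bio *bios[MAX_DISKS]; };

/* calloc()/free() stand in for the r1bio mempool; bios[] start out NULL. */
static struct r1bio *r1bio_pool_alloc(void) { return calloc(1, sizeof(struct r1bio)); }
/* Models mempool_free(): releases the r1bio itself and touches no bio. */
static void r1bio_pool_free(struct r1bio *r1) { free(r1); }

static struct bio *bio_alloc_clone(void)
{
    struct bio *b = calloc(1, sizeof *b);
    b->refcount = 1;
    b->heap = 1;
    return b;
}

static void bio_put(struct bio *b)
{
    if (--b->refcount != 0)
        return;
    b->freed = 1;          /* a stack-allocated bio keeps this flag readable */
    if (b->heap)
        free(b);
}

/* Models put_all_bios(): drops a reference on every non-NULL slot. */
static void put_all_bios(struct r1bio *r1)
{
    for (int i = 0; i < MAX_DISKS; i++)
        if (r1->bios[i]) {
            bio_put(r1->bios[i]);
            r1->bios[i] = NULL;
        }
}

/* Models free_r1bio(): only correct when every slot holds a bio the r1bio owns. */
static void free_r1bio(struct r1bio *r1)
{
    put_all_bios(r1);
    r1bio_pool_free(r1);
}

/* Models the member loop of raid1_write_request(). blocked[i] stands in for
 * test_bit(Blocked, &rdev->flags). Returns 1 if the request bailed out on a
 * blocked member, 0 if it completed, -1 if the pool was empty. 'fixed'
 * selects the patched cleanup on the bail-out path. */
static int write_request(const int *blocked, int ndisks, struct bio *orig, int fixed)
{
    struct r1bio *r1 = r1bio_pool_alloc();
    int i;

    if (!r1)
        return -1;
    for (i = 0; i < ndisks; i++) {
        if (blocked[i])
            break;
        r1->bios[i] = orig;   /* borrowed pointer: no reference is taken */
    }
    if (i < ndisks) {
        if (fixed)
            r1bio_pool_free(r1);   /* the patch: only the r1bio returns to the pool */
        else
            free_r1bio(r1);        /* the bug: bio_put() on the caller's bio */
        return 1;
    }
    /* Normal path: each borrowed slot is replaced by a clone the r1bio owns,
     * so free_r1bio() is the right teardown once the clones have completed. */
    for (i = 0; i < ndisks; i++)
        r1->bios[i] = bio_alloc_clone();
    free_r1bio(r1);
    return 0;
}

/* Submits one write with member 'blocked_index' blocked (-1 for none) and
 * reports whether the submitter's own bio was freed under its feet. */
int original_bio_freed(int blocked_index, int fixed)
{
    int blocked[MAX_DISKS] = {0};
    struct bio orig = { .refcount = 1, .freed = 0, .heap = 0 };

    if (blocked_index >= 0)
        blocked[blocked_index] = 1;
    write_request(blocked, MAX_DISKS, &orig, fixed);
    return orig.freed;
}

int main(void)
{
    printf("unpatched, rd2 blocked: original bio freed = %d\n", original_bio_freed(2, 0));
    printf("patched,   rd2 blocked: original bio freed = %d\n", original_bio_freed(2, 1));
    printf("unpatched, rd0 blocked: original bio freed = %d\n", original_bio_freed(0, 0));
    return 0;
}
```

The third case in main() mirrors the commit message's remark that the first rdev is normal and the second is blocked: if the very first member is already blocked, no slot has been filled, put_all_bios() finds nothing to put, and even the unpatched cleanup is harmless. The model also keeps the normal path, where the same free_r1bio() is correct because by then every slot holds a clone the r1bio owns.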

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to servers and systems running Linux kernels with RAID1 configurations, especially in data centers, cloud infrastructure, and enterprise storage solutions. The use-after-free can cause kernel crashes leading to denial of service, disrupting critical services and operations. In environments where RAID1 is used for redundancy and high availability, such instability can result in data unavailability and operational downtime. While direct exploitation for privilege escalation is not confirmed, the instability could be leveraged by attackers to cause persistent denial of service or combined with other vulnerabilities for more severe attacks. Organizations relying on Linux-based storage servers, virtualization hosts, or container platforms that use RAID1 are particularly at risk. The impact extends to sectors such as finance, healthcare, telecommunications, and government services across Europe, where data integrity and availability are paramount. Additionally, because the trigger is a RAID1 member entering the blocked state while writes are in flight, legitimate workloads could hit the bug unintentionally and cause unexpected outages.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel to the patched versions that address CVE-2024-35979 as soon as they become available. Until patches are applied, administrators should avoid running RAID1 arrays with members in the blocked or faulty state, since a blocked member on the write path is what triggers this vulnerability. Monitoring the per-member state files under /sys/block/ (the reproducer writes to /sys/block/md0/md/rd2/state) and avoiding manual blocking of devices in production environments can reduce risk. Implementing kernel crash dump analysis and proactive monitoring of system logs for bio-related slab errors (the reproducer's signature is "BUG bio-264 (Not tainted): Object already free" with free_r1bio in the freeing trace) can help detect attempts to exploit or trigger the vulnerability. For critical systems, consider temporarily migrating data off RAID1 arrays or using alternative RAID levels that do not involve the affected code path. Additionally, organizations should review their incident response plans to handle potential denial of service scenarios caused by kernel panics. Engaging with Linux distribution vendors for backported patches and security advisories is recommended to ensure timely remediation. Finally, testing updates in staging environments before deployment will help prevent unexpected disruptions.
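Two of the checks recommended above can be automated: watching the md per-member state for the blocked flag, and scanning the kernel log for the slab-debug report quoted in the commit message. The code below is an added example, not part of the advisory or of any md tooling. It runs over a constructed log excerpt (frame names and offsets copied from the page's trace, timestamps made up) and over constructed state strings; the assumption that an md state file is a comma-separated flag list such as "in_sync" or "in_sync,blocked" is the author's, not something the advisory states.

```c
#include <stdio.h>
#include <string.h>

struct bio_uaf_report {
    int slab_uaf_lines;   /* "Object already free" reports against a bio-* slab */
    int freed_in_raid1;   /* the freeing trace passed through free_r1bio() */
};

/* Scans a kernel log buffer line by line for the slab-debug shape quoted in
 * the advisory: "BUG bio-<size> ...: Object already free", then a "Freed in"
 * trace whose frames include free_r1bio. Frames that follow "Allocated in"
 * belong to the allocation trace and are ignored. */
struct bio_uaf_report scan_kernel_log(const char *log)
{
    struct bio_uaf_report r = {0, 0};
    int in_freed_trace = 0;
    const char *line = log;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];

        if (len >= sizeof buf)
            len = sizeof buf - 1;           /* over-long lines are truncated, not skipped */
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (strstr(buf, "BUG bio-") && strstr(buf, "Object already free")) {
            r.slab_uaf_lines++;
            in_freed_trace = 0;
        } else if (strstr(buf, "Freed in ")) {
            in_freed_trace = 1;
        } else if (strstr(buf, "Allocated in ")) {
            in_freed_trace = 0;
        } else if (in_freed_trace && strstr(buf, "free_r1bio+")) {
            r.freed_in_raid1 = 1;
        }
        line = nl ? nl + 1 : line + len;
    }
    return r;
}

/* Returns 1 if a /sys/block/mdX/md/rdN/state string lists the "blocked" flag.
 * Assumption: the file holds comma-separated flags ("in_sync", "faulty",
 * "blocked", ...) followed by a newline. */
int md_member_blocked(const char *state)
{
    char buf[128];

    strncpy(buf, state, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ",\n "); tok; tok = strtok(NULL, ",\n "))
        if (strcmp(tok, "blocked") == 0)
            return 1;
    return 0;
}

/* Constructed kernel log excerpt shaped like the report in the advisory:
 * frame names and offsets come from the page's trace, timestamps are made up. */
const char *sample_log =
    "[  42.100] BUG bio-264 (Not tainted): Object already free\n"
    "[  42.100] -----------------------------------------------------------------------------\n"
    "[  42.100] Allocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869\n"
    "[  42.100]  bio_alloc_bioset+0x1af/0x4d0\n"
    "[  42.100]  blkdev_direct_IO+0x164/0x8a0\n"
    "[  42.100] Freed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869\n"
    "[  42.100]  bio_put+0xf0/0x220\n"
    "[  42.100]  free_r1bio+0x74/0xb0\n"
    "[  42.100]  raid1_make_request+0xadf/0x1150\n";

int main(void)
{
    struct bio_uaf_report r = scan_kernel_log(sample_log);

    printf("bio slab use-after-free reports: %d, freed via free_r1bio: %s\n",
           r.slab_uaf_lines, r.freed_in_raid1 ? "yes" : "no");
    printf("rd2 state \"in_sync,blocked\": blocked=%d\n",
           md_member_blocked("in_sync,blocked\n"));
    return 0;
}
```

In practice scan_kernel_log() would be fed the output of dmesg or the journal and md_member_blocked() the contents of each rdN/state file; a member reported as blocked on an unpatched kernel is the condition to alert on, and a bio-slab "Object already free" with free_r1bio in the freeing trace is the post-hoc signature that the bug was hit.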


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T13:50:33.144Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9828c4522896dcbe2368

Added to database: 5/21/2025, 9:08:56 AM

Last enriched: 6/29/2025, 8:55:29 AM

Last updated: 7/26/2025, 4:29:53 AM

