
CVE-2024-53170: Use-after-free in the Linux kernel block layer (blk-mq)

High
Tags: Vulnerability, CVE-2024-53170, cve
Published: Fri Dec 27 2024 (12/27/2024, 13:49:15 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

block: fix uaf for flush rq while iterating tags

blk_mq_clear_flush_rq_mapping() is not called during scsi probe, by checking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared in del_gendisk by commit aec89dc5d421 ("block: keep q_usage_counter in atomic mode after del_gendisk"), hence for disk like scsi, following blk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well, causing the following uaf that is found by our syzkaller for v6.6:

==================================================================
BUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261
Read of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909

CPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32
Workqueue: kblockd blk_mq_timeout_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
 print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364
 print_report+0x3e/0x70 mm/kasan/report.c:475
 kasan_report+0xb8/0xf0 mm/kasan/report.c:588
 blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261
 bt_iter block/blk-mq-tag.c:288 [inline]
 __sbitmap_for_each_set include/linux/sbitmap.h:295 [inline]
 sbitmap_for_each_set include/linux/sbitmap.h:316 [inline]
 bt_for_each+0x455/0x790 block/blk-mq-tag.c:325
 blk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534
 blk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673
 process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631
 process_scheduled_works kernel/workqueue.c:2704 [inline]
 worker_thread+0x804/0xe40 kernel/workqueue.c:2785
 kthread+0x346/0x450 kernel/kthread.c:388
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293

Allocated by task 942:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc mm/kasan/common.c:383 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1007 [inline]
 __kmalloc_node+0x69/0x170 mm/slab_common.c:1014
 kmalloc_node include/linux/slab.h:620 [inline]
 kzalloc_node include/linux/slab.h:732 [inline]
 blk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499
 blk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788
 blk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261
 blk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294
 blk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350
 blk_mq_init_queue_data block/blk-mq.c:4166 [inline]
 blk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176
 scsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335
 scsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189
 __scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727
 scsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline]
 scsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791
 scsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844
 scsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151
 store_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191
 dev_attr_store+0x5c/0x90 drivers/base/core.c:2388
 sysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136
 kernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338
 call_write_iter include/linux/fs.h:2083 [inline]
 new_sync_write+0x1b4/0x2d0 fs/read_write.c:493
 vfs_write+0x76c/0xb00 fs/read_write.c:586
 ksys_write+0x127/0x250 fs/read_write.c:639
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x78/0xe2

Freed by task 244687:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 __kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:164 [in ---truncated---

AI-Powered Analysis

AI analysis last updated: 07/02/2025, 22:43:04 UTC

Technical Analysis

CVE-2024-53170 is a high-severity use-after-free (CWE-416) in the Linux kernel's multi-queue block layer (blk-mq), the subsystem that allocates, tags and times out block I/O requests. Each hardware queue owns a preallocated flush request (hctx->fq->flush_rq). While a flush is in flight that request borrows a tag and is published in the tag set's tags->rqs[] array, the same array that blk_mq_timeout_work() walks through blk_mq_queue_tag_busy_iter(), bt_for_each() and blk_mq_find_and_get_req(). Before the flush queue is freed, blk_mq_clear_flush_rq_mapping() has to remove every tags->rqs[] entry that still points at the flush request. The caller skipped that step unless blk_queue_init_done() reported the queue as fully initialised, a shortcut intended for queues torn down during SCSI probe before they ever carried I/O.

Commit aec89dc5d421 ("block: keep q_usage_counter in atomic mode after del_gendisk") changed del_gendisk() to clear QUEUE_FLAG_INIT_DONE. After that change a SCSI disk's ordinary removal path, del_gendisk() followed by blk_mq_destroy_queue(), also looks like an unfinished probe: the mapping is never cleared, the flush queue is freed, and tags->rqs[] keeps a stale pointer into it. The tag set belongs to the SCSI host and is shared by every queue on it, so it outlives the removed queue, and a timeout pass on any queue still using those tags iterates the stale slot and reads freed memory. Syzkaller found the bug on v6.6 with KASAN; the report in the description shows the read in blk_mq_find_and_get_req() (block/blk-mq-tag.c:261) from a kblockd worker running blk_mq_timeout_work, with the freed object allocated by blk_alloc_flush_queue() during a SCSI scan that a process had started by writing to the host's sysfs scan attribute (store_scan).

Any kernel that carries commit aec89dc5d421 but not the fix is affected. The trace is from a 6.6.0 build; this page does not list fixed versions, so consult your distribution's advisory for the patched kernel on each supported branch. The CVSS v3.1 score is 7.8 (local attack vector, low complexity, low privileges, no user interaction, high confidentiality, integrity and availability impact), the usual scoring for a kernel memory-safety bug reachable by a local process. Two caveats temper that reading. First, the allocating path in the report is a write to the SCSI host's sysfs scan attribute, which is normally writable only by root, and the free requires removing a disk; on most systems an unprivileged user cannot drive either side of the race. Second, the read is of a stale request structure during tag iteration, so the realistic outcome of hitting the bug is a kernel crash or hang, that is, denial of service. Turning the dangling pointer into privilege escalation or kernel code execution would require controlling what the slab allocator places at the freed address, and no such technique has been demonstrated for this bug. No exploitation in the wild has been reported. Remediation is a kernel update that contains the fix.
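To make the lifetime bug concrete, here is an added example in C written for this page; it is not kernel code and not the upstream fix. It models the shared tags->rqs[] table, a flush request that borrowed a tag, a del_gendisk() that clears the init-done flag, and two teardowns: one that gates the pointer scrub on that flag, as the description says the vulnerable code did, and one that scrubs unconditionally, which illustrates the principle rather than reproducing the upstream patch. Every structure and function name is a simplified stand-in (the kernel's real functions take different arguments); scenario() returns how many stale slots a subsequent timeout-style walk over the tags would read.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define QUEUE_DEPTH 8

/* Hypothetical stand-ins for the kernel structures: the names echo kernel
 * symbols for readability, but nothing here is the kernel's own code. */
struct request {
	int tag;                          /* tag borrowed while a flush is in flight */
};

struct blk_mq_tags {                      /* shared by every queue of the host */
	struct request *rqs[QUEUE_DEPTH]; /* tag -> request, what bt_iter() walks */
};

struct request_queue {
	bool init_done;                   /* stands in for QUEUE_FLAG_INIT_DONE */
	struct blk_mq_tags *tags;         /* borrowed from the shared tag set */
	struct request *flush_rq;         /* stands in for hctx->fq->flush_rq */
};

/* A flush in flight publishes the flush request in rqs[]. As in the kernel the
 * slot is not scrubbed when the flush completes; that is left to teardown. */
static void flush_rq_take_tag(struct request_queue *q, int tag)
{
	q->flush_rq->tag = tag;
	q->tags->rqs[tag] = q->flush_rq;
}

/* Models blk_mq_clear_flush_rq_mapping(): drop every slot pointing at flush_rq. */
static void clear_flush_rq_mapping(struct blk_mq_tags *tags, struct request *flush_rq)
{
	for (int i = 0; i < QUEUE_DEPTH; i++)
		if (tags->rqs[i] == flush_rq)
			tags->rqs[i] = NULL;
}

/* The del_gendisk() behaviour introduced by commit aec89dc5d421. */
static void del_gendisk(struct request_queue *q)
{
	q->init_done = false;
}

/* Vulnerable teardown: gates the scrub on init_done, which del_gendisk() has
 * already cleared, then frees the flush request. Returns the freed address. */
static uintptr_t destroy_queue_vulnerable(struct request_queue *q)
{
	uintptr_t freed = (uintptr_t)q->flush_rq;

	if (q->init_done)
		clear_flush_rq_mapping(q->tags, q->flush_rq);
	free(q->flush_rq);                /* rqs[] may still point here */
	q->flush_rq = NULL;
	return freed;
}

/* Hardened teardown: whoever frees the object scrubs every published pointer
 * to it first, regardless of unrelated lifecycle flags. */
static uintptr_t destroy_queue_fixed(struct request_queue *q)
{
	uintptr_t freed = (uintptr_t)q->flush_rq;

	clear_flush_rq_mapping(q->tags, q->flush_rq);
	free(q->flush_rq);
	q->flush_rq = NULL;
	return freed;
}

/* Reader side (blk_mq_timeout_work -> bt_for_each -> blk_mq_find_and_get_req):
 * count slots still carrying the freed address. Only addresses are compared,
 * never dereferenced, so the detector itself is safe to run. */
static int count_dangling(const struct blk_mq_tags *tags, uintptr_t freed)
{
	int n = 0;

	for (int i = 0; i < QUEUE_DEPTH; i++)
		if ((uintptr_t)tags->rqs[i] == freed)
			n++;
	return n;
}

/* Sequence from the KASAN report: probe, a flush, disk removal, queue
 * destruction, then a timeout pass over the shared tags. Returns how many
 * dangling slots that pass would read: 1 with the vulnerable teardown, 0 fixed. */
int scenario(bool fixed)
{
	struct blk_mq_tags tags;
	struct request_queue q = { .init_done = true, .tags = &tags };
	uintptr_t freed;

	memset(&tags, 0, sizeof(tags));
	q.flush_rq = calloc(1, sizeof(*q.flush_rq));
	if (!q.flush_rq)
		return -1;

	flush_rq_take_tag(&q, 3);          /* flush rq now published in rqs[3] */
	del_gendisk(&q);                   /* QUEUE_FLAG_INIT_DONE cleared */
	freed = fixed ? destroy_queue_fixed(&q) : destroy_queue_vulnerable(&q);
	return count_dangling(&tags, freed);
}
```

Call scenario(false) and scenario(true) from a main of your own; the first returns 1 (rqs[3] still holds the freed address, which is the slot the timeout worker in the report walked into), the second 0. The general lesson is the one the fix relies on: a pointer published into a table shared with other readers must be retracted by its owner before the object is freed, and the condition for retracting it has to follow from whether it was ever published, not from an unrelated lifecycle flag that some other path is free to clear.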

Potential Impact

European organizations running Linux on servers, cloud instances, storage appliances and embedded systems are exposed wherever an affected kernel is in use. The SCSI path is not a niche one: SATA disks attached through libata, USB mass storage and virtio-scsi disks in virtual machines all appear as SCSI devices, so fleets that hot-add and hot-remove disks (cloud block storage, virtualised storage, multipath and SAN environments) exercise the vulnerable teardown path as a matter of routine. The realistic consequence is a kernel crash or hang on the affected host, which for a hypervisor, storage node or database server means an outage of everything it serves; that matters to government, financial, telecommunications and industrial operators with availability obligations. Privilege escalation from the bug is theoretically possible but unproven, and triggering it deliberately needs the ability to scan or remove SCSI devices, which is normally reserved for root, so an unprivileged insider or a compromised user account has limited leverage unless it already holds those rights. Because no exploitation has been reported, organizations have a window to patch on a normal schedule, prioritising hosts that perform frequent disk hot-plug or that expose storage management to less trusted automation.

Mitigation Recommendations

1. Apply the kernel update that contains the fix for CVE-2024-53170 from your distribution or, for self-built kernels, the corresponding stable release; check the advisory for the fixed version on each supported branch you run.
2. Where patching must wait, reduce how often the vulnerable teardown path runs: avoid unnecessary SCSI host rescans (writes to /sys/class/scsi_host/*/scan) and disk hot-remove operations on unpatched hosts, and schedule storage reconfiguration for maintenance windows. Disabling SCSI or blk-mq is not a practical workaround, since SATA, USB and virtio-scsi disks all sit on the SCSI stack and blk-mq is the only block request path in these kernels.
3. Keep the sysfs scan and device-delete attributes root-only (their default) and do not grant containers or service accounts broad write access to /sys, so that only trusted automation can drive the race.
4. Restrict local user privileges and use SELinux or AppArmor to confine services that legitimately need host sysfs access.
5. Watch kernel logs for oops or panic reports whose call trace passes through blk_mq_find_and_get_req() under blk_mq_timeout_work(), or, on KASAN-enabled test kernels, the literal signature "BUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req". Production kernels do not run KASAN, so there a hit usually looks like a crash in a kblockd worker rather than a sanitizer report.
6. Run KASAN (and syzkaller where feasible) against your own kernel builds in test environments to catch similar object-lifetime bugs before deployment.
7. Inventory running kernel versions across the fleet, including VM images and appliances, and compare them with the fixed versions in vendor advisories rather than relying on generic vulnerability scanners to infer exposure.
8. Keep incident response procedures for unexplained kernel crashes on storage-heavy hosts: preserve the crash dump or console log before rebooting so the stack trace can be checked against this signature.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-11-19T17:17:25.006Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9823c4522896dcbdee01

Added to database: 5/21/2025, 9:08:51 AM

Last enriched: 7/2/2025, 10:43:04 PM

Last updated: 8/12/2025, 10:52:36 AM

