{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T16:10:39.656","vulnerabilities":[{"cve":{"id":"CVE-2024-53171","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-12-27T14:15:24.300","lastModified":"2025-11-03T21:17:36.410","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit\n\nAfter an insertion in TNC, the tree might split and cause a node to\nchange its `znode->parent`. A further deletion of other nodes in the\ntree (which also could free the nodes), the aforementioned node's\n`znode->cparent` could still point to a freed node. This\n`znode->cparent` may not be updated when getting nodes to commit in\n`ubifs_tnc_start_commit()`. This could then trigger a use-after-free\nwhen accessing the `znode->cparent` in `write_index()` in\n`ubifs_tnc_end_commit()`.\n\nThis can be triggered by running\n\n  rm -f /etc/test-file.bin\n  dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync\n\nin a loop, and with `CONFIG_UBIFS_FS_AUTHENTICATION`. KASAN then\nreports:\n\n  BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950\n  Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153\n\n  Call trace:\n   dump_backtrace+0x0/0x340\n   show_stack+0x18/0x24\n   dump_stack_lvl+0x9c/0xbc\n   print_address_description.constprop.0+0x74/0x2b0\n   kasan_report+0x1d8/0x1f0\n   kasan_check_range+0xf8/0x1a0\n   memcpy+0x84/0xf4\n   ubifs_tnc_end_commit+0xa5c/0x1950\n   do_commit+0x4e0/0x1340\n   ubifs_bg_thread+0x234/0x2e0\n   kthread+0x36c/0x410\n   ret_from_fork+0x10/0x20\n\n  Allocated by task 401:\n   kasan_save_stack+0x38/0x70\n   __kasan_kmalloc+0x8c/0xd0\n   __kmalloc+0x34c/0x5bc\n   tnc_insert+0x140/0x16a4\n   ubifs_tnc_add+0x370/0x52c\n   ubifs_jnl_write_data+0x5d8/0x870\n   do_writepage+0x36c/0x510\n   ubifs_writepage+0x190/0x4dc\n   __writepage+0x58/0x154\n   write_cache_pages+0x394/0x830\n   do_writepages+0x1f0/0x5b0\n   filemap_fdatawrite_wbc+0x170/0x25c\n   file_write_and_wait_range+0x140/0x190\n   ubifs_fsync+0xe8/0x290\n   vfs_fsync_range+0xc0/0x1e4\n   do_fsync+0x40/0x90\n   __arm64_sys_fsync+0x34/0x50\n   invoke_syscall.constprop.0+0xa8/0x260\n   do_el0_svc+0xc8/0x1f0\n   el0_svc+0x34/0x70\n   el0t_64_sync_handler+0x108/0x114\n   el0t_64_sync+0x1a4/0x1a8\n\n  Freed by task 403:\n   kasan_save_stack+0x38/0x70\n   kasan_set_track+0x28/0x40\n   kasan_set_free_info+0x28/0x4c\n   __kasan_slab_free+0xd4/0x13c\n   kfree+0xc4/0x3a0\n   tnc_delete+0x3f4/0xe40\n   ubifs_tnc_remove_range+0x368/0x73c\n   ubifs_tnc_remove_ino+0x29c/0x2e0\n   ubifs_jnl_delete_inode+0x150/0x260\n   ubifs_evict_inode+0x1d4/0x2e4\n   evict+0x1c8/0x450\n   iput+0x2a0/0x3c4\n   do_unlinkat+0x2cc/0x490\n   __arm64_sys_unlinkat+0x90/0x100\n   invoke_syscall.constprop.0+0xa8/0x260\n   do_el0_svc+0xc8/0x1f0\n   el0_svc+0x34/0x70\n   el0t_64_sync_handler+0x108/0x114\n   el0t_64_sync+0x1a4/0x1a8\n\nThe offending `memcpy()` in `ubifs_copy_hash()` has a use-after-free\nwhen a node becomes root in TNC but still has a `cparent` to an already\nfreed node. More specifically, consider the following TNC:\n\n         zroot\n         /\n        /\n      zp1\n      /\n     /\n    zn\n\nInserting a new node `zn_new` with a key smaller then `zn` will trigger\na split in `tnc_insert()` if `zp1` is full:\n\n         zroot\n         /   \\\n        /     \\\n      zp1     zp2\n      /         \\\n     /           \\\n  zn_new          zn\n\n`zn->parent` has now been moved to `zp2`, *but* `zn->cparent` still\npoints to `zp1`.\n\nNow, consider a removal of all the nodes _except_ `zn`. Just when\n`tnc_delete()` is about to delete `zroot` and `zp2`:\n\n         zroot\n             \\\n              \\\n              zp2\n                \\\n                 \\\n                 zn\n\n`zroot` and `zp2` get freed and the tree collapses:\n\n           zn\n\n`zn` now becomes the new `zroot`.\n\n`get_znodes_to_commit()` will now only find `zn`, the new `zroot`, and\n`write_index()` will check its `znode->cparent` that wrongly points to\nthe already freed `zp1`. `ubifs_copy_hash()` thus gets wrongly called\nwith `znode->cparent->zbranch[znode->iip].hash` that triggers the\nuse-after-free!\n\nFix this by explicitly setting `znode->cparent` to `NULL` in\n`get_znodes_to_commit()` for the root node. The search for the dirty\nnodes\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ubifs: authentication: Fix use-after-free en ubifs_tnc_end_commit Después de una inserción en TNC, el árbol podría dividirse y hacer que un nodo cambie su `znode->parent`. Una eliminación adicional de otros nodos en el árbol (que también podría liberar los nodos), el `znode->cparent` del nodo mencionado anteriormente aún podría apuntar a un nodo liberado. Este `znode->cparent` puede no actualizarse al hacer que los nodos se comprometan en `ubifs_tnc_start_commit()`. Esto podría desencadenar un use-after-free al acceder a `znode->cparent` en `write_index()` en `ubifs_tnc_end_commit()`. Esto se puede activar ejecutando rm -f /etc/test-file.bin dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync en un bucle y con `CONFIG_UBIFS_FS_AUTHENTICATION`. KASAN luego informa: ERROR: KASAN: use-after-free en ubifs_tnc_end_commit+0xa5c/0x1950 Escritura de tamaño 32 en la dirección ffffff800a3af86c por la tarea ubifs_bgt0_20/153 Rastreo de llamadas: dump_backtrace+0x0/0x340 show_stack+0x18/0x24 dump_stack_lvl+0x9c/0xbc print_address_description.constprop.0+0x74/0x2b0 kasan_report+0x1d8/0x1f0 kasan_check_range+0xf8/0x1a0 memcpy+0x84/0xf4 ubifs_tnc_end_commit+0xa5c/0x1950 Asignado por la tarea 401: kasan_save_stack+0x38/0x70 __kasan_kmalloc+0x8c/0xd0 __kmalloc+0x34c/0x5bc tnc_insert+0x140/0x16a4 ubifs_tnc_add+0x370/0x52c ubifs_jnl_write_data+0x5d8/0x870 do_writepage+0x36c/0x510 ubifs_writepage+0x190/0x4dc __writepage+0x58/0x154 escritura_caché_páginas+0x394/0x830 do_writepages+0x1f0/0x5b0 filemap_fdatawrite_wbc+0x170/0x25c intervalo_de_escritura_y_espera_de_archivo+0x140/0x190 ubifs_fsync+0xe8/0x290 intervalo_de_fsync_vfs+0xc0/0x1e4 do_fsync+0x40/0x90 __arm64_sys_fsync+0x34/0x50 invocar_llamada_al_sistema.constprop.0+0xa8/0x260 do_el0_svc+0xc8/0x1f0 el0_svc+0x34/0x70 el0t_64_sync_handler+0x108/0x114 el0t_64_sync+0x1a4/0x1a8 Liberado por la tarea 403: kasan_save_stack+0x38/0x70 kasan_set_track+0x28/0x40 kasan_set_free_info+0x28/0x4c __kasan_slab_free+0xd4/0x13c kfree+0xc4/0x3a0 tnc_delete+0x3f4/0xe40 ubifs_tnc_remove_range+0x368/0x73c ubifs_tnc_remove_ino+0x29c/0x2e0 ubifs_jnl_delete_inode+0x150/0x260 ubifs_evict_inode+0x1d4/0x2e4 El `memcpy()` ofensivo en `ubifs_copy_hash()` tiene un use-after-free cuando un nodo se convierte en raíz en TNC pero aún tiene un `cparent` para un nodo ya liberado. Más específicamente, considere la siguiente TNC: zroot // zp1 // zn Insertar un nuevo nodo `zn_new` con una clave menor que `zn` activará una división en `tnc_insert()` si `zp1` está lleno: zroot / \\ / \\ zp1 zp2 / \\ / \\ zn_new zn `zn->parent` ahora se ha movido a `zp2`, *pero* `zn->cparent` todavía apunta a `zp1`. Ahora, considere una eliminación de todos los nodos _excepto_ `zn`. Justo cuando `tnc_delete()` está a punto de eliminar `zroot` y `zp2`: zroot \\ \\ zp2 \\ \\ zn `zroot` y `zp2` se liberan y el árbol colapsa: zn `zn` ahora se convierte en el nuevo `zroot`. `get_znodes_to_commit()` ahora solo encontrará `zn`, el nuevo `zroot`, y `write_index()` verificará su `znode->cparent` que apunta erróneamente al `zp1` ya liberado. Por lo tanto, `ubifs_copy_hash()` se llama erróneamente con `znode->cparent->zbranch[znode->iip].hash` que activa el use-after-free. Solucione esto configurando explícitamente `znode->cparent` en `NULL` en `get_znodes_to_commit()` para el nodo raíz. La búsqueda de los nodos sucios ---truncada---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.287","matchCriteriaId":"E4B15788-D35E-4E5B-A9C0-070AE3729B34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.231","matchCriteriaId":"B5C644CC-2BD7-4E32-BC54-8DCC7ABE9935"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.174","matchCriteriaId":"419FD073-1517-4FD5-8158-F94BC68A1E89"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.120","matchCriteriaId":"09AC6122-E2A4-40FE-9D33-268A1B2EC265"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.64","matchCriteriaId":"CA16DEE3-ABEC-4449-9F4A-7A3DC4FC36C7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.11.11","matchCriteriaId":"21434379-192D-472F-9B54-D45E3650E893"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.2","matchCriteriaId":"D8882B1B-2ABC-4838-AC1D-DBDBB5764776"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/01d3a2293d7e4edfff96618c15727db7e51f11b6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2497479aecebe869d23a0064e0fd1a03e34f0e2a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/398a91599d263e41c5f95a2fd4ebdb6280b5c6c3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4617fb8fc15effe8eda4dd898d4e33eb537a7140","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4d9807048b851d7a58d5bd089c16254af896e4df","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/74981f7577d183acad1cd58f74c10d263711a215","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8d8b3f5f4cbfbf6cb0ea4a4d5dc296872b4151eb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/daac4aa1825de0dbc1a6eede2fa7f9fc53f14223","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}