CVE-2024-27392 nvme: host: fix double-free of struct nvme_id_ns in ns_update_nuse()

2024-05-0113:05:20

Linux

github.com

linux kernel

vulnerability resolved

nvme driver

double-free

struct nvme_id_ns

ns_update_nuse

kasan

blktests nvme/045

proposed patches

kernel v6.8-rc7

fix

identify_ns

pointer

memory corruption

security issue

AI Score

6.5

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

In the Linux kernel, the following vulnerability has been resolved:

nvme: host: fix double-free of struct nvme_id_ns in ns_update_nuse()

When nvme_identify_ns() fails, it frees the pointer to the struct
nvme_id_ns before it returns. However, ns_update_nuse() calls kfree()
for the pointer even when nvme_identify_ns() fails. This results in
KASAN double-free, which was observed with blktests nvme/045 with
proposed patches [1] on the kernel v6.8-rc7. Fix the double-free by
skipping kfree() when nvme_identify_ns() fails.