CVE-2024-46786
N/A
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF
The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows:
================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: <IRQ> tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 </TASK> Modules linked in: [last unloaded: netfs]
Therefore delete fscache_cookie_lru_timer when removing the fscahe module.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 12bb21a29c19aae50cfad4e2bb5c943108f34a7d < c1fc36d5470335546c45799d94d7bb2cbc09e8b7 | affected |
| Linux | Linux | 12bb21a29c19aae50cfad4e2bb5c943108f34a7d < e0d724932ad12e3528f4ce97fc0f6078d0cce4bc | affected |
| Linux | Linux | 12bb21a29c19aae50cfad4e2bb5c943108f34a7d < 0a11262549ac2ac6fb98c7cd40a67136817e5a52 | affected |
| Linux | Linux | 12bb21a29c19aae50cfad4e2bb5c943108f34a7d < 72a6e22c604c95ddb3b10b5d3bb85b6ff4dbc34f | affected |
| Linux | Linux | 5.17 | affected |
| Linux | Linux | 0 < 5.17 | unaffected |
| Linux | Linux | 6.1.160 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.51 <= 6.6.* | unaffected |
| Linux | Linux | 6.10.10 <= 6.10.* | unaffected |
| Linux | Linux | 6.11 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/c1fc36d5470335546c45799d94d7bb2cbc09e8b7
- https://git.kernel.org/stable/c/e0d724932ad12e3528f4ce97fc0f6078d0cce4bc
- https://git.kernel.org/stable/c/0a11262549ac2ac6fb98c7cd40a67136817e5a52
- https://git.kernel.org/stable/c/72a6e22c604c95ddb3b10b5d3bb85b6ff4dbc34f
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.