CVE-2024-49854
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix uaf for accessing waker_bfqq after splitting
After commit 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()"), if the current procress is the last holder of bfqq, the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and then access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq may in the merge chain of bfqq, hence just recored waker_bfqq is still not safe.
Fix the problem by adding a helper bfq_waker_bfqq() to check if bfqq->waker_bfqq is in the merge chain, and current procress is the only holder.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | e0c20d88b7dce85d2703bb6ba77bf359959675cd < 63a07379fdb6c72450cb05294461c6016b8b7726 | affected |
| Linux | Linux | de6c5e3a456019d2182e345730e59721714fa0b5 < de0456460f2abf921e356ed2bd8da87a376680bd | affected |
| Linux | Linux | 19f3bec2ac4be329b9bd12b18a989b867618d2d8 < 0780451f03bf518bc032a7c584de8f92e2d39d7f | affected |
| Linux | Linux | 13b3d0e8cb121f99b11918a0d4bcc1ce4647d352 < 0b8bda0ff17156cd3f60944527c9d8c9f99f1583 | affected |
| Linux | Linux | 4780f50ea50cfe8e89fc3747bf3dd155488433bb < cae58d19121a70329cf971359e2518c93fec04fe | affected |
| Linux | Linux | 42c306ed723321af4003b2a41bb73728cab54f85 < 1ba0403ac6447f2d63914fb760c44a3b19c44eaf | affected |
| Linux | Linux | 9e813033594b141f61ff0ef0cfaaef292564b041 | affected |
| Linux | Linux | 3a5f45a4ad4e1fd36b0a998eef03d76a4f02a2a8 | affected |
| Linux | Linux | 3630a18846c7853aa326d3b42fd0a855af7b41bc | affected |
| Linux | Linux | 4.19.323 < 4.20 | affected |
| Linux | Linux | 5.4.285 < 5.5 | affected |
| Linux | Linux | 5.10.227 < 5.11 | affected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://git.kernel.org/stable/c/63a07379fdb6c72450cb05294461c6016b8b7726
- https://git.kernel.org/stable/c/de0456460f2abf921e356ed2bd8da87a376680bd
- https://git.kernel.org/stable/c/0780451f03bf518bc032a7c584de8f92e2d39d7f
- https://git.kernel.org/stable/c/0b8bda0ff17156cd3f60944527c9d8c9f99f1583
- https://git.kernel.org/stable/c/cae58d19121a70329cf971359e2518c93fec04fe
- https://git.kernel.org/stable/c/1ba0403ac6447f2d63914fb760c44a3b19c44eaf
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.