ghsa-c77m-wh63-vhch
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
filelock: Remove locks reliably when fcntl/close race is detected
When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock. Separately, posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle).
After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can't corrupt kernel memory.
Fix it by calling locks_remove_posix() instead, which is designed to reliably get rid of POSIX locks associated with the given file and files_struct and is also used by filp_flush().
{ "affected": [], "aliases": [ "CVE-2024-41012" ], "database_specific": { "cwe_ids": [ "CWE-416" ], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-07-23T08:15:01Z", "severity": "MODERATE" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: Remove locks reliably when fcntl/close race is detected\n\nWhen fcntl_setlk() races with close(), it removes the created lock with\ndo_lock_file_wait().\nHowever, LSMs can allow the first do_lock_file_wait() that created the lock\nwhile denying the second do_lock_file_wait() that tries to remove the lock.\nSeparately, posix_lock_file() could also fail to\nremove a lock due to GFP_KERNEL allocation failure (when splitting a range\nin the middle).\n\nAfter the bug has been triggered, use-after-free reads will occur in\nlock_get_status() when userspace reads /proc/locks. This can likely be used\nto read arbitrary kernel memory, but can\u0027t corrupt kernel memory.\n\nFix it by calling locks_remove_posix() instead, which is designed to\nreliably get rid of POSIX locks associated with the given file and\nfiles_struct and is also used by filp_flush().", "id": "GHSA-c77m-wh63-vhch", "modified": "2024-09-12T15:32:58Z", "published": "2024-07-23T09:30:39Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41012" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/3cad1bc010416c6dd780643476bc59ed742436b9" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/52c87ab18c76c14d7209646ccb3283b3f5d87b22" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/5661b9c7ec189406c2dde00837aaa4672efb6240" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/5f5d0799eb0a01d550c21b7894e26b2d9db55763" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/b6d223942c34057fdfd8f149e763fa823731b224" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/d30ff33040834c3b9eee29740acd92f9c7ba2250" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/dc2ce1dfceaa0767211a9d963ddb029ab21c4235" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/ef8fc41cd6f95f9a4a3470f085aecf350569a0b3" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", "type": "CVSS_V3" } ] }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.