CVE-2024-26972
ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
For error handling path in ubifs_symlink(), inode will be marked as
bad first, then iput() is invoked. If inode->i_link is initialized by
fscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't
be freed by callchain ubifs_free_inode -> fscrypt_free_inode in error
handling path, because make_bad_inode() has changed 'inode->i_mode' as
'S_IFREG'.
Following kmemleak is easy to be reproduced by injecting error in
ubifs_jnl_update() when doing symlink in encryption scenario:
unreferenced object 0xffff888103da3d98 (size 8):
comm "ln", pid 1692, jiffies 4294914701 (age 12.045s)
backtrace:
kmemdup+0x32/0x70
__fscrypt_encrypt_symlink+0xed/0x1c0
ubifs_symlink+0x210/0x300 [ubifs]
vfs_symlink+0x216/0x360
do_symlinkat+0x11a/0x190
do_syscall_64+0x3b/0xe0
There are two ways fixing it:
1. Remove make_bad_inode() in error handling path. We can do that
because ubifs_evict_inode() will do same processes for good
symlink inode and bad symlink inode, for inode->i_nlink checking
is before is_bad_inode().
2. Free inode->i_link before marking inode bad.
Method 2 is picked, it has less influence, personally, I think.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ubifs: ubifs_symlink: corrige la fuga de memleak de inodo->i_link en la ruta de error Para el manejo de errores en la ruta en ubifs_symlink(), el inodo se marcará como incorrecto primero y luego se invocará iput(). Si inode->i_link se inicializa mediante fscrypt_encrypt_symlink() en el escenario de cifrado, inode->i_link no será liberado por la cadena de llamadas ubifs_free_inode -> fscrypt_free_inode en la ruta de manejo de errores, porque make_bad_inode() ha cambiado 'inode->i_mode' como 'S_IFREG '. El siguiente kmemleak es fácil de reproducir inyectando un error en ubifs_jnl_update() al realizar un enlace simbólico en un escenario de cifrado: objeto sin referencia 0xffff888103da3d98 (tamaño 8): comm "ln", pid 1692, jiffies 4294914701 (edad 12.045 s) backtrace: kmemdup+0x32/ 0x70 __fscrypt_encrypt_symlink+0xed/0x1c0 ubifs_symlink+0x210/0x300 [ubifs] vfs_symlink+0x216/0x360 do_symlinkat+0x11a/0x190 do_syscall_64+0x3b/0xe0 Hay dos formas de solucionarlo: 1. Eliminar make_bad _inode() en la ruta de manejo de errores. Podemos hacer eso porque ubifs_evict_inode() realizará los mismos procesos para el inodo de enlace simbólico bueno y el inodo de enlace simbólico incorrecto, para inodo->i_nlink la verificación es antes de is_bad_inode(). 2. Libere inodo->i_link antes de marcar el inodo como incorrecto. Se elige el método 2, creo que tiene menos influencia, personalmente.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-19 CVE Reserved
- 2024-05-01 CVE Published
- 2024-05-01 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/2c58d548f5706d085c4b009f6abb945220460632 | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://git.kernel.org/stable/c/62b5ae00c2b835639002ce898ccb5d82c51073ae | 2024-04-03 | |
https://git.kernel.org/stable/c/6379b44cdcd67f5f5d986b73953e99700591edfa | 2024-02-25 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.2 < 6.8.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.2 < 6.8.3" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.2 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.2 < 6.9" | en |
Affected
|