CVE-2024-41012
filelock: Remove locks reliably when fcntl/close race is detected
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
filelock: Remove locks reliably when fcntl/close race is detected
When fcntl_setlk() races with close(), it removes the created lock with
do_lock_file_wait().
However, LSMs can allow the first do_lock_file_wait() that created the lock
while denying the second do_lock_file_wait() that tries to remove the lock.
Separately, posix_lock_file() could also fail to
remove a lock due to GFP_KERNEL allocation failure (when splitting a range
in the middle).
After the bug has been triggered, use-after-free reads will occur in
lock_get_status() when userspace reads /proc/locks. This can likely be used
to read arbitrary kernel memory, but can't corrupt kernel memory.
Fix it by calling locks_remove_posix() instead, which is designed to
reliably get rid of POSIX locks associated with the given file and
files_struct and is also used by filp_flush().
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: filelock: Elimina bloqueos de manera confiable cuando se detecta fcntl/close race Cuando fcntl_setlk() corre con close(), elimina el bloqueo creado con do_lock_file_wait(). Sin embargo, los LSM pueden permitir el primer do_lock_file_wait() que creó el bloqueo y al mismo tiempo negar el segundo do_lock_file_wait() que intenta eliminar el bloqueo. Por separado, posix_lock_file() también podría no eliminar un bloqueo debido a un fallo en la asignación de GFP_KERNEL (al dividir un rango por la mitad). Después de que se haya activado el error, se producirán lecturas de use-after-free en lock_get_status() cuando el espacio de usuario lea /proc/locks. Es probable que esto se pueda usar para leer memoria del kernel arbitraria, pero no puede dañar la memoria del kernel. Solucionelo llamando a locks_remove_posix() en su lugar, que está diseñado para deshacerse de manera confiable de los bloqueos POSIX asociados con el archivo dado y files_struct y también lo usa filp_flush().
An LSM can prevent the fcntl/close race cleanup path in fcntl_setlk() from working, leading to use-after-free read in lock_get_status() when reading /proc/locks.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-07-12 CVE Reserved
- 2024-07-23 CVE Published
- 2024-09-13 EPSS Updated
- 2024-11-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (11)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/c293621bbf678a3d85e3ed721c3921c8a670610d | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2024-41012 | 2024-09-24 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2299452 | 2024-09-24 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.13 < 4.19.319 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.13 < 4.19.319" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.13 < 5.4.281 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.13 < 5.4.281" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.13 < 5.10.223 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.13 < 5.10.223" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.13 < 5.15.164 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.13 < 5.15.164" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.13 < 6.1.101 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.13 < 6.1.101" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.13 < 6.6.42 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.13 < 6.6.42" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.13 < 6.9.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.13 < 6.9.9" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.13 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.13 < 6.10" | en |
Affected
|