Updated: 2024-11-04 14:02:46.388442
Description:
In the Linux kernel, the following vulnerability has been resolved:

memcg: fix possible use-after-free in memcg_write_event_control()

memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too.

Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it, allowing any file to slip through. With the invariants broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-frees.

Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type.
Links | NIST | CIRCL | RHEL | Ubuntu |
CVSS version | Severity | Score |
---|---|---|
CVSS Version 2.x | 0 | |
CVSS Version 3.x | HIGH | 7 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
---|---|---|---|---|---|---|---|---|
AlmaLinux 9.2 ESU | kernel | 5.14.0 | 7.0 | HIGH | Released | CLSA-2025:1738671431 | 2025-02-05 02:57:08 | |
AlmaLinux 9.2 FIPS | kernel | 5.14.0 | 7.0 | HIGH | Released | CLSA-2025:1738670922 | 2025-02-05 02:13:43 | |
CentOS 8.4 ELS | kernel | 4.18.0 | 7.0 | HIGH | Released | CLSA-2024:1731430561 | 2024-11-12 13:31:53 | |
CentOS 8.5 ELS | kernel | 4.18.0 | 7.0 | HIGH | In Testing | CLSA-2024:1731431059 | 2025-02-11 00:37:19 | |
CentOS Stream 8 ELS | kernel | 4.18.0 | 7.0 | HIGH | Already Fixed | | 2025-02-19 06:50:31 | |
Ubuntu 16.04 ELS | linux | 4.4.0 | 7.0 | HIGH | In Testing | CLSA-2024:1731605761 | 2025-02-01 23:55:37 | |
Ubuntu 16.04 ELS | linux-hwe | 4.15.0 | 7.0 | HIGH | Already Fixed | | 2024-11-07 12:03:11 | |