CVE-2024-46738

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-46738
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46738.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-46738
Related
Published
2024-09-18T08:15:03Z
Modified
2024-10-07T19:49:50.332814Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

VMCI: Fix use-after-free when removing resource in vmciresourceremove()

When removing a resource from vmciresourcetable in vmciresourceremove(), the search is performed using the resource handle by comparing context and resource fields.

It is possible though to create two resources with different types but same handle (same context and resource fields).

When trying to remove one of the resources, vmciresourceremove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmcidatagramdestroyhandle(). vmciresource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability.

BUG: KASAN: use-after-free in vmcihandleisequal include/linux/vmwvmcidefs.h:142 [inline] BUG: KASAN: use-after-free in vmciresourceremove+0x3a1/0x410 drivers/misc/vmwvmci/vmciresource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x82/0xa9 lib/dumpstack.c:106 printaddressdescription.constprop.0+0x21/0x366 mm/kasan/report.c:239 _kasanreport.cold+0x7f/0x132 mm/kasan/report.c:425 kasanreport+0x38/0x51 mm/kasan/report.c:442 vmcihandleisequal include/linux/vmwvmcidefs.h:142 [inline] vmciresourceremove+0x3a1/0x410 drivers/misc/vmwvmci/vmciresource.c:147 vmciqpbrokerdetach+0x89a/0x11b9 drivers/misc/vmwvmci/vmciqueuepair.c:2182 ctxfreectx+0x473/0xbe1 drivers/misc/vmwvmci/vmcicontext.c:444 krefput include/linux/kref.h:65 [inline] vmcictxput drivers/misc/vmwvmci/vmcicontext.c:497 [inline] vmcictxdestroy+0x170/0x1d6 drivers/misc/vmwvmci/vmcicontext.c:195 vmcihostclose+0x125/0x1ac drivers/misc/vmwvmci/vmcihost.c:143 _fput+0x261/0xa34 fs/filetable.c:282 taskworkrun+0xf0/0x194 kernel/taskwork.c:164 tracehooknotifyresume include/linux/tracehook.h:189 [inline] exittousermodeloop+0x184/0x189 kernel/entry/common.c:187 exittousermodeprepare+0x11b/0x123 kernel/entry/common.c:220 _syscallexittousermodework kernel/entry/common.c:302 [inline] syscallexittousermode+0x18/0x42 kernel/entry/common.c:313 dosyscall64+0x41/0x85 arch/x86/entry/common.c:86 entrySYSCALL64after_hwframe+0x6e/0x0

This change ensures the type is also checked when removing the resource from vmciresourcetable in vmciresourceremove().

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.226-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1
5.10.205-1
5.10.205-2
5.10.209-1
5.10.209-2
5.10.216-1
5.10.218-1
5.10.221-1
5.10.223-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.112-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.10.11-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1
6.10.6-1
6.10.7-1
6.10.9-1
6.10.11-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}