CVE-2024-53143

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53143
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53143.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-53143
Published
2024-12-07T06:40:43Z
Modified
2025-10-22T05:42:49.872525Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
fsnotify: Fix ordering of iput() and watched_objects decrement
Details

In the Linux kernel, the following vulnerability has been resolved:

fsnotify: Fix ordering of iput() and watched_objects decrement

Ensure the superblock is kept alive until we're done with iput(). Holding a reference to an inode is not allowed unless we ensure the superblock stays alive, which fsnotify does by keeping the watched_objects count elevated, so iput() must happen before the watched_objects decrement. This can lead to a UAF of something like sb->s_fs_info in tmpfs, but the UAF is hard to hit because race orderings that oops are more likely, thanks to the CHECK_DATA_CORRUPTION() block in generic_shutdown_super().

Also, ensure that fsnotify_put_sb_watched_objects() doesn't call fsnotify_sb_watched_objects() on a superblock that may have already been freed, which would cause a UAF read of sb->s_fsnotify_info.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d2f277e26f521ccf6fb438463b41dba6123caabe
Fixed
45a8f8232a495221ed058191629f5c628f21601a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d2f277e26f521ccf6fb438463b41dba6123caabe
Fixed
83af1cfa10d9aafdabd06b3655e07727f373b434
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d2f277e26f521ccf6fb438463b41dba6123caabe
Fixed
21d1b618b6b9da46c5116c640ac4b1cc8d40d63a

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.10
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.11.6
v6.11.7
v6.11.8
v6.11.9
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.9
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.11.11
Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.2