First published: Mon Oct 21 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: memcg: fix possible use-after-free in memcg_write_event_control() memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too. Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it allowing any file to slip through. With the invarients broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-free's. Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Linux kernel | >=3.14<4.14.302 | |
Linux Linux kernel | >=4.15<4.19.269 | |
Linux Linux kernel | >=4.20<5.4.227 | |
Linux Linux kernel | >=5.5<5.10.159 | |
Linux Linux kernel | >=5.11<5.15.83 | |
Linux Linux kernel | >=5.16<6.0.13 | |
Linux Linux kernel | =6.1-rc1 | |
Linux Linux kernel | =6.1-rc2 | |
Linux Linux kernel | =6.1-rc3 | |
Linux Linux kernel | =6.1-rc4 | |
Linux Linux kernel | =6.1-rc5 | |
Linux Linux kernel | =6.1-rc6 | |
Linux Linux kernel | =6.1-rc7 | |
Linux Linux kernel | =6.1-rc8 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.