CVE-2024-41049: filelock: fix potential use-after-free in posix_lock_inode
First published: Mon Jul 29 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: filelock: fix potential use-after-free in posix_lock_inode Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode's list. However, before the tracepoint could fire, another task raced in and freed that lock. Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn't happen.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | >=5.4.257<5.4.280 | |
| Linux Linux kernel | >=5.10.197<5.10.222 | |
| Linux Linux kernel | >=5.15.133<5.15.163 | |
| Linux Linux kernel | >=6.1.55<6.1.100 | |
| Linux Linux kernel | >=6.6<6.6.41 | |
| Linux Linux kernel | >=6.7<6.9.10 | |
| redhat/kernel | <5.4.280 | 5.4.280 |
| redhat/kernel | <5.10.222 | 5.10.222 |
| redhat/kernel | <5.15.163 | 5.15.163 |
| redhat/kernel | <6.1.100 | 6.1.100 |
| redhat/kernel | <6.6.41 | 6.6.41 |
| redhat/kernel | <6.9.10 | 6.9.10 |
| redhat/kernel | <6.10 | 6.10 |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.112-1 6.11.7-1 6.11.9-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/02a8964260756c70b20393ad4006948510ac9967
- https://git.kernel.org/stable/c/116599f6a26906cf33f67975c59f0692ecf7e9b2
- https://git.kernel.org/stable/c/1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92
- https://git.kernel.org/stable/c/1cbbb3d9475c403ebedc327490c7c2b991398197
- https://git.kernel.org/stable/c/432b06b69d1d354a171f7499141116536579eb6a
- https://git.kernel.org/stable/c/5cb36e35bc10ea334810937990c2b9023dacb1b0
- https://git.kernel.org/stable/c/7d4c14f4b511fd4c0dc788084ae59b4656ace58b
- https://launchpad.net/bugs/cve/CVE-2024-41049
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41049
- https://nvd.nist.gov/vuln/detail/CVE-2024-41049
- https://security-tracker.debian.org/tracker/CVE-2024-41049
- https://ubuntu.com/security/CVE-2024-41049
- https://git.kernel.org/linus/1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92
- https://lore.kernel.org/linux-cve-announce/2024072927-CVE-2024-41049-bf28@gregkh/T
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2301579
- https://access.redhat.com/errata/RHSA-2024:8614
- https://access.redhat.com/errata/RHSA-2024:8613
- https://access.redhat.com/errata/RHSA-2024:9315
- https://bugzilla.redhat.com/show_bug.cgi?id=2300422
- agent/title
- agent/type
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- agent/first-publish-date
- agent/author
- collector/nvd-cve
- collector/launchpad-cve
- source/Launchpad
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/tags
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-41049
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/5.4.257
- version/linux linux kernel/5.10.197
- version/linux linux kernel/5.15.133
- version/linux linux kernel/6.1.55
- version/linux linux kernel/6.6
- version/linux linux kernel/6.7
- package-manager/debian
- package-manager/redhat