Message-ID: <2024122730-CVE-2024-56549-ebcd@gregkh>
Date: Fri, 27 Dec 2024 15:11:40 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-56549: cachefiles: Fix NULL pointer dereference in object->file

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: Fix NULL pointer dereference in object->file

At present, the object->file has the NULL pointer dereference problem in
ondemand-mode. The root cause is that the allocated fd and object->file
lifetime are inconsistent, and the user-space invocation to anon_fd uses
object->file. Following is the process that triggers the issue:

	  [write fd]				[umount]
cachefiles_ondemand_fd_write_iter
				       fscache_cookie_state_machine
					 cachefiles_withdraw_cookie
  if (!file) return -ENOBUFS
					   cachefiles_clean_up_object
					     cachefiles_unmark_inode_in_use
					     fput(object->file)
					     object->file = NULL
  // file NULL pointer dereference!
  __cachefiles_write(..., file, ...)

Fix this issue by adding an additional reference count to the object->file
before write/llseek, and decrementing it after they have finished.

The Linux kernel CVE team has assigned CVE-2024-56549 to this issue.
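The interleaving above is a classic check-then-use lifetime bug: the writer validates object->file, but nothing stops the umount path from dropping the object's only reference and clearing the pointer before the write runs. The following is an added user-space model of that bug and of the fix pattern the description names (pin the file with an extra reference before the write, drop it afterwards). It is not kernel code and not the patched cachefiles functions; mock_file, mock_object, withdraw(), write_unsafe(), write_safe() and run_write() are constructed for the illustration, the race is made deterministic by a callback that runs where the [umount] side would interleave, and a NULL or released file is reported as -EFAULT rather than crashing.

```c
/* Added example, not kernel code: a user-space model of the object->file
 * lifetime bug described above and of the fix pattern (pin the file with an
 * extra reference before write/llseek, drop it afterwards). mock_file,
 * mock_object, withdraw() and friends are constructed for the illustration;
 * the race is made deterministic by a callback run where the [umount] side
 * would interleave. */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>
#include <sys/types.h>

/* Stand-in for struct file. Nothing is really freed, so a test can inspect
 * the freed flag after the last reference is dropped. */
struct mock_file {
    atomic_int refcount;
    int freed;        /* 1 once refcount has reached zero */
    size_t written;   /* bytes accepted by mock writes */
};

/* Stand-in for the cache object that owns the anonymous fd's file. */
struct mock_object {
    _Atomic(struct mock_file *) file;
};

typedef void (*race_fn)(struct mock_object *);
typedef ssize_t (*write_fn)(struct mock_object *, const char *, size_t, race_fn);

/* Like fput(): drop one reference, release on the last one. */
static void mock_fput(struct mock_file *f)
{
    if (atomic_fetch_sub(&f->refcount, 1) == 1)
        f->freed = 1;
}

/* Like atomic_inc_not_zero(): take a reference only while the file is
 * still alive; fails if the last reference has already been dropped. */
static int mock_get_file(struct mock_file *f)
{
    int old = atomic_load(&f->refcount);
    while (old > 0)
        if (atomic_compare_exchange_weak(&f->refcount, &old, old + 1))
            return 1;
    return 0;
}

/* Models cachefiles_clean_up_object(): detach the file from the object and
 * drop the object's own reference (fput(object->file); object->file = NULL). */
static void withdraw(struct mock_object *obj)
{
    struct mock_file *f = atomic_exchange(&obj->file, (struct mock_file *)NULL);
    if (f)
        mock_fput(f);
}

/* Models __cachefiles_write(). Touching a NULL or released file is the
 * kernel crash; here it is reported as -EFAULT instead. */
static ssize_t mock_write(struct mock_file *f, const char *buf, size_t len)
{
    (void)buf;
    if (!f || f->freed)
        return -EFAULT;
    f->written += len;
    return (ssize_t)len;
}

/* Unsafe pattern from the description: check object->file, then use it
 * again later without holding a reference. If withdrawal runs in between,
 * the second read of object->file is NULL. */
static ssize_t write_unsafe(struct mock_object *obj, const char *buf, size_t len, race_fn race)
{
    struct mock_file *file = atomic_load(&obj->file);
    if (!file)
        return -ENOBUFS;
    if (race)
        race(obj);                          /* [umount] path interleaves here */
    return mock_write(atomic_load(&obj->file), buf, len);
}

/* Fixed pattern: take an extra reference first, write through the pinned
 * pointer, drop the reference when done. Withdrawal may still run in the
 * window, but it can no longer release the file out from under the write. */
static ssize_t write_safe(struct mock_object *obj, const char *buf, size_t len, race_fn race)
{
    struct mock_file *file = atomic_load(&obj->file);
    if (!file || !mock_get_file(file))
        return -ENOBUFS;
    if (race)
        race(obj);
    ssize_t ret = mock_write(file, buf, len);
    mock_fput(file);   /* releases the file if withdrawal already dropped its reference */
    return ret;
}

/* Run one 4-byte write against a fresh object with `race` (or NULL)
 * interleaved; *released reports whether the file has been released by then. */
static ssize_t run_write(write_fn writer, race_fn race, int *released)
{
    struct mock_object obj;
    struct mock_file f = {0};
    atomic_init(&f.refcount, 1);            /* the object's own reference */
    atomic_init(&obj.file, &f);
    ssize_t ret = writer(&obj, "data", 4, race);
    if (released)
        *released = f.freed;
    return ret;
}

int main(void)
{
    int released;
    ssize_t r = run_write(write_unsafe, withdraw, &released);
    printf("unsafe write racing withdrawal: %zd (NULL dereference in the kernel)\n", r);
    r = run_write(write_safe, withdraw, &released);
    printf("safe write racing withdrawal:   %zd, file released afterwards: %d\n", r, released);
    return 0;
}
```

The point to take from the model is that the pinned pointer, not object->file, is what the write uses after the reference is taken: withdrawal can still clear the pointer and drop its own reference, but the file stays valid until the writer's mock_fput(), which is the last reference and performs the release. mock_get_file() deliberately refuses to revive a file whose count already hit zero, which is why the safe path returns -ENOBUFS rather than touching released memory when the race is lost before the reference is taken.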


Affected and fixed versions
===========================

	Issue introduced in 5.19 with commit c8383054506c77b814489c09877b5db83fd4abf2 and fixed in 6.11.11 with commit f98770440c9bc468e2fd878212ec9526dbe08293
	Issue introduced in 5.19 with commit c8383054506c77b814489c09877b5db83fd4abf2 and fixed in 6.12.2 with commit 9582c7664103c9043e80a78f5c382aa6bdd67418
	Issue introduced in 5.19 with commit c8383054506c77b814489c09877b5db83fd4abf2 and fixed in 6.13-rc1 with commit 31ad74b20227ce6b40910ff78b1c604e42975cf1

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56549
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/cachefiles/interface.c
	fs/cachefiles/ondemand.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/f98770440c9bc468e2fd878212ec9526dbe08293
	https://git.kernel.org/stable/c/9582c7664103c9043e80a78f5c382aa6bdd67418
	https://git.kernel.org/stable/c/31ad74b20227ce6b40910ff78b1c604e42975cf1
