CVE-2024-39463

CVE Details

Release Date: 2024-06-25

Description


In the Linux kernel, the following vulnerability has been resolved:

9p: add missing locking around taking dentry fid list

Fix a use-after-free on dentry's d_fsdata fid list when a thread looks up a fid through dentry while another thread unlinks it:

UAF thread:
refcount_t: addition on 0; use-after-free.
p9_fid_get linux/./include/net/9p/client.h:262
v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129
v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181
v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314
v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400
vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248

Freed by:
p9_fid_destroy (inlined)
p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456
p9_fid_put linux/./include/net/9p/client.h:278
v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55
v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518
vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335

The problem is that d_fsdata was not accessed under d_lock, because d_release() normally is only called once the dentry is otherwise no longer accessible, but since we also call it explicitly in v9fs_remove that lock is required: move the hlist out of the dentry under lock, then unref its fids once they are no longer accessible.
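The locking fix the description summarises, as an added user-space model written for this page (not kernel code and not the upstream patch): lookups walk the dentry's fid list under d_lock, and release detaches the list under that same lock before dropping references, so a concurrent lookup can never take a reference on a fid that is about to be freed. The function names are simplified analogues of the kernel functions in the trace above; the fids, thread counts and iteration counts are constructed test input.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
struct fid { atomic_int refcount; struct fid *next; };
struct dentry { pthread_mutex_t d_lock; struct fid *fids; };  /* fids stands in for d_fsdata */
static atomic_int freed_count, addition_on_zero;  /* the latter mirrors refcount_t's "addition on 0" */
/* p9_fid_get analogue: refuses an increment from zero and records it as a would-be UAF. */
static struct fid *fid_get(struct fid *f) {
    int old = atomic_load(&f->refcount);
    while (old && !atomic_compare_exchange_weak(&f->refcount, &old, old + 1)) ;
    if (!old) atomic_fetch_add(&addition_on_zero, 1);
    return old ? f : NULL;
}
static void fid_put(struct fid *f) {  /* p9_fid_put analogue: the last reference frees the fid */
    if (atomic_fetch_sub(&f->refcount, 1) == 1) { free(f); atomic_fetch_add(&freed_count, 1); }
}
/* v9fs_fid_find analogue: walk the dentry's fid list under d_lock and take a reference. */
static struct fid *fid_find(struct dentry *d) {
    struct fid *f, *got = NULL;
    pthread_mutex_lock(&d->d_lock);
    for (f = d->fids; f && !(got = fid_get(f)); f = f->next) ;
    pthread_mutex_unlock(&d->d_lock);
    return got;
}
/* Fixed v9fs_dentry_release: detach the whole list under d_lock, then drop refs once no lookup can reach it. */
static void dentry_release_fixed(struct dentry *d) {
    struct fid *head, *n;
    pthread_mutex_lock(&d->d_lock);
    head = d->fids; d->fids = NULL;
    pthread_mutex_unlock(&d->d_lock);
    for (; head; head = n) { n = head->next; fid_put(head); }
}
static struct dentry shared = { PTHREAD_MUTEX_INITIALIZER, NULL };  /* the dentry being unlinked */
static void *lookup_loop(void *iters) {  /* models the vfs_statx -> v9fs_fid_lookup callers */
    for (long i = 0; i < (long)iters; i++) { struct fid *f = fid_find(&shared); if (f) fid_put(f); }
    return NULL;
}
/* Race nthreads lookups against one explicit release (the v9fs_remove path).
 * Returns 1 if every fid was freed exactly once and no get-from-zero occurred. */
int run_race(int nfids, int nthreads, long iters) {
    pthread_t th[nthreads];
    atomic_store(&freed_count, 0); atomic_store(&addition_on_zero, 0);
    for (int i = 0; i < nfids; i++) {  /* constructed fids, each holding one dentry-owned reference */
        struct fid *f = malloc(sizeof *f); atomic_init(&f->refcount, 1); f->next = shared.fids; shared.fids = f;
    }
    for (int i = 0; i < nthreads; i++) pthread_create(&th[i], NULL, lookup_loop, (void *)iters);
    dentry_release_fixed(&shared);
    for (int i = 0; i < nthreads; i++) pthread_join(th[i], NULL);
    return fid_find(&shared) == NULL && atomic_load(&freed_count) == nfids && !atomic_load(&addition_on_zero);
}
```

The unfixed pattern differs only in dentry_release walking d->fids and putting each fid without taking d_lock, which is the window in which a racing fid_find reaches an already freed fid.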

See more information about CVE-2024-39463 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 7.1
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Version: 3.1
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Errata information


Platform                               Errata           Release Date
Oracle Linux version 8 (kernel-uek)    ELSA-2024-12887  2024-12-18
Oracle Linux version 9 (kernel-uek)    ELSA-2024-12887  2024-12-18


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: