CVE-2024-46738

CVE Details

Release Date: 2024-09-18

Description


In the Linux kernel, the following vulnerability has been resolved:

VMCI: Fix use-after-free when removing resource in vmci_resource_remove()

When removing a resource from vmci_resource_table in
vmci_resource_remove(), the search is performed using the resource
handle by comparing context and resource fields.

It is possible though to create two resources with different types
but same handle (same context and resource fields).

When trying to remove one of the resources, vmci_resource_remove()
may not remove the intended one, but the object will still be freed
as in the case of the datagram type in vmci_datagram_destroy_handle().
vmci_resource_table will still hold a pointer to this freed resource
leading to a use-after-free vulnerability.

BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592

Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
__kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
kasan_report+0x38/0x51 mm/kasan/report.c:442
vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
kref_put include/linux/kref.h:65 [inline]
vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
__fput+0x261/0xa34 fs/file_table.c:282
task_work_run+0xf0/0x194 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
__syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x6e/0x0

This change ensures the type is also checked when removing
the resource from vmci_resource_table in vmci_resource_remove().
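The lookup flaw described above, reduced to a userspace C model. This is an added example, not the kernel patch or code from this advisory; the table layout, the type and function names, and the handle values are assumptions made for illustration.

```c
#include <stdio.h>

/* Userspace model of the lookup; all names here are hypothetical, not the kernel's. */
enum res_type { RES_DATAGRAM, RES_DOORBELL };
struct handle { unsigned context, resource; };
struct resource { struct handle h; enum res_type type; };
#define TABLE_SLOTS 4
struct table { struct resource *slot[TABLE_SLOTS]; };

static int table_holds(const struct table *t, const struct resource *r)
{
    for (size_t i = 0; i < TABLE_SLOTS; i++)
        if (t->slot[i] == r) return 1;
    return 0;
}

/* Unlink the first entry matching `victim` and return it (NULL if none).
 * check_type = 0: compare context and resource only (the lookup before the fix).
 * check_type = 1: also require the same type (the lookup after the fix). */
static struct resource *table_remove(struct table *t, const struct resource *victim, int check_type)
{
    for (size_t i = 0; i < TABLE_SLOTS; i++) {
        struct resource *r = t->slot[i];
        if (!r || r->h.context != victim->h.context || r->h.resource != victim->h.resource)
            continue;
        if (check_type && r->type != victim->type)
            continue;
        t->slot[i] = NULL;
        return r;
    }
    return NULL;
}

/* Returns 1 if the table still points at `datagram` after it was "removed",
 * the state in which a caller that then frees it leaves a dangling pointer. */
static int stale_after_remove(int check_type)
{
    struct resource doorbell = { {7, 42}, RES_DOORBELL };  /* constructed values */
    struct resource datagram = { {7, 42}, RES_DATAGRAM };  /* same handle, other type */
    struct table t = { { &doorbell, &datagram } };
    table_remove(&t, &datagram, check_type);
    return table_holds(&t, &datagram);
}

int main(void)
{
    printf("handle only: stale=%d, handle+type: stale=%d\n",
           stale_after_remove(0), stale_after_remove(1));
    return 0;
}
```

Nothing is freed in the model; it only reports whether the table still references the object whose removal was requested.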

See more information about CVE-2024-46738 from MITRE CVE dictionary and NIST NVD


CVSS Scoring


NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score: 5.5
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

Errata information


Platform                              Errata            Release Date
Oracle Linux version 7 (kernel-uek)   ELSA-2024-12779   2024-10-11
Oracle Linux version 7 (kernel-uek)   ELSA-2024-12780   2024-10-11
Oracle Linux version 7 (kernel-uek)   ELSA-2024-12782   2024-10-14
Oracle Linux version 8 (kernel-uek)   ELSA-2024-12780   2024-10-11
Oracle Linux version 8 (kernel-uek)   ELSA-2024-12782   2024-10-14


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
