[SRU][N][PATCH 0/1] CVE-2024-46738

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Tue Oct 8 08:00:10 UTC 2024


[Impact]

VMCI: Fix use-after-free when removing resource in vmci_resource_remove()

When removing a resource from vmci_resource_table in
vmci_resource_remove(), the search is performed using the resource
handle by comparing context and resource fields.

It is possible though to create two resources with different types
but same handle (same context and resource fields).

When trying to remove one of the resources, vmci_resource_remove()
may not remove the intended one, but the object will still be freed
as in the case of the datagram type in vmci_datagram_destroy_handle().
vmci_resource_table will still hold a pointer to this freed resource
leading to a use-after-free vulnerability.

This change ensures the type is also checked when removing
the resource from vmci_resource_table in vmci_resource_remove().

[Fix]

Noble:  Cherry picked from linux-6.10.y
Jammy:  Fixed
Focal:  Fixed
Bionic: Sent to ESM ML
Xenial: Sent to ESM ML

[Test Case]

Compile tested only.

[Where problems could occur]

The fix affects the VMware VMCI subsystem. An issue with this fix may
lead to incorrect resource management by the subsystem, causing system
instability or crashes during usage of VMware software. Moreover, users
may notice failures in virtual machine communication or connection.

David Fernandez Gonzalez (1):
  VMCI: Fix use-after-free when removing resource in
    vmci_resource_remove()

 drivers/misc/vmw_vmci/vmci_resource.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

-- 
2.43.0
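
The failure described under [Impact], as an added example that is not code from the patch, the kernel or the submitter: a toy model of the lookup that vmci_resource_remove() performs on vmci_resource_table, with the pre-fix match (context and resource only) and the post-fix match (context, resource and type) selectable by a flag. The handle values, the single singly-linked bucket standing in for the kernel's hash table of hlists, the reduced two-member enum and the destroy_datagram*() helper names are constructed for the model and do not exist in the driver.

```c
/* Toy model of the vmci_resource_table lookup in vmci_resource_remove().
 * Added example, not the kernel's code: one singly linked bucket stands in
 * for the hash table (entries with the same handle share a bucket anyway). */
#include <stdbool.h>
#include <stdlib.h>

enum vmci_resource_type {	/* reduced stand-in for the kernel's enum */
	VMCI_RESOURCE_TYPE_DATAGRAM,
	VMCI_RESOURCE_TYPE_DOORBELL,
};

struct vmci_handle {
	unsigned int context;
	unsigned int resource;
};

struct vmci_resource {
	struct vmci_handle handle;
	enum vmci_resource_type type;
	struct vmci_resource *next;
};

static struct vmci_resource *table;	/* the one bucket of the model */

static void table_add(struct vmci_resource *r)
{
	r->next = table;
	table = r;
}

static bool table_contains(const struct vmci_resource *r)
{
	for (const struct vmci_resource *p = table; p; p = p->next)
		if (p == r)
			return true;
	return false;
}

/* Unlink and return the first entry whose handle matches and, when
 * check_type is set, whose type matches too. check_type == false is the
 * lookup before the fix; check_type == true is the lookup after it. */
static struct vmci_resource *table_remove(struct vmci_handle h,
					  enum vmci_resource_type t,
					  bool check_type)
{
	for (struct vmci_resource **pp = &table; *pp; pp = &(*pp)->next) {
		struct vmci_resource *r = *pp;

		if (r->handle.context != h.context ||
		    r->handle.resource != h.resource)
			continue;
		if (check_type && r->type != t)
			continue;
		*pp = r->next;
		return r;
	}
	return NULL;
}

struct outcome {
	int removed_type;	/* type of the entry actually unlinked, -1 if none */
	bool dangling;		/* table still points at the datagram when it is freed */
};

/* Register a datagram and a doorbell under the same (constructed) handle,
 * then destroy the datagram the way vmci_datagram_destroy_handle() does:
 * remove its table entry, then free the object whatever was removed. */
static struct outcome destroy_datagram(bool check_type)
{
	struct vmci_handle h = { .context = 7, .resource = 42 };
	struct vmci_resource *dg = calloc(1, sizeof(*dg));
	struct vmci_resource *db = calloc(1, sizeof(*db));
	struct vmci_resource *removed;
	struct outcome out;

	if (!dg || !db)
		abort();
	dg->handle = h; dg->type = VMCI_RESOURCE_TYPE_DATAGRAM;
	db->handle = h; db->type = VMCI_RESOURCE_TYPE_DOORBELL;
	table = NULL;
	table_add(dg);
	table_add(db);	/* registered last, so the search meets it first */

	removed = table_remove(h, VMCI_RESOURCE_TYPE_DATAGRAM, check_type);
	out.removed_type = removed ? (int)removed->type : -1;
	out.dangling = table_contains(dg);

	/* In the kernel dg is freed here while the table may still reference
	 * it; the model drops its table instead of walking freed memory. */
	table = NULL;
	free(dg);
	free(db);
	return out;
}

bool destroy_datagram_leaves_dangling(bool check_type)
{
	return destroy_datagram(check_type).dangling;
}

int destroy_datagram_removed_type(bool check_type)
{
	return destroy_datagram(check_type).removed_type;
}
```

With check_type false the search unlinks the doorbell, the datagram is freed anyway, and the bucket keeps a pointer to freed memory; with check_type true only the datagram can match, so the entry that is unlinked is the one that is freed.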
