ACK: [SRU][N][PATCH 0/1] CVE-2024-46738
Guoqing Jiang
guoqing.jiang at canonical.com
Wed Oct 9 06:12:51 UTC 2024
Acked-by: Guoqing Jiang <guoqing.jiang at canonical.com>
On 10/8/24 16:00, Massimiliano Pellizzer wrote:
> [Impact]
>
> VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
>
> When removing a resource from vmci_resource_table in
> vmci_resource_remove(), the search is performed using the resource
> handle by comparing context and resource fields.
>
> It is possible though to create two resources with different types
> but same handle (same context and resource fields).
>
> When trying to remove one of the resources, vmci_resource_remove()
> may not remove the intended one, but the object will still be freed
> as in the case of the datagram type in vmci_datagram_destroy_handle().
> vmci_resource_table will still hold a pointer to this freed resource
> leading to a use-after-free vulnerability.
>
> This change ensures the type is also checked when removing
> the resource from vmci_resource_table in vmci_resource_remove().
>
> [Fix]
>
> Noble: Cherry picked from linux-6.10.y
> Jammy: Fixed
> Focal: Fixed
> Bionic: Sent to ESM ML
> Xenial: Sent to ESM ML
>
> [Test Case]
>
> Compile tested only.
>
> [Where problems could occur]
>
> The fix affects the VMWare VMCI subsystem. An issue with this fix may
> lead to incorrect resource management by the subsystem, causing system
> instability or crashes during usage of VMWare software. Moreover, users
> may notice failures in virtual machine communication or connection.
>
> David Fernandez Gonzalez (1):
> VMCI: Fix use-after-free when removing resource in
> vmci_resource_remove()
>
> drivers/misc/vmw_vmci/vmci_resource.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
More information about the kernel-team
mailing list