APPLIED: [SRU][N][PATCH 0/1] CVE-2024-46738

Stefan Bader stefan.bader at canonical.com
Fri Oct 11 12:44:40 UTC 2024 

On 08.10.24 10:00, Massimiliano Pellizzer wrote:
> [Impact]
> 
> VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
> 
> When removing a resource from vmci_resource_table in
> vmci_resource_remove(), the search is performed using the resource
> handle by comparing context and resource fields.
> 
> It is possible though to create two resources with different types
> but same handle (same context and resource fields).
> 
> When trying to remove one of the resources, vmci_resource_remove()
> may not remove the intended one, but the object will still be freed
> as in the case of the datagram type in vmci_datagram_destroy_handle().
> vmci_resource_table will still hold a pointer to this freed resource
> leading to a use-after-free vulnerability.
> 
> This change ensures the type is also checked when removing
> the resource from vmci_resource_table in vmci_resource_remove().
> 
> [Fix]
> 
> Noble:  Cherry picked from linux-6.10.y
> Jammy:  Fixed
> Focal:  Fixed
> Bionic: Sent to ESM ML
> Xenial: Sent to ESM ML
> 
> [Test Case]
> 
> Compile tested only.
> 
> [Where problems could occur]
> 
> The fix affects the VMWare VMCI subsystem. An issue with this fix may
> lead to incorrect resource management by the subsystem, causing system
> instability or crashes during usage of VMWare software. Moreover, users
> may notice failures in virtual machine communication or connection.
> 
> David Fernandez Gonzalez (1):
>    VMCI: Fix use-after-free when removing resource in
>      vmci_resource_remove()
> 
>   drivers/misc/vmw_vmci/vmci_resource.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 

Applied to noble:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20241011/2c58ed4f/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20241011/2c58ed4f/attachment-0001.sig>

More information about the kernel-team mailing list