CVE-2024-41012

high

Published 2024-11-12 · Modified 2024-09-24

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.0

Description

In the Linux kernel, the following vulnerability has been resolved: filelock: Remove locks reliably when fcntl/close race is detected When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock. Separately, posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle). After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can't corrupt kernel memory. Fix it by calling locks_remove_posix() instead, which is designed to reliably get rid of POSIX locks associated with the given file and files_struct and is also used by filp_flush().

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description kernel: filelock: Remove locks reliably when fcntl/close race is detected CVSS v3: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Enterprise Linux 8kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10RHSA-2024:70012024-09-24T00:00:00Z Red Hat Enterprise Linux 8kernel-0:4.18.0-553.22.1.el8_10RHSA-2024:70002024-09-24T00:00:00Z Red…

Description

kernel: filelock: Remove locks reliably when fcntl/close race is detected

CVSS v3: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 8	`kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10`	RHSA-2024:7001	2024-09-24T00:00:00Z
Red Hat Enterprise Linux 8	`kernel-0:4.18.0-553.22.1.el8_10`	RHSA-2024:7000	2024-09-24T00:00:00Z
Red Hat Enterprise Linux 9	`kernel-0:5.14.0-503.11.1.el9_5`	RHSA-2024:9315	2024-11-12T00:00:00Z
Red Hat Enterprise Linux 9	`kernel-0:5.14.0-503.11.1.el9_5`	RHSA-2024:9315	2024-11-12T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 6	`kernel`	Out of support scope
Red Hat Enterprise Linux 7	`kernel`	Out of support scope
Red Hat Enterprise Linux 7	`kernel-rt`	Out of support scope
Red Hat Enterprise Linux 9	`kernel-rt`	Affected

Apply commands

bash fix

Apply RHSA-2024:7001 for Red Hat Enterprise Linux 8

yum update -y kernel-rt
# or:
dnf upgrade -y kernel-rt

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 9	`Affected`

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

AlmaLinux Fixed 1 release

Version	Status	Fixed in
8	Fixed	`kernel-abi-stablelists-4.18.0-553.22.1.el8_10.noarch.rpm`

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`6.9.9-1`
sid	Fixed	`6.9.9-1`
forky	Fixed	`6.9.9-1`
bullseye	Fixed	`5.10.223-1`
bookworm	Fixed	`6.1.106-1`

Red Hat Fixed 2 releases

Version	Status	Fixed in
9	Fixed	—
8	Fixed	—

Rocky Linux Fixed 1 release

Version	Status	Fixed in
8	Fixed	—

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.