7.8 CVE-2024-47701

Patch

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid OOB when system.data xattr changes underneath the filesystem When looking up for an entry in an inlined directory, if e_value_offs is changed underneath the filesystem by some change in the block device, it will lead to an out-of-bounds access that KASAN detects as an UAF. EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. loop0: detected capacity change from 2048 to 2047 ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103 CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697 __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573 ext4_lookup_entry fs/ext4/namei.c:1727 [inline] ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795 lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633 filename_create+0x297/0x540 fs/namei.c:3980 do_symlinkat+0xf9/0x3a0 fs/namei.c:4587 __do_sys_symlinkat fs/namei.c:4610 [inline] __se_sys_symlinkat fs/namei.c:4607 [inline] __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3e73ced469 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469 RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0 RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290 R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0 </TASK> Calling ext4_xattr_ibody_find right after reading the inode with ext4_get_inode_loc will lead to a check of the validity of the xattrs, avoiding this problem.
https://nvd.nist.gov/vuln/detail/CVE-2024-47701

Categories

CWE-416 : Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. If the product accesses a previously-freed pointer, then it means that a separate weakness or error already occurred previously, such as a race condition, an unexpected or poorly handled error condition, confusion over which part of the program is responsible for freeing the memory, performing the free too soon, etc. a pointer that no longer points to valid memory, often after it has been freed commonly used acronym for Use After Free Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Choose a language that provides automatic memory management. When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy. Chain: an operating system kernel has insufficent resource locking (CWE-413) leading to a use after free (CWE-416). Chain: two threads in a web browser use the same resource (CWE-366), but one of those threads can destroy the resource before the other has completed (CWE-416). Chain: mobile platform race condition (CWE-362) leading to use-after-free (CWE-416), as exploited in the wild per CISA KEV. Chain: race condition (CWE-362) leads to use-after-free (CWE-416), as exploited in the wild per CISA KEV. Use-after-free triggered by closing a connection while data is still being transmitted. Improper allocation for invalid data leads to use-after-free. certificate with a large number of Subject Alternate Names not properly handled in realloc, leading to use-after-free Timers are not disabled when a related object is deleted Access to a "dead" object that is being cleaned up object is deleted even with a non-zero reference count, and later accessed use-after-free involving request containing an invalid version number unload of an object that is currently being accessed by other functionality incorrectly tracking a reference count leads to use-after-free use-after-free related to use of uninitialized memory HTML document with incorrectly-nested tags Use after free in ActiveX object by providing a malformed argument to a method use-after-free by disconnecting during data transfer, or a message containing incorrect data types disconnect during a large data transfer causes incorrect reference count, leading to use-after-free use-after-free found by fuzzing Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416) realloc generates new buffer and pointer, but previous pointer is still retained, leading to use after free Use-after-free in web browser, probably resultant from not initializing memory. use-after-free when one thread accessed memory that was freed by another thread assignment of malformed values to certain properties triggers use after free mail server does not properly handle a long header. chain: integer overflow leads to use-after-free freed pointer dereference Chain: A multi-threaded race condition (CWE-367) allows attackers to cause two threads to process the same RPC request, which causes a use-after-free (CWE-416) in one thread

References

416baaa9-dc9f-4396-8d5f-8c081fb06d67 Patch

https://git.kernel.org/stable/c/2a6579ef5f2576a940125729f7409cc182f1c8df Patch
https://git.kernel.org/stable/c/371d0bacecd529f887ea2547333d9173e7bcdc0a Patch
https://git.kernel.org/stable/c/5b076d37e8d99918e9294bd6b35a8bbb436819b0
https://git.kernel.org/stable/c/7fc22c3b3ffc0e952f5e0062dd11aa6ae76affba Patch
https://git.kernel.org/stable/c/8adf0eb4e361a9e060d54f4bd0ac9c5d85277d20
https://git.kernel.org/stable/c/be2e9b111e2790962cc66a177869b4e9717b4e29 Patch
https://git.kernel.org/stable/c/c6b72f5d82b1017bad80f9ebf502832fc321d796 Patch
https://git.kernel.org/stable/c/ccb8c18076e2e630fea23fbec583cdad61787fc5 Patch
https://git.kernel.org/stable/c/ea32883e4a03ed575a2eb7a66542022312bde477 Patch

CPE

cpe	start	end
Configuration 1
cpe:2.3:o:linux:linux_kernel::::::::	>= 3.8	< 5.10.227
cpe:2.3:o:linux:linux_kernel::::::::	>= 5.11	< 5.15.168
cpe:2.3:o:linux:linux_kernel::::::::	>= 5.16	< 6.1.113
cpe:2.3:o:linux:linux_kernel::::::::	>= 6.2	< 6.6.54
cpe:2.3:o:linux:linux_kernel::::::::	>= 6.7	< 6.10.13
cpe:2.3:o:linux:linux_kernel::::::::	>= 6.11	< 6.11.2

REMEDIATION

Patch

Url
https://git.kernel.org/stable/c/2a6579ef5f2576a940125729f7409cc182f1c8df
https://git.kernel.org/stable/c/371d0bacecd529f887ea2547333d9173e7bcdc0a
https://git.kernel.org/stable/c/7fc22c3b3ffc0e952f5e0062dd11aa6ae76affba
https://git.kernel.org/stable/c/be2e9b111e2790962cc66a177869b4e9717b4e29
https://git.kernel.org/stable/c/c6b72f5d82b1017bad80f9ebf502832fc321d796
https://git.kernel.org/stable/c/ccb8c18076e2e630fea23fbec583cdad61787fc5
https://git.kernel.org/stable/c/ea32883e4a03ed575a2eb7a66542022312bde477

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
No entry

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee