Information security experts: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2022-48988

Description

In the Linux kernel, the following vulnerability has been resolved:

memcg: fix possible use-after-free in memcg_write_event_control()

memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too.

Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it, allowing any file to slip through. With the invariants broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-frees.

Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type.

POC

Reference

No PoCs from references.

Github

- https://github.com/ARPSyndicate/cve-scores