Use After Free Affecting kernel-rt-debug-modules-core package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RHEL9-KERNELRTDEBUGMODULESCORE-8256477
- published23 Oct 2024
- disclosed21 Oct 2024
Introduced: 21 Oct 2024
CVE-2024-49883 (opens in a new tab)How to fix?
There is no fixed version for RHEL:9 kernel-rt-debug-modules-core.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-rt-debug-modules-core package and not the kernel-rt-debug-modules-core package as distributed by RHEL.
See How to fix? for RHEL:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
ext4: aovid use-after-free in ext4_ext_insert_extent()
As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and cause UAF. Below is a sample trace with dummy values:
ext4_ext_insert_extent path = *ppath = 2000 ext4_ext_create_new_leaf(ppath) ext4_find_extent(ppath) path = *ppath = 2000 if (depth > path[0].p_maxdepth) kfree(path = 2000); *ppath = path = NULL; path = kcalloc() = 3000 ppath = 3000; return path; / here path is still 2000, UAF! */ eh = path[depth].p_hdr
================================================================== BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330 Read of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179 CPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866 Call Trace: <TASK> ext4_ext_insert_extent+0x26d4/0x3330 ext4_ext_map_blocks+0xe22/0x2d40 ext4_map_blocks+0x71e/0x1700 ext4_do_writepages+0x1290/0x2800 [...]
Allocated by task 179: ext4_find_extent+0x81c/0x1f70 ext4_ext_map_blocks+0x146/0x2d40 ext4_map_blocks+0x71e/0x1700 ext4_do_writepages+0x1290/0x2800 ext4_writepages+0x26d/0x4e0 do_writepages+0x175/0x700 [...]
Freed by task 179: kfree+0xcb/0x240 ext4_find_extent+0x7c0/0x1f70 ext4_ext_insert_extent+0xa26/0x3330 ext4_ext_map_blocks+0xe22/0x2d40 ext4_map_blocks+0x71e/0x1700 ext4_do_writepages+0x1290/0x2800 ext4_writepages+0x26d/0x4e0 do_writepages+0x175/0x700 [...]
So use *ppath to update the path to avoid the above problem.
References
- https://access.redhat.com/security/cve/CVE-2024-49883
- https://git.kernel.org/stable/c/51db04892a993cace63415be99848970a0f15ef2
- https://git.kernel.org/stable/c/5e811066c5ab709b070659197dccfb80ab650ddd
- https://git.kernel.org/stable/c/8162ee5d94b8c0351be0a9321be134872a7654a1
- https://git.kernel.org/stable/c/9df59009dfc6d9fc1bd9ddf6c5ab6e56d6ed887a
- https://git.kernel.org/stable/c/a164f3a432aae62ca23d03e6d926b122ee5b860d
- https://git.kernel.org/stable/c/beb7b66fb489041c50c6473100b383f7a51648fc
- https://git.kernel.org/stable/c/bfed082ce4b1ce6349b05c09a0fa4f3da35ecb1b
- https://git.kernel.org/stable/c/975ca06f3fd154c5f7742083e7b2574c57d1c0c3
- https://git.kernel.org/stable/c/e17ebe4fdd7665c93ae9459ba40fcdfb76769ac1