Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-46738— VMCI: Fix use-after-free when removing resource in vmci_resource_remove()

EPSS 0.01% · P2
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-46738

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove().
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于内存释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux bc63dedb7d46a7d690c6b6edf69136b88af06cc6 ~ f6365931bf7c07b2b397dbb06a4f6573cc9fae73 -
LinuxLinux 3.9 -

II. Public POCs for CVE-2024-46738

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-46738

登录查看更多情报信息。

Same Patch Batch · Linux · 2024-09-18 · 85 CVEs total

CVE-2024-46770ice: Add netif_device_attach/detach into PF reset flow
CVE-2024-46781nilfs2: fix missing cleanup on rollforward recovery error
CVE-2024-46768hwmon: (hp-wmi-sensors) Check if WMI event data exists
CVE-2024-46769spi: intel: Add check devm_kasprintf() returned value
CVE-2024-46767net: phy: Fix missing of_node_put() for leds
CVE-2024-46765ice: protect XDP configuration with a mutex
CVE-2024-46763fou: Fix null-ptr-deref in GRO.
CVE-2024-46762xen: privcmd: Fix possible access to a freed kirqfd instance
CVE-2024-46761pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
CVE-2024-46764bpf: add check for invalid name in btf_name_valid_section()
CVE-2024-46771can: bcm: Remove proc entry when dev is unregistered.
CVE-2024-46772drm/amd/display: Check denominator crb_pipes before used
CVE-2024-46773drm/amd/display: Check denominator pbn_div before used
CVE-2024-46774powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
CVE-2024-46775drm/amd/display: Validate function returns
CVE-2024-46776drm/amd/display: Run DC_LOG_DC after checking link->link_enc
CVE-2024-46777udf: Avoid excessive partition lengths
CVE-2024-46778drm/amd/display: Check UnboundedRequestEnabled's value
CVE-2024-46779drm/imagination: Free pvr_vm_gpuva after unlink
CVE-2024-46780nilfs2: protect references to superblock parameters exposed in sysfs

Showing top 20 of 85 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2024-46738

No comments yet

Leave a comment