CVE-2024-49854 Information

Nov 01, 2024 cve

Description

In the Linux kernel the following vulnerability has been resolved:

block bfq: fix uaf for accessing waker_bfqq after splitting

After commit 42c306ed7233 (lock bfq: don’t break merge chain in bfq_split_bfqq()) if the current procress is the last holder of bfqq the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and then access bfqq->waker_bfqq may trigger UAF. What’s more the waker_bfqq may in the merge chain of bfqq hence just recored waker_bfqq is still not safe.

Fix the problem by adding a helper bfq_waker_bfqq() to check if bfqq->waker_bfqq is in the merge chain and current procress is the only holder.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://git.kernel.org/stable/c/63a07379fdb6c72450cb05294461c6016b8b7726 https://git.kernel.org/stable/c/de0456460f2abf921e356ed2bd8da87a376680bd https://git.kernel.org/stable/c/0780451f03bf518bc032a7c584de8f92e2d39d7f https://git.kernel.org/stable/c/0b8bda0ff17156cd3f60944527c9d8c9f99f1583 https://git.kernel.org/stable/c/cae58d19121a70329cf971359e2518c93fec04fe https://git.kernel.org/stable/c/1ba0403ac6447f2d63914fb760c44a3b19c44eaf

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.8

Share on: