In the Linux kernel, the following vulnerability has been resolved: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_eventfd_do_signal() is invoked from an RCU callback, but when dropping the reference to the io_ev_fd, it calls io_eventfd_free() directly if the refcount drops to zero. This isn't correct, as any potential freeing of the io_ev_fd should be deferred another RCU grace period. Just call io_eventfd_put() rather than open-code the dec-and-test and free, which will correctly defer it another RCU grace period.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring/eventfd: garantizar que io_eventfd_signal() posponga otro período de RCU io_eventfd_do_signal() se invoca desde una devolución de llamada de RCU, pero al eliminar la referencia a io_ev_fd, llama a io_eventfd_free() directamente si El recuento cae a cero. Esto no es correcto, ya que cualquier posible liberación de io_ev_fd debería posponerse otro período de gracia de RCU. Simplemente llame a io_eventfd_put() en lugar de abrir el código dec-and-test y free, lo que lo diferirá correctamente a otro período de gracia de RCU.
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | HIGH |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-416
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd1298c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b70376e40> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc131a00> | Operating System |
| linux | linux_kernel | 6.13 | <built-in method update of dict object at 0x702c047dd780> | Operating System |
| linux | linux_kernel | 6.13 | <built-in method update of dict object at 0x702bdd128ec0> | Operating System |
| linux | linux_kernel | 6.13 | <built-in method update of dict object at 0x702bcc9b3340> | Operating System |
| linux | linux_kernel | 6.13 | <built-in method update of dict object at 0x702bcc9b0dc0> | Operating System |
| linux | linux_kernel | 6.13 | <built-in method update of dict object at 0x702b70375680> | Operating System |
| linux | linux_kernel | 6.13 | <built-in method update of dict object at 0x702bfc132e80> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:* |