In the Linux kernel, the following vulnerability has been resolved: acct: perform last write from workqueue In [1] it was reported that the acct(2) system call can be used to trigger NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can e.g., happen when pointing acc(2) to /sys/power/resume. At the point the where the write to this file happens the calling task has already exited and called exit_fs(). A lookup will thus trigger a NULL-deref when accessing current->fs. Reorganize the code so that the the final write happens from the workqueue but with the caller's credentials. This preserves the (strange) permission model and has almost no regression risk. This api should stop to exist though.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: acct: realizar la última escritura desde workqueue En [1] se informó que la llamada al sistema acct(2) se puede usar para activar una desreferencia NULL en los casos en que está configurada para escribir en un archivo que activa una búsqueda interna. Esto puede ocurrir, por ejemplo, al apuntar acc(2) a /sys/power/resume. En el punto donde ocurre la escritura en este archivo, la tarea que realiza la llamada ya ha salido y ha llamado a exit_fs(). Por lo tanto, una búsqueda activará una desreferencia NULL al acceder a current->fs. Reorganice el código para que la escritura final ocurra desde workqueue pero con las credenciales del llamador. Esto preserva el (extraño) modelo de permisos y casi no tiene riesgo de regresión. Sin embargo, esta API debería dejar de existir.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-476
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary |
en
CWE-476
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc2a4800> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc2a4b80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b70376a80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b70376f40> | Operating System |
| linux | linux_kernel | 6.14 | <built-in method update of dict object at 0x702bfc2a6940> | Operating System |
| linux | linux_kernel | 6.14 | <built-in method update of dict object at 0x702bfc2a7b40> | Operating System |
| linux | linux_kernel | 6.14 | <built-in method update of dict object at 0x702bfc1311c0> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:* |