CVE-2024-46738

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 18/09/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

VMCI: Fix use-after-free when removing resource in vmci_resource_remove()

When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields.

It is possible though to create two resources with different types but the same handle (same context and resource fields).

When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed, as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource, leading to a use-after-free vulnerability.

BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592
Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
__kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
kasan_report+0x38/0x51 mm/kasan/report.c:442
vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
kref_put include/linux/kref.h:65 [inline]
vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
__fput+0x261/0xa34 fs/file_table.c:282
task_work_run+0xf0/0x194 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
__syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x6e/0x0

This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove().

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.9 (including) 4.19.322 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.284 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.226 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.10.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*