CVE-2024-53143

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 07/12/2024
Last modified: 24/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

fsnotify: Fix ordering of iput() and watched_objects decrement

Ensure the superblock is kept alive until we're done with iput(). Holding a reference to an inode is not allowed unless we ensure the superblock stays alive, which fsnotify does by keeping the watched_objects count elevated, so iput() must happen before the watched_objects decrement.
This can lead to a UAF of something like sb->s_fs_info in tmpfs, but the UAF is hard to hit because race orderings that oops are more likely, thanks to the CHECK_DATA_CORRUPTION() block in generic_shutdown_super().

Also, ensure that fsnotify_put_sb_watched_objects() doesn't call fsnotify_sb_watched_objects() on a superblock that may have already been freed, which would cause a UAF read of sb->s_fsnotify_info.
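The ordering rule in the description can be seen in a small userspace model. This is an added example, not kernel code and not the upstream patch. It assumes the race always takes its worst-case interleaving (an unmount is already waiting on the count), and every `model_` name and `detach_is_safe()` is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model constructed for this example; not kernel code. */
struct model_sb {
    long watched_objects; /* stands in for the fsnotify watched_objects count */
    bool unmount_waiting; /* an unmount is waiting for the count to reach zero */
    bool freed;           /* set instead of calling free(), so the model is safe to run */
};
struct model_inode { struct model_sb *sb; int refcount; };

/* Decrement the count; a waiting unmount may tear the superblock down at once. */
static void model_put_watched_objects(struct model_sb *sb)
{
    if (--sb->watched_objects == 0 && sb->unmount_waiting)
        sb->freed = true;
}

/* Stand-in for iput(): returns false if it would touch a freed superblock. */
static bool model_iput(struct model_inode *inode)
{
    if (inode->sb->freed)
        return false; /* in the kernel this access would be the use-after-free */
    inode->refcount--;
    return true;
}

/* Run one detach with a concurrent unmount pending; true means no UAF. */
bool detach_is_safe(bool iput_first)
{
    struct model_sb sb = { .watched_objects = 1, .unmount_waiting = true };
    struct model_inode inode = { .sb = &sb, .refcount = 1 };
    bool ok;

    if (iput_first) {                 /* ordering after the fix */
        ok = model_iput(&inode);      /* elevated count still pins sb */
        model_put_watched_objects(&sb);
    } else {                          /* ordering before the fix */
        model_put_watched_objects(&sb);
        ok = model_iput(&inode);      /* sb may already be gone */
    }
    return ok;
}

int main(void)
{
    printf("decrement first: %s\n", detach_is_safe(false) ? "safe" : "UAF");
    printf("iput first:      %s\n", detach_is_safe(true) ? "safe" : "UAF");
    return 0;
}
```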

Vulnerable products and versions

| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.10 (including) | 6.11.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12 (including) | 6.12.2 (excluding) |