Vulnerabilities > CVE-2024-49854 - Use After Free vulnerability in Linux Kernel
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for accessing waker_bfqq after splitting After commit 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()"), if the current procress is the last holder of bfqq, the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and then access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq may in the merge chain of bfqq, hence just recored waker_bfqq is still not safe. Fix the problem by adding a helper bfq_waker_bfqq() to check if bfqq->waker_bfqq is in the merge chain, and current procress is the only holder.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://git.kernel.org/stable/c/63a07379fdb6c72450cb05294461c6016b8b7726
- https://git.kernel.org/stable/c/de0456460f2abf921e356ed2bd8da87a376680bd
- https://git.kernel.org/stable/c/0780451f03bf518bc032a7c584de8f92e2d39d7f
- https://git.kernel.org/stable/c/0b8bda0ff17156cd3f60944527c9d8c9f99f1583
- https://git.kernel.org/stable/c/cae58d19121a70329cf971359e2518c93fec04fe
- https://git.kernel.org/stable/c/1ba0403ac6447f2d63914fb760c44a3b19c44eaf