Описание
The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
The mq_notify function in the GNU C Library (aka glibc) has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
Отчет
In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug:
- The program call to mq_notify needs to be controlled by the attacker
- The program must provide attributes to control creation of the notification thread in mq_notify
- The program must have the race condition where it may potentially destroy the notification thread attributes before the notification thread is created
- The program must set CPU affinity of the notification thread to actually cause the use-after-free dereference There are no known applications that have all these pre-requisites.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | compat-glibc | Out of support scope | ||
| Red Hat Enterprise Linux 6 | glibc | Out of support scope | ||
| Red Hat Enterprise Linux 7 | compat-glibc | Out of support scope | ||
| Red Hat Enterprise Linux 7 | glibc | Out of support scope | ||
| Red Hat Enterprise Linux 9 | glibc | Not affected | ||
| Red Hat Enterprise Linux 8 | glibc | Fixed | RHSA-2021:4358 | 09.11.2021 |
| Red Hat Enterprise Linux 8 | glibc | Fixed | RHSA-2021:4358 | 09.11.2021 |
Показывать по
Дополнительная информация
Статус:
5.9 Medium
CVSS3
Связанные уязвимости
The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
The mq_notify function in the GNU C Library (aka glibc) versions 2.32 ...
5.9 Medium
CVSS3