Description
In the Linux kernel, the following vulnerability has been resolved: ceph: avoid putting the realm twice when decoding snaps fails. When decoding the snaps fails, it may leave 'first_realm' and 'realm' pointing to the same snaprealm memory. It will then put that realm twice, which can cause random use-after-free, BUG_ON and other issues.
Report
A logic error in ceph_update_snap_trace() may lead to a use-after-free condition when decoding snapshots: if first_realm and realm point to the same object, it is released twice. This may result in kernel memory corruption or a crash via BUG_ON, and is potentially exploitable for privilege escalation or information disclosure.

The vulnerability can be triggered by a local, unprivileged user with access to a mounted CephFS; no elevated privileges or user interaction are required. During normal file system operations on such a mount, a malformed snapshot trace received from the MDS can reach the faulty error path and cause the double release, which opens the possibility of a use-after-free, potentially allowing memory corruption, a kernel panic, or even privilege escalation. Given the low privilege requirements and the potential for kernel memory corruption, this issue should be considered Important.

Fixed in Red Hat Enterprise Linux 8 starting from 8.4 and in all versions of Red Hat Enterprise Linux 9 and later.
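The following is an added illustration of the defect class the report describes, not code from the Linux kernel or from Red Hat. It uses a toy reference-counted object and constructed names (realm_get, realm_put, decode_snaps_buggy, decode_snaps_fixed) in place of the real snaprealm code and ceph_put_snap_realm(); the exact kernel change is not reproduced here. The point it shows is the one the advisory makes: when the error path puts both first_realm and realm while they alias the same object, the object is released twice, and the fix is to make exactly one pointer own the reference before the cleanup runs.

```c
/* Constructed example: double put of an aliased refcounted object (buggy vs. fixed cleanup). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct snap_realm {
    int refcount; /* toy refcount; a freshly looked-up realm holds 1 */
    int releases; /* how many times the object was "freed"; must never exceed 1 */
};

static struct snap_realm *realm_get(struct snap_realm *r)
{
    r->refcount++;
    return r;
}

/* Toy put: records a release instead of freeing, so a double put is observable, not a crash. */
static bool realm_put(struct snap_realm *r)
{
    if (r->refcount <= 0) {   /* put on an already-released object: the bug */
        r->releases++;
        return false;
    }
    if (--r->refcount == 0) { /* last reference dropped: the single legitimate release */
        r->releases++;
        return true;
    }
    return false;
}

/* Buggy shape: first_realm aliases realm without its own reference, and the error path puts both. */
static int decode_snaps_buggy(struct snap_realm *looked_up, bool decode_fails)
{
    struct snap_realm *first_realm = NULL;
    struct snap_realm *realm = looked_up; /* owns the single reference */

    if (!first_realm)
        first_realm = realm;              /* alias, no extra reference taken */
    if (decode_fails)
        goto fail;
    realm_put(first_realm);               /* success path: one put, as intended */
    return 0;
fail:
    if (realm)
        realm_put(realm);
    if (first_realm)
        realm_put(first_realm);           /* second put on the same object */
    return -1;
}

/* Fixed shape: ownership moves to first_realm and realm is cleared, so only one pointer is put. */
static int decode_snaps_fixed(struct snap_realm *looked_up, bool decode_fails)
{
    struct snap_realm *first_realm = NULL;
    struct snap_realm *realm = looked_up;

    if (!first_realm) {
        first_realm = realm;
        realm = NULL;                     /* the reference now belongs to first_realm only */
    }
    if (decode_fails)
        goto fail;
    realm_put(first_realm);
    return 0;
fail:
    if (realm)
        realm_put(realm);                 /* skipped: realm no longer owns anything */
    if (first_realm)
        realm_put(first_realm);           /* exactly one release */
    return -1;
}

/* Runs the failing decode against a fresh object and returns how many times it was released. */
int releases_after_failure(bool fixed)
{
    struct snap_realm obj = { .refcount = 1, .releases = 0 };
    if (fixed)
        decode_snaps_fixed(&obj, true);
    else
        decode_snaps_buggy(&obj, true);
    return obj.releases;
}

int main(void)
{
    (void)realm_get; /* kept for symmetry with realm_put; unused in this scenario */
    printf("buggy cleanup releases the realm %d time(s)\n", releases_after_failure(false));
    printf("fixed cleanup releases the realm %d time(s)\n", releases_after_failure(true));
    return 0;
}
```

In the real kernel the second put would return memory to the allocator while another holder still references it, which is where the use-after-free and BUG_ON outcomes in the description come from; the toy counter makes the same ownership mistake visible without crashing.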
Mitigation
To mitigate this issue, prevent the ceph kernel module from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Not affected | ||
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Out of support scope | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Out of support scope | ||
| Red Hat Enterprise Linux 8 | kernel | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Not affected | ||
Additional information
Status:
EPSS:
CVSS3: 7.8 High