In the Linux kernel, the following vulnerability has been resolved: ubifs:
ubifs_symlink: Fix memleak of inode->i_link in error path For error
handling path in ubifs_symlink(), inode will be marked as bad first, then
iput() is invoked. If inode->i_link is initialized by
fscrypt_encrypt_symlink() in encryption scenario, inode->i_link won’t be
freed by callchain ubifs_free_inode -> fscrypt_free_inode in error handling
path, because make_bad_inode() has changed ‘inode->i_mode’ as ‘S_IFREG’.
Following kmemleak is easy to be reproduced by injecting error in
ubifs_jnl_update() when doing symlink in encryption scenario: unreferenced
object 0xffff888103da3d98 (size 8): comm “ln”, pid 1692, jiffies 4294914701
(age 12.045s) backtrace: kmemdup+0x32/0x70
__fscrypt_encrypt_symlink+0xed/0x1c0 ubifs_symlink+0x210/0x300 [ubifs]
vfs_symlink+0x216/0x360 do_symlinkat+0x11a/0x190 do_syscall_64+0x3b/0xe0
There are two ways fixing it: 1. Remove make_bad_inode() in error handling
path. We can do that because ubifs_evict_inode() will do same processes for
good symlink inode and bad symlink inode, for inode->i_nlink checking is
before is_bad_inode(). 2. Free inode->i_link before marking inode bad.
Method 2 is picked, it has less influence, personally, I think.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < 6.8.0-35.35 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1009.9 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < any | UNKNOWN |
git.kernel.org/linus/6379b44cdcd67f5f5d986b73953e99700591edfa (6.9-rc1)
git.kernel.org/stable/c/62b5ae00c2b835639002ce898ccb5d82c51073ae
git.kernel.org/stable/c/6379b44cdcd67f5f5d986b73953e99700591edfa
launchpad.net/bugs/cve/CVE-2024-26972
nvd.nist.gov/vuln/detail/CVE-2024-26972
security-tracker.debian.org/tracker/CVE-2024-26972
ubuntu.com/security/notices/USN-6816-1
ubuntu.com/security/notices/USN-6817-1
ubuntu.com/security/notices/USN-6817-2
ubuntu.com/security/notices/USN-6817-3
ubuntu.com/security/notices/USN-6878-1
www.cve.org/CVERecord?id=CVE-2024-26972