Bug 2225569 (CVE-2024-1312)

Summary:	CVE-2024-1312 kernel: Race condition leads to use after free during VMA lock in lock_vma_under_rcu
Product:	[Other] Security Response	Reporter:	Pedro Sampaio <psampaio>
Component:	vulnerability	Assignee:	Nobody <nobody>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	acaringi, ajmitchell, allarkin, anprice, aquini, bhu, chwhite, crwood, cye, cyin, dbohanno, ddepaula, debarbos, dfreiber, drow, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, llong, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, qzhao, rogbas, rparrazo, rrobaina, rvrbovsk, scweaver, security-response-team, sukulkar, tglozar, vkumar, walters, wcosta, williams, wmealing, ycote, ykopkova, ymankad, zhijwang
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	kernel 6.5-rc4	Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free flaw was found in the Linux kernel's Memory Management subsystem when a user wins two races at the same time with a fail in the mas_prev_slot function. This issue could allow a local user to crash the system.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2225582, 2225583, 2230004, 2230005, 2230006, 2230007, 2230008, 2230009, 2263204
Bug Blocks:	2225571

Description Pedro Sampaio 2023-07-25 13:59:17 UTC

A race condition during lock_vma_under_rcu() may lead to a use after free issue.

Comment 9 Alex 2024-02-07 14:51:56 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2263204]

Comment 10 Justin M. Forbes 2024-02-07 22:10:23 UTC

This was fixed for Fedora with the 6.4.10 stable kernel updates