Bug 2324319 (CVE-2024-50165) - CVE-2024-50165 kernel: bpf: Preserve param->string when parsing mount options
Summary: CVE-2024-50165 kernel: bpf: Preserve param->string when parsing mount options
Keywords:
Status: NEW
Alias: CVE-2024-50165
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2324398
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-11-07 10:01 UTC by OSIDB Bzimport
Modified: 2024-11-18 11:38 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2024-11-07 10:01:36 UTC 
In the Linux kernel, the following vulnerability has been resolved:

bpf: Preserve param->string when parsing mount options

In bpf_parse_param(), keep the value of param->string intact so it can
be freed later. Otherwise, the kmalloc area pointed to by param->string
will be leaked as shown below:

unreferenced object 0xffff888118c46d20 (size 8):
  comm "new_name", pid 12109, jiffies 4295580214
  hex dump (first 8 bytes):
    61 6e 79 00 38 c9 5c 7e                          any.8.\~
  backtrace (crc e1b7f876):
    [<00000000c6848ac7>] kmemleak_alloc+0x4b/0x80
    [<00000000de9f7d00>] __kmalloc_node_track_caller_noprof+0x36e/0x4a0
    [<000000003e29b886>] memdup_user+0x32/0xa0
    [<0000000007248326>] strndup_user+0x46/0x60
    [<0000000035b3dd29>] __x64_sys_fsconfig+0x368/0x3d0
    [<0000000018657927>] x64_sys_call+0xff/0x9f0
    [<00000000c0cabc95>] do_syscall_64+0x3b/0xc0
    [<000000002f331597>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
Comment 1 Robb Gatica 2024-11-07 16:20:04 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024110748-CVE-2024-50165-5e80@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.