In the Linux kernel, the following vulnerability has been resolved:
ceph: prevent use-after-free in encode_cap_msg()
In fs/ceph/caps.c, in encode_cap_msg(), a "use after free" error was caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This implies that before the refcount could be incremented here, the buffer had already been freed.
In the same file, in handle_cap_grant(), the refcount is decremented by this line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race occurred and the resource was freed by the latter line before the former line could increment it.
encode_cap_msg() is called by __send_cap(), and __send_cap() is called by ceph_check_caps() after calling __prep_cap(). __prep_cap() is where arg->xattr_buf is assigned from ci->i_xattrs.blob. This is the spot where the refcount must be increased to prevent the "use after free" error: the reference has to be taken while the blob pointer is still protected, not later in encode_cap_msg() after the lock has been dropped and handle_cap_grant() may have already released it. (The signature entries below list both __prep_cap() and __send_cap() in fs/ceph/caps.c as the patched functions, i.e. the reference taken in __prep_cap() must be balanced by a matching put in __send_cap().)
{ "vanir_signatures": [ { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ae20db45e482303a20e56f2db667a9d9c54ac7e7", "deprecated": false, "id": "CVE-2024-26689-0973e8d4", "signature_type": "Function", "digest": { "length": 684.0, "function_hash": "38832955144698985046415050324201306885" }, "target": { "file": "fs/ceph/caps.c", "function": "__send_cap" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ae20db45e482303a20e56f2db667a9d9c54ac7e7", "deprecated": false, "id": "CVE-2024-26689-15aba247", "signature_type": "Function", "digest": { "length": 2967.0, "function_hash": "217791991274308531506753705085796834151" }, "target": { "file": "fs/ceph/caps.c", "function": "__prep_cap" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8180d0c27b93a6eb60da1b08ea079e3926328214", "deprecated": false, "id": "CVE-2024-26689-207a13f1", "signature_type": "Function", "digest": { "length": 676.0, "function_hash": "300998717688025842414891886565651659955" }, "target": { "file": "fs/ceph/caps.c", "function": "__send_cap" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@70e329b440762390258a6fe8c0de93c9fdd56c77", "deprecated": false, "id": "CVE-2024-26689-57d29870", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "125845171184104023297948580897757459448", "88593211521604431104965211041053555810", "330254950382300845380494726991328010603", "182977469925248548904924655115104730588", "102735806711103069856966347880812337562", "130558338084729479990851055019103018993", "82357746409475515838761876435232635918", "268611372433437284119369339534229010395" ] }, "target": { "file": "fs/ceph/caps.c" } }, { "signature_version": "v1", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc", "deprecated": false, "id": "CVE-2024-26689-59d8581b", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "125845171184104023297948580897757459448", "88593211521604431104965211041053555810", "330254950382300845380494726991328010603", "182977469925248548904924655115104730588", "102735806711103069856966347880812337562", "130558338084729479990851055019103018993", "82357746409475515838761876435232635918", "268611372433437284119369339534229010395" ] }, "target": { "file": "fs/ceph/caps.c" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f3f98d7d84b31828004545e29fd7262b9f444139", "deprecated": false, "id": "CVE-2024-26689-5e329278", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "125845171184104023297948580897757459448", "88593211521604431104965211041053555810", "330254950382300845380494726991328010603", "182977469925248548904924655115104730588", "102735806711103069856966347880812337562", "130558338084729479990851055019103018993", "82357746409475515838761876435232635918", "268611372433437284119369339534229010395" ] }, "target": { "file": "fs/ceph/caps.c" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f3f98d7d84b31828004545e29fd7262b9f444139", "deprecated": false, "id": "CVE-2024-26689-614d28e6", "signature_type": "Function", "digest": { "length": 678.0, "function_hash": "332984057994621995728120381663342539146" }, "target": { "file": "fs/ceph/caps.c", "function": "__send_cap" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8180d0c27b93a6eb60da1b08ea079e3926328214", "deprecated": false, "id": "CVE-2024-26689-65cf24ec", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "125845171184104023297948580897757459448", 
"88593211521604431104965211041053555810", "330254950382300845380494726991328010603", "182977469925248548904924655115104730588", "102735806711103069856966347880812337562", "130558338084729479990851055019103018993", "82357746409475515838761876435232635918", "268611372433437284119369339534229010395" ] }, "target": { "file": "fs/ceph/caps.c" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc", "deprecated": false, "id": "CVE-2024-26689-780b8dde", "signature_type": "Function", "digest": { "length": 735.0, "function_hash": "18351799565844566121933255021692517085" }, "target": { "file": "fs/ceph/caps.c", "function": "__send_cap" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cda4672da1c26835dcbd7aec2bfed954eda9b5ef", "deprecated": false, "id": "CVE-2024-26689-795188cd", "signature_type": "Function", "digest": { "length": 735.0, "function_hash": "18351799565844566121933255021692517085" }, "target": { "file": "fs/ceph/caps.c", "function": "__send_cap" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@70e329b440762390258a6fe8c0de93c9fdd56c77", "deprecated": false, "id": "CVE-2024-26689-92603741", "signature_type": "Function", "digest": { "length": 676.0, "function_hash": "300998717688025842414891886565651659955" }, "target": { "file": "fs/ceph/caps.c", "function": "__send_cap" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@70e329b440762390258a6fe8c0de93c9fdd56c77", "deprecated": false, "id": "CVE-2024-26689-9af410a7", "signature_type": "Function", "digest": { "length": 2519.0, "function_hash": "100252752192262183698135606099311901572" }, "target": { "file": "fs/ceph/caps.c", "function": "__prep_cap" } }, { "signature_version": "v1", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8180d0c27b93a6eb60da1b08ea079e3926328214", "deprecated": false, "id": "CVE-2024-26689-9d05e93d", "signature_type": "Function", "digest": { "length": 2516.0, "function_hash": "84383238211535446383142013805037855848" }, "target": { "file": "fs/ceph/caps.c", "function": "__prep_cap" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cda4672da1c26835dcbd7aec2bfed954eda9b5ef", "deprecated": false, "id": "CVE-2024-26689-c17e4ba2", "signature_type": "Function", "digest": { "length": 3025.0, "function_hash": "127219163002864556629174415983834185438" }, "target": { "file": "fs/ceph/caps.c", "function": "__prep_cap" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ae20db45e482303a20e56f2db667a9d9c54ac7e7", "deprecated": false, "id": "CVE-2024-26689-d350f3cb", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "125845171184104023297948580897757459448", "88593211521604431104965211041053555810", "330254950382300845380494726991328010603", "182977469925248548904924655115104730588", "102735806711103069856966347880812337562", "130558338084729479990851055019103018993", "82357746409475515838761876435232635918", "268611372433437284119369339534229010395" ] }, "target": { "file": "fs/ceph/caps.c" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f3f98d7d84b31828004545e29fd7262b9f444139", "deprecated": false, "id": "CVE-2024-26689-e4465374", "signature_type": "Function", "digest": { "length": 2521.0, "function_hash": "54929545104095821711269474564631200728" }, "target": { "file": "fs/ceph/caps.c", "function": "__prep_cap" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc", "deprecated": false, "id": "CVE-2024-26689-e5f30d9e", 
"signature_type": "Function", "digest": { "length": 3025.0, "function_hash": "127219163002864556629174415983834185438" }, "target": { "file": "fs/ceph/caps.c", "function": "__prep_cap" } }, { "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cda4672da1c26835dcbd7aec2bfed954eda9b5ef", "deprecated": false, "id": "CVE-2024-26689-ee1db903", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "125845171184104023297948580897757459448", "88593211521604431104965211041053555810", "330254950382300845380494726991328010603", "182977469925248548904924655115104730588", "102735806711103069856966347880812337562", "130558338084729479990851055019103018993", "82357746409475515838761876435232635918", "268611372433437284119369339534229010395" ] }, "target": { "file": "fs/ceph/caps.c" } } ] }