CVE-2024-46738

Source
https://cve.org/CVERecord?id=CVE-2024-46738
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-46738.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-46738
Published
2024-09-18T07:12:00.131Z
Modified
2026-03-11T07:52:20.056892Z
Summary
VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
Details

In the Linux kernel, the following vulnerability has been resolved:

VMCI: Fix use-after-free when removing resource in vmci_resource_remove()

When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields.

It is possible though to create two resources with different types but same handle (same context and resource fields).

When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability.

BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592

Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
 kasan_report+0x38/0x51 mm/kasan/report.c:442
 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
 vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
 kref_put include/linux/kref.h:65 [inline]
 vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
 vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
 vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
 __fput+0x261/0xa34 fs/file_table.c:282
 task_work_run+0xf0/0x194 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
 syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x6e/0x0

This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove().
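As an added example (not the kernel's code and not part of this record), a small C model of the lookup the commit message describes: the same table is searched by handle only, then by handle and type, on two entries that share a handle. The resource names, handle values and table layout are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the lookup in vmci_resource_remove(): an entry is
 * identified by a handle (context, resource) and carries a type. This is
 * not the kernel's code; names and values are assumptions for illustration. */
enum res_type { RES_QPAIR = 0, RES_DATAGRAM = 1 };
struct handle { uint32_t context; uint32_t resource; };
/* in_table models whether the entry is still linked in the resource table */
struct resource { struct handle h; enum res_type type; bool in_table; };

static bool handle_is_equal(struct handle a, struct handle b)
{
    return a.context == b.context && a.resource == b.resource;
}

/* check_type == false: the pre-fix lookup, comparing the handle only, so with
 * two entries sharing a handle the first match is unlinked whatever its type.
 * check_type == true: the fixed lookup, where the type must also match. */
static struct resource *table_remove(struct resource *tbl, size_t n,
                                     struct handle h, enum res_type type,
                                     bool check_type)
{
    for (size_t i = 0; i < n; i++) {
        if (!tbl[i].in_table || !handle_is_equal(tbl[i].h, h))
            continue;
        if (check_type && tbl[i].type != type)
            continue;
        tbl[i].in_table = false;
        return &tbl[i];
    }
    return NULL;
}

/* Scenario from the advisory: two resources with the same handle but different
 * types; the caller destroys the datagram and frees that object regardless of
 * which entry was unlinked. Returns true when the table still references the
 * freed datagram, the dangling pointer KASAN later reports as a use-after-free. */
bool freed_entry_still_in_table(bool check_type)
{
    struct resource tbl[2] = {
        { { 7, 42 }, RES_QPAIR, true },     /* registered first */
        { { 7, 42 }, RES_DATAGRAM, true },  /* same handle, other type */
    };
    struct resource *datagram = &tbl[1];
    table_remove(tbl, 2, datagram->h, RES_DATAGRAM, check_type);
    return datagram->in_table;  /* true means the freed object is still linked */
}
```

With the handle-only lookup the queue-pair entry is unlinked instead and the freed datagram stays in the table; with the type check the intended entry is removed.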

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46738.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bc63dedb7d46a7d690c6b6edf69136b88af06cc6
Fixed
f6365931bf7c07b2b397dbb06a4f6573cc9fae73
Fixed
b243d52b5f6f59f9d39e69b191fb3d58b94a43b1
Fixed
6c563a29857aa8053b67ee141191f69757f27f6e
Fixed
ef5f4d0c5ee22d4f873116fec844ff6edaf3fa7d
Fixed
b9efdf333174468651be40390cbc79c9f55d9cce
Fixed
39e7e593418ccdbd151f2925fa6be1a616d16c96
Fixed
00fe5292f081f8d773e572df8e03bf6e1855fe49
Fixed
48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-46738.json"