Vulnerability title
filelock: Remove locks reliably when an fcntl/close race is detected
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:
filelock: Remove locks reliably when an fcntl/close race is detected
When fcntl_setlk() races with close(), it uses do_lock_file_wait() to remove the lock it has just created. However, Linux Security Modules (LSMs) may allow the first do_lock_file_wait() call that created the lock while denying the second do_lock_file_wait() call that tries to remove it. Separately, posix_lock_file() can also fail to remove the lock when a memory allocation fails (while splitting a range in the middle).
Once the bug has been triggered, a use-after-free read occurs in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but it cannot corrupt kernel memory.
The fix is to call locks_remove_posix() instead, which is designed to reliably get rid of the POSIX locks associated with the given file and files_struct and is also used by filp_flush().
CVSS information
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Vulnerability category
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Vulnerability title
filelock: Remove locks reliably when fcntl/close race is detected
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:
filelock: Remove locks reliably when fcntl/close race is detected
When fcntl_setlk() races with close(), it removes the created lock with
do_lock_file_wait().
However, LSMs can allow the first do_lock_file_wait() that created the lock
while denying the second do_lock_file_wait() that tries to remove the lock.
Separately, posix_lock_file() could also fail to
remove a lock due to GFP_KERNEL allocation failure (when splitting a range
in the middle).
After the bug has been triggered, use-after-free reads will occur in
lock_get_status() when userspace reads /proc/locks. This can likely be used
to read arbitrary kernel memory, but can't corrupt kernel memory.
Fix it by calling locks_remove_posix() instead, which is designed to
reliably get rid of POSIX locks associated with the given file and
files_struct and is also used by filp_flush().
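As an added example (my own code, not the kernel patch and not taken from the advisory), the following Linux C program shows the ownership rule that locks_remove_posix() is built around and how /proc/locks exposes lock state. It takes a POSIX write lock through one descriptor, then closes a different descriptor to the same file and checks from a child process that the lock is gone: the close path (filp_flush(), which calls locks_remove_posix()) removes every POSIX lock the process holds on that file, regardless of which descriptor took it. The program does not attempt to trigger the race, the LSM denial or the allocation failure. The function names (close_drops_posix_lock, locked_by_other_owner, count_my_proc_locks) and the scratch file under /tmp are my assumptions; it needs a writable /tmp, fork(), and a mounted /proc (the /proc/locks count is only printed, and is reported as -1 if the file cannot be read).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Probe from a separate process whether byte 0 of `path` is write-locked by
 * another owner. F_GETLK only reports conflicts with *other* owners, and the
 * owner of a POSIX lock is the process (its files_struct), so the probe must
 * run in a forked child with its own open() of the file.
 * Returns 1 = locked by another owner, 0 = free, -1 = probe failed.
 */
static int locked_by_other_owner(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open(path, O_RDWR);
        struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET,
                            .l_start = 0, .l_len = 1 };
        if (fd < 0 || fcntl(fd, F_GETLK, &fl) < 0)
            _exit(2);
        _exit(fl.l_type == F_UNLCK ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

/*
 * Count the POSIX lock records in /proc/locks that belong to this process and
 * to inode `ino`. lock_get_status() prints each record as
 *   "<id>: <type> <flags> <mode> <pid> <maj>:<min>:<inode> <start> <end>"
 * e.g. "1: POSIX  ADVISORY  WRITE 1234 08:01:5678 0 0". A lock left behind by
 * the race in the advisory would be listed here. Returns -1 if unreadable.
 */
static int count_my_proc_locks(ino_t ino)
{
    FILE *f = fopen("/proc/locks", "r");
    if (!f)
        return -1;
    char line[256], type[16], flags[16], mode[16];
    unsigned pid, maj, min;
    unsigned long inode;
    int count = 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%*d: %15s %15s %15s %u %x:%x:%lu",
                   type, flags, mode, &pid, &maj, &min, &inode) == 7 &&
            strcmp(type, "POSIX") == 0 &&
            pid == (unsigned)getpid() && inode == (unsigned long)ino)
            count++;
    }
    fclose(f);
    return count;
}

/*
 * Take a write lock on a constructed scratch file through fd1, then close an
 * unrelated second descriptor fd2 to the same file. Because the lock belongs
 * to the process rather than to fd1, closing fd2 runs filp_flush(), whose
 * locks_remove_posix() call drops the lock taken through fd1.
 * Returns 1 if the lock was dropped, 0 if it survived, -1 on setup error.
 */
int close_drops_posix_lock(void)
{
    char path[] = "/tmp/posixlock-XXXXXX";   /* constructed scratch file */
    int fd1 = mkstemp(path);
    if (fd1 < 0)
        return -1;
    int fd2 = open(path, O_RDWR);
    struct stat st;
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET,
                        .l_start = 0, .l_len = 1 };
    if (fd2 < 0 || fstat(fd1, &st) < 0 || fcntl(fd1, F_SETLK, &fl) < 0) {
        if (fd2 >= 0)
            close(fd2);
        close(fd1);
        unlink(path);
        return -1;
    }

    int before = locked_by_other_owner(path);            /* expected: 1 */
    printf("/proc/locks records before close(fd2): %d\n",
           count_my_proc_locks(st.st_ino));              /* expected: 1 */
    close(fd2);                                          /* not the locking fd */
    int after = locked_by_other_owner(path);             /* expected: 0 */
    printf("/proc/locks records after  close(fd2): %d\n",
           count_my_proc_locks(st.st_ino));              /* expected: 0 */

    close(fd1);
    unlink(path);
    if (before < 0 || after < 0)
        return -1;
    return (before == 1 && after == 0) ? 1 : 0;
}

int main(void)
{
    int r = close_drops_posix_lock();
    printf("close() of an unrelated fd dropped the POSIX lock: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "error");
    return r == 1 ? 0 : 1;
}
```

Build with `gcc -Wall -o posixlock posixlock.c` and run it as an unprivileged user. The point it makes about the fix: the buggy cleanup re-issued a lock request for the same range through do_lock_file_wait(), which an LSM could veto or which could fail to allocate, whereas locks_remove_posix() walks the file's lock list by owner (file plus files_struct) and is the same routine every close() already relies on, as the probe after close(fd2) shows.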
CVSS information
N/A
Vulnerability category
N/A
Vulnerability title
Linux kernel security vulnerability
Vulnerability description
The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel contains a security vulnerability that originates in the filelock module: when fcntl_setlk races with close, the kernel uses do_lock_file_wait to remove the lock it has just created, and that removal can fail (an LSM may deny it, or posix_lock_file may hit an allocation failure), leaving behind a lock record that is later read after being freed when /proc/locks is listed.
CVSS information
N/A
Vulnerability category
Other