CVE-2024-50210

In the Linux kernel, the following vulnerability has been resolved: posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() If get_clock_desc() succeeds, it calls fget() for the clockid's fd, and get the clk->rwsem read lock, so the error path should release the lock to make the lock balance and fput the clockid's fd to make the refcount balance and release the fd related resource. However the below commit left the error path locked behind resulting in unbalanced locking. Check timespec64_valid_strict() before get_clock_desc() to fix it, because the "ts" is not changed after that. [pabeni@redhat.com: fixed commit message typo]
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15.169:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1.114:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6.58:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11.5:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*

History

19 Nov 2024, 16:26

Type Values Removed Values Added
CWE CWE-667
References () https://git.kernel.org/stable/c/1ba33b327c3f88a7baee598979d73ab5b44d41cc - () https://git.kernel.org/stable/c/1ba33b327c3f88a7baee598979d73ab5b44d41cc - Patch
References () https://git.kernel.org/stable/c/5f063bbf1ee6b01611c016b54e050a41506eb794 - () https://git.kernel.org/stable/c/5f063bbf1ee6b01611c016b54e050a41506eb794 - Patch
References () https://git.kernel.org/stable/c/6e62807c7fbb3c758d233018caf94dfea9c65dbd - () https://git.kernel.org/stable/c/6e62807c7fbb3c758d233018caf94dfea9c65dbd - Patch
References () https://git.kernel.org/stable/c/a8219446b95a859488feaade674d13f9efacfa32 - () https://git.kernel.org/stable/c/a8219446b95a859488feaade674d13f9efacfa32 - Patch
References () https://git.kernel.org/stable/c/b27330128eca25179637c1816d5a72d6cc408c66 - () https://git.kernel.org/stable/c/b27330128eca25179637c1816d5a72d6cc408c66 - Patch
References () https://git.kernel.org/stable/c/c7fcfdba35abc9f39b83080c2bce398dad13a943 - () https://git.kernel.org/stable/c/c7fcfdba35abc9f39b83080c2bce398dad13a943 - Patch
References () https://git.kernel.org/stable/c/d005400262ddaf1ca1666bbcd1acf42fe81d57ce - () https://git.kernel.org/stable/c/d005400262ddaf1ca1666bbcd1acf42fe81d57ce - Patch
References () https://git.kernel.org/stable/c/e56e0ec1b79f5a6272c6e78b36e9d593aa0449af - () https://git.kernel.org/stable/c/e56e0ec1b79f5a6272c6e78b36e9d593aa0449af - Patch
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11.5:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1.114:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6.58:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15.169:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
First Time Linux linux Kernel
Linux

08 Nov 2024, 16:15

Type Values Removed Values Added
References
  • () https://git.kernel.org/stable/c/a8219446b95a859488feaade674d13f9efacfa32 -
  • () https://git.kernel.org/stable/c/c7fcfdba35abc9f39b83080c2bce398dad13a943 -
  • () https://git.kernel.org/stable/c/d005400262ddaf1ca1666bbcd1acf42fe81d57ce -
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: posix-clock: posix-clock: Corregir bloqueo desequilibrado en pc_clock_settime() Si get_clock_desc() tiene éxito, llama a fget() para el fd del clockid y obtiene el bloqueo de lectura clk->rwsem, por lo que la ruta de error debería liberar el bloqueo para equilibrar el bloqueo y fput el fd del clockid para equilibrar el refcount y liberar el recurso relacionado con el fd. Sin embargo, la siguiente confirmación dejó la ruta de error bloqueada, lo que resultó en un bloqueo desequilibrado. Verifique timespec64_valid_strict() antes de get_clock_desc() para corregirlo, porque el "ts" no se cambia después de eso. [pabeni@redhat.com: se corrigió un error tipográfico en el mensaje de confirmación]

08 Nov 2024, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-08 06:15

Updated : 2024-11-19 16:26


NVD link : CVE-2024-50210

Mitre link : CVE-2024-50210

CVE.ORG link : CVE-2024-50210


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-667

Improper Locking