Executive Summary
| Informations | |||
|---|---|---|---|
| Name | CVE-2024-41070 | First vendor Publication | 2024-07-29 |
| Vendor | Cve | Last vendor Modification | 2024-11-21 |
Security-Database Scoring CVSS v3
| Cvss vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |||
|---|---|---|---|
| Overall CVSS Score | 7.8 | ||
| Base Score | 7.8 | Environmental Score | 7.8 |
| impact SubScore | 5.9 | Temporal Score | 7.8 |
| Exploitabality Sub Score | 1.8 | ||
| Attack Vector | Local | Attack Complexity | Low |
| Privileges Required | Low | User Interaction | None |
| Scope | Unchanged | Confidentiality Impact | High |
| Integrity Impact | High | Availability Impact | High |
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : | |||
|---|---|---|---|
| Cvss Base Score | N/A | Attack Range | N/A |
| Cvss Impact Score | N/A | Attack Complexity | N/A |
| Cvss Expoit Score | N/A | Authentication | N/A |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| In the Linux kernel, the following vulnerability has been resolved: KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group(). It looks up `stt` from tablefd, but then continues to use it after doing fdput() on the returned fd. After the fdput() the tablefd is free to be closed by another thread. The close calls kvm_spapr_tce_release() and then release_spapr_tce_table() (via call_rcu()) which frees `stt`. Although there are calls to rcu_read_lock() in kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent the UAF, because `stt` is used outside the locked regions. With an artifcial delay after the fdput() and a userspace program which triggers the race, KASAN detects the UAF: BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] Fix it by delaying the fdput() until `stt` is no longer in use, which is effectively the entire function. To keep the patch minimal add a call to fdput() at each of the existing return paths. Future work can convert the function to goto or __cleanup style cleanup. With the fix in place the test case no longer triggers the UAF. |
Original Source
| Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41070 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-416 | Use After Free |
CPE : Common Platform Enumeration
Sources (Detail)
Alert History
| Date | Informations |
|---|---|
| 2025-01-08 03:03:47 |
|
| 2025-01-07 03:03:20 |
|
| 2024-12-25 03:01:58 |
|
| 2024-12-12 03:04:55 |
|
| 2024-11-25 09:23:26 |
|
| 2024-11-22 21:22:40 |
|
| 2024-11-21 21:22:12 |
|
| 2024-11-20 02:58:33 |
|
| 2024-11-14 02:58:52 |
|
| 2024-11-09 02:58:52 |
|
| 2024-10-26 02:56:17 |
|
| 2024-10-25 02:58:11 |
|
| 2024-10-23 02:57:24 |
|
| 2024-10-03 02:52:44 |
|
| 2024-10-02 02:51:08 |
|
| 2024-09-15 02:48:53 |
|
| 2024-09-12 02:48:26 |
|
| 2024-09-07 02:47:25 |
|
| 2024-09-06 02:46:35 |
|
| 2024-09-04 02:49:48 |
|
| 2024-08-22 21:28:27 |
|
| 2024-07-29 21:27:27 |
|
