Message ID | 20240401141919.34578-1-bethany.jamison@canonical.com |
---|---|
Series | CVE-2024-26622 |

On 4/1/24 8:19 AM, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> tomoyo: fix UAF write bug in tomoyo_write_control()
>
> Since tomoyo_write_control() updates head->write_buf when write()
> of long lines is requested, we need to fetch head->write_buf after
> head->io_sem is held. Otherwise, concurrent write() requests can
> cause use-after-free-write and double-free problems.
>
> [Fix]
>
> Mantic: Clean cherry-pick
> Jammy: M patch applied cleanly
> Focal: M patch applied cleanly
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not going to be fixed by us
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This affects those who use Tomoyo as a MAC, mandatory access control,
> issues could occur when writing to the tomoyo interface.
>
> Tetsuo Handa (1):
>   tomoyo: fix UAF write bug in tomoyo_write_control()
>
>  security/tomoyo/common.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 24/04/01 09:19AM, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> tomoyo: fix UAF write bug in tomoyo_write_control()
>
> Since tomoyo_write_control() updates head->write_buf when write()
> of long lines is requested, we need to fetch head->write_buf after
> head->io_sem is held. Otherwise, concurrent write() requests can
> cause use-after-free-write and double-free problems.
>
> [Fix]
>
> Mantic: Clean cherry-pick
> Jammy: M patch applied cleanly
> Focal: M patch applied cleanly
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not going to be fixed by us
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This affects those who use Tomoyo as a MAC, mandatory access control,
> issues could occur when writing to the tomoyo interface.
>
> Tetsuo Handa (1):
>   tomoyo: fix UAF write bug in tomoyo_write_control()
>
>  security/tomoyo/common.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com>

On 01/04/2024 16:19, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> tomoyo: fix UAF write bug in tomoyo_write_control()
>
> Since tomoyo_write_control() updates head->write_buf when write()
> of long lines is requested, we need to fetch head->write_buf after
> head->io_sem is held. Otherwise, concurrent write() requests can
> cause use-after-free-write and double-free problems.
>
> [Fix]
>
> Mantic: Clean cherry-pick
> Jammy: M patch applied cleanly
> Focal: M patch applied cleanly
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not going to be fixed by us
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This affects those who use Tomoyo as a MAC, mandatory access control,
> issues could occur when writing to the tomoyo interface.
>
> Tetsuo Handa (1):
>   tomoyo: fix UAF write bug in tomoyo_write_control()
>
>  security/tomoyo/common.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>

Applied to mantic, jammy, focal master-next branches. Thanks!
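
The ordering rule in the quoted commit message (fetch head->write_buf only after head->io_sem is held), shown as an added example that is not part of this thread or of the kernel patch: a deterministic, single-threaded user-space model in C. The struct, the function names and the generation counter standing in for the buffer pointer are all hypothetical, and the competing writer is a constructed interleaving rather than a real thread.

```c
#include <stdlib.h>

/* Hypothetical user-space model of the I/O head; not the kernel struct. */
struct io_head {
    int locked;        /* stands in for head->io_sem */
    char *write_buf;   /* replaced when a long line needs more room */
    size_t size;
    unsigned gen;      /* bumped each time write_buf is replaced */
};

/* A long-line write: allocate a bigger buffer and free the old one. */
static void grow_buf(struct io_head *h)
{
    char *nbuf = calloc(1, h->size * 2);
    if (!nbuf)
        abort();
    free(h->write_buf);
    h->write_buf = nbuf;
    h->size *= 2;
    h->gen++;
}

/* Returns 1 if the buffer snapshot is stale by the time it would be used.
 * `seen` models the local copy of head->write_buf via its generation. */
static int write_line(struct io_head *h, int fetch_after_lock, int rival)
{
    unsigned seen = h->gen;    /* racy order: snapshot before the lock */
    if (rival)                 /* constructed interleaving: a competing */
        grow_buf(h);           /* writer gets the lock first and grows */
    h->locked = 1;             /* now this writer holds the lock */
    if (fetch_after_lock)
        seen = h->gen;         /* fixed order: snapshot under the lock */
    int stale = (seen != h->gen);
    if (!stale)
        h->write_buf[0] = 'x'; /* safe: the snapshot is the live buffer */
    h->locked = 0;
    return stale;
}

/* One constructed scenario; returns 1 when a stale buffer would be used. */
int scenario(int fetch_after_lock, int rival)
{
    struct io_head h = { 0, calloc(1, 16), 16, 0 };
    if (!h.write_buf)
        abort();
    int stale = write_line(&h, fetch_after_lock, rival);
    free(h.write_buf);
    return stale;
}
```

The model never dereferences the stale snapshot; it only reports that the snapshot taken before the lock no longer matches the live buffer, which is the condition the commit message ties to the use-after-free write and double free.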