Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
rtmutex: Use waiter::task instead of current in remove_waiter()
remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue().
In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems:
-
the rbtree dequeue happens without waiter::task::pi_lock being held
-
the waiter task’s pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around.
-
rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task
Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems.
[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ]
Details
- Affected product:
- AlmaLinux 9.2 ESU , CentOS 6 ELS , CentOS 7 ELS , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , CloudLinux 7 ELS , Oracle Linux 6 ELS , Oracle Linux 7 ELS , RHEL 7 ELS , TuxCare 9.6 ESU , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS , Ubuntu 20.04 ELS
- Affected packages:
- linux-hwe @ 4.15.0 (+15 more)
In the Linux kernel, the following vulnerability has been resolved:
rtmutex: Use waiter::task instead of current in remove_waiter()
remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue().
In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems:
-
the rbtree dequeue happens without waiter::task::pi_lock being held
-
the waiter task’s pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around.
-
rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task
Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems.
[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ]
Fixes
KernelCare state
Live-patch status from KernelCare for each operating system.
| Operating system | Status | Covered kernels |
|---|---|---|
| AlmaLinux 8 | In Rollout |
113 kernels
|
| AlmaLinux 9 | In Rollout |
113 kernels
|
| Amazon Linux 2023 | Planned | — |
| CentOS 8 | In Rollout |
21 kernels
|
| Debian 12 | Planned | — |
| Debian 13 | Released |
5 kernels
|
| Oracle Linux 7 UEK 6 | Planned | — |
| Oracle Linux 8 UEK 6 | Planned | — |
| Oracle Linux 8 UEK 7 | Planned | — |
| Oracle Linux 9 UEK 7 | Planned | — |
| RHEL 8 | In Rollout |
117 kernels
|
| RHEL 9 | In Rollout |
111 kernels
|
| Rocky Linux 8 | In Rollout |
94 kernels
|
| Rocky Linux 9 | In Rollout |
89 kernels
|
| Ubuntu 24.04 | In Rollout |
46 kernels
|