Headline
CVE-2022-21504: fs: move filp_close() outside of __close_fd_get_file() · oracle/linux-uek@49c68f5
The code in UEK6 U3 was missing an appropiate file descriptor count to be missing. This resulted in a use count error that allowed a file descriptor to a socket to be closed and freed while it was still in use by another portion of the kernel. An attack with local access can operate on the socket, and cause a denial of service. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Permalink
Browse files
fs: move filp_close() outside of __close_fd_get_file()
Just one caller of this, and just use filp_close() there manually. This is important to allow async close/removal of the fd.
Signed-off-by: Jens Axboe [email protected] (cherry picked from commit 6e802a4) Conflicts: drivers/android/binder.c: no real conflict but code base difference Orabug: 33413846 Signed-off-by: Prasad Singamsetty [email protected] Reviewed-by: Himanshu Madhani [email protected] Signed-off-by: Brian Maly [email protected]
- Loading branch information