In the Linux kernel, the following vulnerability has been resolved:
fuse: Initialize beyond-EOF page contents before setting uptodate
fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
zeroing (because it can be used to change partial page contents).
So fuse_notify_store() must be more careful to fully initialize page
contents (including parts of the page that are beyond end-of-file)
before marking the page uptodate.
The current code can leave beyond-EOF page contents uninitialized, which
makes these uninitialized page contents visible to userspace via mmap().
This is an information leak, but only affects systems which do not
enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
corresponding kernel command line parameter).
References
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2024-09-02 18:15
Updated : 2024-11-23 23:15
NVD link : CVE-2024-44947
Mitre link : CVE-2024-44947
CVE.ORG link : CVE-2024-44947
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-665
Improper Initialization