CVE-2024-44947 - FUSE Linux Kernel Uninitialized Information Leak

2 months ago 35
ARTICLE AD BOX
CVE ID : CVE-2024-44947
Published : Sept. 2, 2024, 6:15 p.m. | 24 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved: fuse: Initialize beyond-EOF page contents before setting uptodate fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents). So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate. The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap(). This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Read Entire Article