[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["mm/damon/stat.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8","lessThan":"447f8870b484f6596d7a7130e72bd0a3f1e037bb","versionType":"git","status":"affected"},{"version":"405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8","lessThan":"16c92e9bf55fa049ddb5e894dc0623dacd46a620","versionType":"git","status":"affected"},{"version":"405f61996d9d2e9d497cd9f6b66f41dc28d3d1d8","lessThan":"4c04c6b47c361612b1d70cec8f7a60b1482d1400","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["mm/damon/stat.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.17","status":"affected"},{"version":"0","lessThan":"6.17","versionType":"semver","status":"unaffected"},{"version":"6.18.23","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.13","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416

OR
          *cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.19 up to (excluding) 6.19.13
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.17.1 up to (excluding) 6.18.23

kernel.org: https://git.kernel.org/stable/c/16c92e9bf55fa049ddb5e894dc0623dacd46a620 Types: Patch

kernel.org: https://git.kernel.org/stable/c/447f8870b484f6596d7a7130e72bd0a3f1e037bb Types: Patch

kernel.org: https://git.kernel.org/stable/c/4c04c6b47c361612b1d70cec8f7a60b1482d1400 Types: Patch

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/stat: deallocate damon_call() failure leaking damon_ctx

damon_stat_start() always allocates the module's damon_ctx object
(damon_stat_context).  Meanwhile, if damon_call() in the function fails,
the damon_ctx object is not deallocated.  Hence, if the damon_call() is
failed, and the user writes Y to “enabled” again, the previously
allocated damon_ctx object is leaked.

This cannot simply be fixed by deallocating the damon_ctx object when
damon_call() fails.  That's because damon_call() failure doesn't guarantee
the kdamond main function, which accesses the damon_ctx object, is
completely finished.  In other words, if damon_stat_start() deallocates
the damon_ctx object after damon_call() failure, the not-yet-terminated
kdamond could access the freed memory (use-after-free).

Fix the leak while avoiding the use-after-free by keeping returning
damon_stat_start() without deallocating the damon_ctx object after
damon_call() failure, but deallocating it when the function is invoked
again and the kdamond is completely terminated.  If the kdamond is not yet
terminated, simply return -EAGAIN, as the kdamond will soon be terminated.

The issue was discovered [1] by sashiko.

https://git.kernel.org/stable/c/16c92e9bf55fa049ddb5e894dc0623dacd46a620

https://git.kernel.org/stable/c/447f8870b484f6596d7a7130e72bd0a3f1e037bb

https://git.kernel.org/stable/c/4c04c6b47c361612b1d70cec8f7a60b1482d1400