5.5

CVE-2024-44947

fuse: Initialize beyond-EOF page contents before setting uptodate

In the Linux kernel, the following vulnerability has been resolved:

fuse: Initialize beyond-EOF page contents before setting uptodate

fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
zeroing (because it can be used to change partial page contents).

So fuse_notify_store() must be more careful to fully initialize page
contents (including parts of the page that are beyond end-of-file)
before marking the page uptodate.

The current code can leave beyond-EOF page contents uninitialized, which
makes these uninitialized page contents visible to userspace via mmap().

This is an information leak, but only affects systems which do not
enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
corresponding kernel command line parameter).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.36 < 4.19.321
LinuxLinux Kernel Version >= 4.20 < 5.4.283
LinuxLinux Kernel Version >= 5.5 < 5.10.225
LinuxLinux Kernel Version >= 5.11 < 5.15.166
LinuxLinux Kernel Version >= 5.16 < 6.1.107
LinuxLinux Kernel Version >= 6.2 < 6.6.48
LinuxLinux Kernel Version >= 6.7 < 6.10.7
LinuxLinux Kernel Version6.11 Updaterc1
LinuxLinux Kernel Version6.11 Updaterc2
LinuxLinux Kernel Version6.11 Updaterc3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.88% 0.543
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-665 Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

https://git.kernel.org/stable/c/18a067240817bee8a9360539af5d79a4bf5398a5
Patch
https://git.kernel.org/stable/c/33168db352c7b56ae18aa55c2cae1a1c5905d30e
Patch
https://git.kernel.org/stable/c/3c0da3d163eb32f1f91891efaade027fa9b245b9
Patch
https://git.kernel.org/stable/c/4690e2171f651e2b415e3941ce17f2f7b813aff6
Patch
https://git.kernel.org/stable/c/49934861514d36d0995be8e81bb3312a499d8d9a
Patch
https://git.kernel.org/stable/c/831433527773e665bdb635ab5783d0b95d1246f4
Patch
https://git.kernel.org/stable/c/8c78303eafbf85a728dd84d1750e89240c677dd9
Patch
https://git.kernel.org/stable/c/ac42e0f0eb66af966015ee33fd355bc6f5d80cd6
Patch
https://project-zero.issues.chromium.org/issues/42451729
https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html