In the Linux kernel, the following vulnerability has been resolved:
mm/damon/stat: deallocate damon_call() failure leaking damon_ctx
damon_stat_start() always allocates the module's damon_ctx object
(damon_stat_context). Meanwhile, if damon_call() in the function fails,
the damon_ctx object is not deallocated. Hence, if damon_call() fails and
the user writes Y to "enabled" again, the previously allocated damon_ctx
object is leaked.
This cannot simply be fixed by deallocating the damon_ctx object when
damon_call() fails. That's because damon_call() failure doesn't guarantee
the kdamond main function, which accesses the damon_ctx object, is
completely finished. In other words, if damon_stat_start() deallocates
the damon_ctx object after damon_call() failure, the not-yet-terminated
kdamond could access the freed memory (use-after-free).
Fix the leak while avoiding the use-after-free by having damon_stat_start()
keep returning without deallocating the damon_ctx object after
damon_call() failure, but deallocating it when the function is invoked
again and the kdamond is completely terminated. If the kdamond is not yet
terminated, simply return -EAGAIN, as the kdamond will soon be terminated.
The issue was discovered [1] by sashiko.
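To make the lifecycle in the commit message concrete, the following is an added user-space model written for this page, not code from the kernel or from the DAMON maintainers. stat_start_buggy() reproduces the leak (a fresh object on every enable, the failed one left orphaned when the global pointer is overwritten), and stat_start_fixed() reproduces the fix (free the leftover object only once its kdamond is gone, otherwise hand -EAGAIN back to the caller). The mock_* helpers, the live_ctxs counter and the kdamond_state enum are assumptions standing in for damon_new_ctx(), damon_call(), damon_is_running() and the kdamond thread; nothing here touches real kernel code.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model of damon_stat_start(); mock_* names, live_ctxs and
 * kdamond_state are assumptions for this example, not DAMON's API.
 * A failed mock_call() leaves the simulated kdamond EXITING (thread alive);
 * only mock_kdamond_reap() moves it to DEAD, when freeing the ctx is safe. */
enum kdamond_state { KD_IDLE, KD_RUNNING, KD_EXITING, KD_DEAD };
struct mock_ctx { enum kdamond_state state; };

static int live_ctxs;              /* allocated and not yet freed */
static bool call_should_fail;      /* test knob for mock_call() */
static struct mock_ctx *buggy_ctx; /* damon_stat_context, old code */
static struct mock_ctx *fixed_ctx; /* damon_stat_context, fixed code */

static struct mock_ctx *mock_new_ctx(void)
{
	struct mock_ctx *c = calloc(1, sizeof(*c));
	if (c) live_ctxs++;
	return c;
}

static void mock_destroy_ctx(struct mock_ctx *c)
{
	if (!c) return;
	live_ctxs--;
	free(c);
}

/* Starting the kdamond always succeeds in this model. */
static void mock_start(struct mock_ctx *c) { c->state = KD_RUNNING; }
/* Stand-in for damon_call(): when it fails, the kdamond is already exiting. */
static int mock_call(struct mock_ctx *c)
{
	if (!call_should_fail) return 0;
	c->state = KD_EXITING;
	return -EINVAL;
}
/* Like damon_is_running(): true while the kdamond thread still exists. */
static bool mock_is_running(const struct mock_ctx *c)
{
	return c->state == KD_RUNNING || c->state == KD_EXITING;
}
/* The exiting kdamond thread finally terminates. */
static void mock_kdamond_reap(struct mock_ctx *c)
{
	if (c && c->state == KD_EXITING) c->state = KD_DEAD;
}

static void model_reset(void)
{
	mock_destroy_ctx(buggy_ctx); /* leaked objects are unreachable, stay leaked */
	mock_destroy_ctx(fixed_ctx);
	buggy_ctx = fixed_ctx = NULL;
	live_ctxs = 0;
	call_should_fail = false;
}

/* Before the fix: always allocate; on failure return with the object still
 * owned by the global pointer, which the next call silently overwrites.
 * Freeing it here instead would race the still-EXITING kdamond (UAF). */
static int stat_start_buggy(void)
{
	buggy_ctx = mock_new_ctx();
	if (!buggy_ctx) return -ENOMEM;
	mock_start(buggy_ctx);
	return mock_call(buggy_ctx);
}

/* After the fix: a leftover ctx is freed only once its kdamond is gone;
 * while it is still winding down the caller gets -EAGAIN and retries. */
static int stat_start_fixed(void)
{
	if (fixed_ctx) {
		if (mock_is_running(fixed_ctx)) return -EAGAIN;
		mock_destroy_ctx(fixed_ctx);
		fixed_ctx = NULL;
	}
	fixed_ctx = mock_new_ctx();
	if (!fixed_ctx) return -ENOMEM;
	mock_start(fixed_ctx);
	return mock_call(fixed_ctx);
}

int main(void)
{
	call_should_fail = true;
	stat_start_buggy();
	mock_kdamond_reap(buggy_ctx);
	stat_start_buggy();
	printf("buggy: %d live ctx after two failed enables\n", live_ctxs);
	model_reset();
	call_should_fail = true;
	stat_start_fixed();
	printf("fixed: immediate retry -> %d (-EAGAIN)\n", stat_start_fixed());
	mock_kdamond_reap(fixed_ctx);
	call_should_fail = false;
	printf("fixed: retry after exit -> %d, %d live ctx\n", stat_start_fixed(), live_ctxs);
	return 0;
}
```

Build with 'cc -Wall model.c'. The ordering in stat_start_fixed() is the point: the running check comes before the free, and -EAGAIN goes back to whoever wrote 'enabled' instead of being retried inside the kernel, because the only moment at which the object can be freed safely is after the kdamond thread has exited.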
A memory leak exists in the DAMON_STAT module of the Linux kernel's DAMON (Data Access MONitor) subsystem. damon_stat_start() allocates a new damon_ctx every time the module is enabled, and if the damon_call() it then issues fails, that object is never freed: freeing it immediately is not an option, because the kdamond thread that uses it may still be exiting (a use-after-free). Each failed enable therefore leaks one damon_ctx together with the objects attached to it, and repeated enable attempts gradually consume unreclaimable kernel memory. The trigger is writing Y to the damon_stat 'enabled' module parameter, which is writable only by root by default and leaks only when damon_call() fails. So while the CVSS 7.8 score indicates high severity, the vulnerability requires local access to a privileged interface plus a failing condition to trigger, making it a moderate risk for most Saudi organizations running standard Linux deployments.
Immediate Actions:
1. Identify systems running affected kernel versions (6.17 and 7.0-rc1 through rc7 per the advisory; DAMON_STAT first shipped in 6.17, so treat any later kernel without the fix as affected) using 'uname -r', and check whether the code is present at all with 'grep CONFIG_DAMON_STAT /boot/config-$(uname -r)' (a kernel with CONFIG_DAMON_STAT not set is not affected)
2. Restrict local access to the damon_stat control interface. The toggle is the module parameter /sys/module/damon_stat/parameters/enabled (also settable as 'damon_stat.enabled=' on the kernel command line). It is root-only by default; confirm with 'ls -l /sys/module/damon_stat/parameters/enabled' and make sure no automation, container or unprivileged user has been given write access. The DAMON sysfs interface under /sys/kernel/mm/damon/admin/ is a separate, likewise root-only, interface, and the old debugfs path /sys/kernel/debug/damon/ no longer exists in affected kernels
3. Monitor memory usage for unexplained growth in kernel memory (Slab and SUnreclaim in /proc/meminfo): the leaked objects are kernel allocations, so they do not show up as process memory
Patching Guidance:
1. Apply kernel security updates from your distribution (RHEL, Ubuntu, Debian) when available; for self-built kernels, move to a mainline or stable release that carries the fix
2. For RHEL: 'dnf update kernel' ('yum' remains as an alias) and reboot
3. For Ubuntu/Debian: 'apt update && apt upgrade' (the kernel metapackage, for example linux-image-generic or linux-image-amd64, pulls in the new image) and reboot
4. Verify patch application. For a self-built mainline kernel, 'uname -r' should report a version beyond 7.0-rc7. For distribution kernels this comparison proves nothing, because distributions backport fixes without changing the upstream version string; check the vendor advisory or the kernel package changelog for the commit "mm/damon/stat: deallocate damon_call() failure leaking damon_ctx" instead
Compensating Controls (if immediate patching unavailable):
1. Keep DAMON_STAT switched off. It is a built-in kernel option (CONFIG_DAMON_STAT is a bool, not a tristate), so there is no damon or damon_stat loadable module and a modprobe blacklist file has no effect. Confirm that 'cat /sys/module/damon_stat/parameters/enabled' prints N; if the kernel was built with CONFIG_DAMON_STAT_ENABLED_DEFAULT, it enables itself at boot, which 'damon_stat.enabled=N' on the kernel command line overrides
2. Keep the control interface root-only. The parameter file is created with mode 0600; do not loosen it, and do not delegate write access to it or to /sys/kernel/mm/damon/admin/ to unprivileged users or containers. A 'chmod 700 /sys/kernel/debug/damon/' does nothing, since that path does not exist on affected kernels
3. Do not rely on cgroup memory limits for this bug: the damon_ctx is allocated by the kernel and is not charged to the cgroup of the process that writes 'enabled', so memcg limits neither prevent nor bound the leak. They remain useful for general containment of untrusted processes, but they are not a mitigation here
4. Monitor /proc/meminfo, watching Slab and SUnreclaim rather than MemAvailable: each failed enable leaks a small kernel object, so growth in the kmalloc caches shown by 'slabtop' is visible long before MemAvailable moves
Detection Rules:
1. Monitor writes to /sys/module/damon_stat/parameters/enabled, for example with an auditd watch such as '-w /sys/module/damon_stat/parameters/enabled -p w -k damon_stat'; on an unpatched kernel every write that the kernel rejects corresponds to one leaked damon_ctx
2. Alert on sustained growth of Slab/SUnreclaim, or of the kmalloc caches in 'slabtop', that is not matched by growth in process memory (RSS)
3. Track enable attempts that fail rather than module load/unload cycles (DAMON_STAT is built in and cannot be loaded or unloaded): the writer receives the error, so audit syscall records with a non-zero exit, shell history or automation logs expose them. On a patched kernel a write that fails with EAGAIN is the fix at work (the previous kdamond is still exiting) and should be retried, not treated as a leak
4. Log access to the DAMON control interfaces, both /sys/module/damon_stat/parameters/ and /sys/kernel/mm/damon/admin/