PT-2024-29866 · Linux · Linux Kernel

Jann Horn · Published 2024-08-17 · Updated 2025-02-04 · CVE-2024-42318

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (Landlock LSM), versions prior to 6.6.50
Description: When a process's cred struct is replaced, the kernel normally invokes the cred_prepare LSM hook, which Landlock implements to carry its domain over into the new credentials. There is one special case: keyctl(KEYCTL_SESSION_TO_PARENT), issued by a child process, replaces the parent's credentials with a freshly allocated blank cred and populates the LSM state through the cred_transfer hook instead. Landlock implemented only cred_prepare and not cred_transfer, so the parent's new credentials carry no Landlock domain and every Landlock restriction on the parent is lost. A process that can call fork() and keyctl() can therefore escape its Landlock sandbox: it forks, the child calls keyctl(KEYCTL_SESSION_TO_PARENT), and the parent continues unrestricted. The fix adds a cred_transfer hook that copies the domain exactly as cred_prepare does; hook_cred_prepare() now calls hook_cred_transfer(), so the two paths cannot diverge again by accident.
Recommendations: Update to a kernel that carries the fix (6.6.50 or later per this page; the distribution advisories under Related Identifiers cover vendor kernels). Until then the only practical workaround is at the syscall level, because Landlock does not filter syscalls and LSM hooks cannot be enabled or restricted from userspace: install a seccomp filter in every Landlock-sandboxed process that denies keyctl(2), or at minimum its KEYCTL_SESSION_TO_PARENT operation, before the ruleset is enforced. Restricting fork() adds little once that operation is blocked and is rarely practical.
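The syscall-level workaround for the recommendation above, as an added example that is not the advisory's or the kernel's own code: a seccomp-bpf filter that denies keyctl(KEYCTL_SESSION_TO_PARENT), the operation a forked child uses to replace the parent's credentials, while leaving every other syscall and every other keyctl operation untouched. The x86-64 architecture constant, the kill-on-wrong-ABI check, and the small interpreter used to check the filter's verdicts before installing it are this example's own choices, not anything the advisory specifies.

```c
/* Added example (not from the advisory or the kernel tree): a seccomp-bpf
 * filter that fails keyctl(KEYCTL_SESSION_TO_PARENT) with EPERM and allows
 * everything else.  Landlock does not filter syscalls, so on an unpatched
 * kernel this is how a sandboxed process keeps a child from replacing its
 * credentials.  Assumes x86-64 (AUDIT_ARCH_X86_64, little-endian). */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/keyctl.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#ifndef SECCOMP_RET_KILL_PROCESS /* pre-4.14 headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#define ARCH_NR AUDIT_ARCH_X86_64
#define FILTER_LEN 9

/* Write the filter into prog[]; returns the instruction count. */
size_t build_keyctl_filter(struct sock_filter prog[FILTER_LEN])
{
    const struct sock_filter f[FILTER_LEN] = {
        /* 0-2: wrong ABI -> kill (syscall numbers differ per arch) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-4: any syscall but keyctl -> allow (jump to 8) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_keyctl, 0, 3),
        /* 5-6: keyctl op (low word of args[0]) other than SESSION_TO_PARENT -> allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, KEYCTL_SESSION_TO_PARENT, 0, 1),
        /* 7: deny with EPERM; 8: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(prog, f, sizeof f);
    return FILTER_LEN;
}

/* Minimal cBPF interpreter for the three opcodes used above, so the decision
 * table can be checked in userspace before the filter is installed. */
unsigned int run_filter(const struct sock_filter *prog, size_t len,
                        const struct seccomp_data *sd)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS: /* 32-bit load from seccomp_data */
            memcpy(&acc, (const char *)sd + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: /* offsets are relative to pc + 1 */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default: /* opcode we did not emit: fail closed */
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Verdict for one (arch, syscall number, first argument) triple. */
unsigned int decide(unsigned int arch, int nr, unsigned long long arg0)
{
    struct sock_filter prog[FILTER_LEN];
    struct seccomp_data sd = { .nr = nr, .arch = arch, .args = { arg0 } };
    return run_filter(prog, build_keyctl_filter(prog), &sd);
}

/* Install in the calling process; fork() children inherit the filter. */
int install_keyctl_filter(void)
{
    struct sock_filter insns[FILTER_LEN];
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = insns };
    build_keyctl_filter(insns);
    /* no_new_privs is what lets an unprivileged process install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_keyctl_filter())
        return perror("seccomp"), 1;
    long r = syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT);
    printf("keyctl(KEYCTL_SESSION_TO_PARENT) = %ld, errno %d\n", r, errno);
    return 0;
}
```

Install the filter in the same process that later calls landlock_restrict_self(), and before it; seccomp filters, like Landlock domains, are inherited across fork() and execve(), which is what keeps a child from using the operation against its parent. If the sandboxed program never uses kernel keyrings, denying keyctl(2) outright (drop instructions 5 through 7) is simpler and removes the dependence on the argument check.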


Related Identifiers

BDU:2025-03379
CVE-2024-42318
DLA-4008-1
MGASA-2024-0309
MGASA-2024-0310
OESA-2024-2077
OESA-2024-2078
OESA-2025-1078
OPENSUSE-SU-2024_3190-1
OPENSUSE-SU-2024_3209-1
OPENSUSE-SU-2024_3483-1
SUSE-SU-2024:3190-1
SUSE-SU-2024:3194-1
SUSE-SU-2024:3195-1
SUSE-SU-2024:3209-1
SUSE-SU-2024:3383-1
SUSE-SU-2024:3483-1
SUSE-SU-2025:20044-1
SUSE-SU-2025:20047-1
USN-7100-1
USN-7100-2
USN-7123-1
USN-7144-1
USN-7154-1
USN-7154-2
USN-7155-1
USN-7156-1
USN-7194-1
USN-7196-1

Affected Products

Astra Linux
Linux Mint
Linux Kernel
RED OS
SUSE
Ubuntu