
Cloud Vulnerability DB
A community-led vulnerabilities database
stalld through 1.19.7 contains a security vulnerability that allows local users to cause a denial of service (file overwrite) via a /tmp/rtthrottle symlink attack. The vulnerability was discovered during a routine review of the contained systemd service and was reported to upstream on September 9, 2024 (SUSE Blog).
The vulnerability exists in the throttlectl.sh script, which is called with root privileges as a pre and post script in stalld's systemd unit. The script uses a fixed /tmp path (/tmp/rtthrottle) to cache original values from /proc/sys/kernel/sched_rt_runtime_us and /proc/sys/kernel/sched_rt_period_us. This implementation allows for both symlink attacks and file pre-creation attacks. The issue has been assigned a CVSS v3.1 Base Score of 4.1 MEDIUM (Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L) (NVD).
A local attacker could exploit this vulnerability to overwrite arbitrary files in the system, leading to a denial of service condition. Additionally, through file pre-creation attacks, an attacker can manipulate values that will be written to the pseudo files in /proc/sys/kernel/sched_rt_*, resulting in local denial of service or local integrity violations (SUSE Blog).
The suggested fix is to place the file into the /run/stalld directory, which is owned by root. This directory is already created via stalld's systemd unit. Additional hardening measures like implementing PrivateTmp=yes in the systemd unit could prevent future temporary file issues. The throttlectl script should also set the errexit shell option to exit upon unexpected errors (SUSE Blog).
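The suggested fix, shown as an added shell example (not stalld's throttlectl.sh or the upstream patch): the cache file lives in a root-owned directory, errexit is set, and the cached values are validated before they are written back. The function names, the rtthrottle file name inside the state directory and the path parameters are assumptions made for illustration.

```shell
#!/bin/bash
# Added illustration; not stalld's throttlectl.sh or the upstream patch.
# In production the state directory would be /run/stalld and the two tunables
# the real /proc files; they are parameters here so scratch files can be used.
set -o errexit -o nounset

# Directory must be real (no symlink), owned by us and not group/other writable.
check_state_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case "$(stat -c '%A' "$1")" in
        ?????w*|????????w*) return 1 ;;
    esac
}

save_rt_values() {   # args: state_dir runtime_file period_file
    local tmp
    check_state_dir "$1" || return 1
    # mktemp creates the file exclusively with mode 0600 under a random name.
    tmp=$(mktemp "$1/rtthrottle.XXXXXX") || return 1
    { cat "$2"; cat "$3"; } > "$tmp" || return 1
    # rename(2) replaces a planted symlink instead of writing through it.
    mv -T -- "$tmp" "$1/rtthrottle"
}

restore_rt_values() {   # args: state_dir runtime_file period_file
    local state="$1/rtthrottle" runtime period
    check_state_dir "$1" || return 1
    # Refuse symlinks, non-regular files and files we do not own.
    [ ! -L "$state" ] && [ -f "$state" ] && [ -O "$state" ] || return 1
    { read -r runtime && read -r period; } < "$state" || return 1
    # Only integers may reach the tunables (-1 disables the runtime limit).
    case $runtime in -1) ;; ''|*[!0-9]*) return 1 ;; esac
    case $period in ''|*[!0-9]*) return 1 ;; esac
    echo "$runtime" > "$2"
    echo "$period" > "$3"
    rm -f -- "$state"
}
```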
Source: This report was generated using AI