CVE-2024-43898

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

CVSS

No CVSS.

References

No reference.

Configurations

No configuration.

History

10 Sep 2024, 08:15

Type	Values Removed	Values Added
Summary	(es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ext4: verificación de integridad del puntero NULL después de ext4_force_shutdown Caso de prueba: 2 subprocesos escriben datos breves en línea en un archivo. En ext4_page_mkwrite se convierten los datos en línea resultantes. El manejo de ext4_grp_locked_error con la descripción "mapa de bits de bloque y descriptor de bg inconsistentes: clústeres libres X vs Y" llama a ext4_force_shutdown. La conversión borra EXT4_STATE_MAY_INLINE_DATA pero falla para ext4_destroy_inline_data_nolock y ext4_mark_iloc_dirty debido a ext4_forced_shutdown. La restauración de datos en línea falla por el mismo motivo al no configurar EXT4_STATE_MAY_INLINE_DATA. Sin el indicador establecido, una ruta de proceso normal en ext4_da_write_end sigue intentando eliminar la referencia al puntero privado de la página que no se ha configurado. La solución llama al retorno anticipado con el error -EIO y el puntero a privado será NULL. Informe de falla de muestra: No se puede manejar la solicitud de paginación del kernel en la dirección virtual dfff800000000004 KASAN: null-ptr-deref en el rango [0x000000000000020-0x00000000000000027] Información de cancelación de memoria: ESR = 0x0000000096000005 EC = 0x25: DABT (actual EL), IL = 32 bits CONJUNTO = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: error de traducción de nivel 1 Información de cancelación de datos: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 dirección [dfff800000000004] entre los rangos de direcciones del usuario y del kernel Error interno: Ups: 0000000096000005 [#1] Módulos SMP PREEMPT vinculados en: CPU: 1 PID: 20274 Comm: syz-executor185 No está contaminado 6.9.0-rc7-syzkaller-gfda5695d692c #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 27/03/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT - SSBS BTYPE=--) pc: __block_commit_write+0x64/0x2b0 fs/buffer.c:2167 lr: __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160 sp: ffff8000a1957600 x29: ffff8000a1957610 x28: 00000000 x27: ffff0000e30e34b0 x26: 0000000000000000 x25 : dfff800000000000 x24: dfff800000000000 x23: fffffdffc397c9e0 x22: 0000000000000020 x21: 00000000000000020 x20: 0000000000000040 x19: ffc397c9c0 x18: 1fffe000367bd196 x17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0 x14: 1fffe0001cbe4e04 x13: 00000000000000000 x 12: 0000000000000000 x11: 0000000000000001 x10: 0000000000ff0100 x9: 0000000000000000 x8: 0000000000000004 x7: 0000000000000000 x6: 0000000000000000 x5: fffffdffc397c9c0 x4: 00000000000000020 x3: 0000000000000020 x2: 000 0000000000040 x1: 0000000000000020 x0: fffffdffc397c9c0 Rastreo de llamadas: __block_commit_write+0x64/0x2b0 fs/buffer.c:2167 block_write_end+0xb4/0x104 fs/buffer .c:2253 ext4_da_do_write_end fs/ext4/inode.c:2955 [en línea] ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028 generic_perform_write+0x394/0x588 mm/filemap.c:3985 ext4_buffered_write_iter+0x2c0/0 x4ecfs/ ext4/file.c:299 ext4_file_write_iter+0x188/0x1780 call_write_iter include/linux/fs.h:2110 [en línea] new_sync_write fs/read_write.c:497 [en línea] vfs_write+0x968/0xc3c fs/read_write.c:590 ksys_write+ 0x15c/0x26c fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [en línea] __se_sys_write fs/read_write.c:652 [en línea] __arm64_sys_write+0x7c/0x90 fs/read_write.c:652 __invoke_syscall arch/arm64/ núcleo /syscall.c:34 [en línea] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133 do_el0_svc+0x48/0x58 arch/arm64/ kernel/syscall.c:152 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/ arm64/kernel/entry.S:598 Código: 97f85911 f94002da 91008356 d343fec8 (38796908) ---[ end trace 00000000000000000 ]--------- TRUNCADO ----------
Summary	(en) In the Linux kernel, the following vulnerability has been resolved: ext4: sanity check for NULL pointer after ext4_force_shutdown Test case: 2 threads write short inline data to a file. In ext4_page_mkwrite the resulting inline data is converted. Handling ext4_grp_locked_error with description "block bitmap and bg descriptor inconsistent: X vs Y free clusters" calls ext4_force_shutdown. The conversion clears EXT4_STATE_MAY_INLINE_DATA but fails for ext4_destroy_inline_data_nolock and ext4_mark_iloc_dirty due to ext4_forced_shutdown. The restoration of inline data fails for the same reason not setting EXT4_STATE_MAY_INLINE_DATA. Without the flag set a regular process path in ext4_da_write_end follows trying to dereference page folio private pointer that has not been set. The fix calls early return with -EIO error shall the pointer to private be NULL. Sample crash report: Unable to handle kernel paging request at virtual address dfff800000000004 KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [dfff800000000004] address between user and kernel address ranges Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 20274 Comm: syz-executor185 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __block_commit_write+0x64/0x2b0 fs/buffer.c:2167 lr : __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160 sp : ffff8000a1957600 x29: ffff8000a1957610 x28: dfff800000000000 x27: ffff0000e30e34b0 x26: 0000000000000000 x25: dfff800000000000 x24: dfff800000000000 x23: fffffdffc397c9e0 x22: 0000000000000020 x21: 0000000000000020 x20: 0000000000000040 x19: fffffdffc397c9c0 x18: 1fffe000367bd196 x17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0 x14: 1fffe0001cbe4e04 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000001 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 0000000000000004 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffdffc397c9c0 x4 : 0000000000000020 x3 : 0000000000000020 x2 : 0000000000000040 x1 : 0000000000000020 x0 : fffffdffc397c9c0 Call trace: __block_commit_write+0x64/0x2b0 fs/buffer.c:2167 block_write_end+0xb4/0x104 fs/buffer.c:2253 ext4_da_do_write_end fs/ext4/inode.c:2955 [inline] ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028 generic_perform_write+0x394/0x588 mm/filemap.c:3985 ext4_buffered_write_iter+0x2c0/0x4ec fs/ext4/file.c:299 ext4_file_write_iter+0x188/0x1780 call_write_iter include/linux/fs.h:2110 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0x968/0xc3c fs/read_write.c:590 ksys_write+0x15c/0x26c fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __arm64_sys_write+0x7c/0x90 fs/read_write.c:652 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Code: 97f85911 f94002da 91008356 d343fec8 (38796908) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: 97f85911 bl 0xffffffffffe16444 4: f94002da ldr x26, [x22] 8: 91008356 add x22, x26, #0x20 c: d343fec8 lsr x8, x22, #3 * 10: 38796908 ldrb w8, [x8, x25] <-- trapping instruction	(en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVSS	v2 : ~~unknown~~ v3 : ~~5.5~~	v2 : unknown v3 : unknown
CWE	~~CWE-476~~
References	~~{'url': 'https://git.kernel.org/stable/c/3f6bbe6e07e5239294ecc3d2efa70d1f98aed52e', 'tags': ['Patch'], 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}~~ ~~{'url': 'https://git.kernel.org/stable/c/83f4414b8f84249d538905825b088ff3ae555652', 'tags': ['Patch'], 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}~~ ~~{'url': 'https://git.kernel.org/stable/c/f619876ccbfd329ae785fe5d3289b9dcd6eb5901', 'tags': ['Patch'], 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}~~
CPE	cpe:2.3:o:linux:linux_kernel::::::::

05 Sep 2024, 18:31

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ext4: verificación de integridad del puntero NULL después de ext4_force_shutdown Caso de prueba: 2 subprocesos escriben datos breves en línea en un archivo. En ext4_page_mkwrite se convierten los datos en línea resultantes. El manejo de ext4_grp_locked_error con la descripción "mapa de bits de bloque y descriptor de bg inconsistentes: clústeres libres X vs Y" llama a ext4_force_shutdown. La conversión borra EXT4_STATE_MAY_INLINE_DATA pero falla para ext4_destroy_inline_data_nolock y ext4_mark_iloc_dirty debido a ext4_forced_shutdown. La restauración de datos en línea falla por el mismo motivo al no configurar EXT4_STATE_MAY_INLINE_DATA. Sin el indicador establecido, una ruta de proceso normal en ext4_da_write_end sigue intentando eliminar la referencia al puntero privado de la página que no se ha configurado. La solución llama al retorno anticipado con el error -EIO y el puntero a privado será NULL. Informe de falla de muestra: No se puede manejar la solicitud de paginación del kernel en la dirección virtual dfff800000000004 KASAN: null-ptr-deref en el rango [0x000000000000020-0x00000000000000027] Información de cancelación de memoria: ESR = 0x0000000096000005 EC = 0x25: DABT (actual EL), IL = 32 bits CONJUNTO = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: error de traducción de nivel 1 Información de cancelación de datos: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 dirección [dfff800000000004] entre los rangos de direcciones del usuario y del kernel Error interno: Ups: 0000000096000005 [#1] Módulos SMP PREEMPT vinculados en: CPU: 1 PID: 20274 Comm: syz-executor185 No está contaminado 6.9.0-rc7-syzkaller-gfda5695d692c #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 27/03/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT - SSBS BTYPE=--) pc: __block_commit_write+0x64/0x2b0 fs/buffer.c:2167 lr: __block_commit_write+0x3c/0x2b0 fs/buffer.c:2160 sp: ffff8000a1957600 x29: ffff8000a1957610 x28: 00000000 x27: ffff0000e30e34b0 x26: 0000000000000000 x25 : dfff800000000000 x24: dfff800000000000 x23: fffffdffc397c9e0 x22: 0000000000000020 x21: 00000000000000020 x20: 0000000000000040 x19: ffc397c9c0 x18: 1fffe000367bd196 x17: ffff80008eead000 x16: ffff80008ae89e3c x15: 00000000200000c0 x14: 1fffe0001cbe4e04 x13: 00000000000000000 x 12: 0000000000000000 x11: 0000000000000001 x10: 0000000000ff0100 x9: 0000000000000000 x8: 0000000000000004 x7: 0000000000000000 x6: 0000000000000000 x5: fffffdffc397c9c0 x4: 00000000000000020 x3: 0000000000000020 x2: 000 0000000000040 x1: 0000000000000020 x0: fffffdffc397c9c0 Rastreo de llamadas: __block_commit_write+0x64/0x2b0 fs/buffer.c:2167 block_write_end+0xb4/0x104 fs/buffer .c:2253 ext4_da_do_write_end fs/ext4/inode.c:2955 [en línea] ext4_da_write_end+0x2c4/0xa40 fs/ext4/inode.c:3028 generic_perform_write+0x394/0x588 mm/filemap.c:3985 ext4_buffered_write_iter+0x2c0/0 x4ecfs/ ext4/file.c:299 ext4_file_write_iter+0x188/0x1780 call_write_iter include/linux/fs.h:2110 [en línea] new_sync_write fs/read_write.c:497 [en línea] vfs_write+0x968/0xc3c fs/read_write.c:590 ksys_write+ 0x15c/0x26c fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [en línea] __se_sys_write fs/read_write.c:652 [en línea] __arm64_sys_write+0x7c/0x90 fs/read_write.c:652 __invoke_syscall arch/arm64/ núcleo /syscall.c:34 [en línea] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133 do_el0_svc+0x48/0x58 arch/arm64/ kernel/syscall.c:152 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/ arm64/kernel/entry.S:598 Código: 97f85911 f94002da 91008356 d343fec8 (38796908) ---[ end trace 00000000000000000 ]--------- TRUNCADO ----------
First Time		Linux Linux linux Kernel
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CWE		CWE-476
References	~~() https://git.kernel.org/stable/c/3f6bbe6e07e5239294ecc3d2efa70d1f98aed52e -~~	() https://git.kernel.org/stable/c/3f6bbe6e07e5239294ecc3d2efa70d1f98aed52e - Patch
References	~~() https://git.kernel.org/stable/c/83f4414b8f84249d538905825b088ff3ae555652 -~~	() https://git.kernel.org/stable/c/83f4414b8f84249d538905825b088ff3ae555652 - Patch
References	~~() https://git.kernel.org/stable/c/f619876ccbfd329ae785fe5d3289b9dcd6eb5901 -~~	() https://git.kernel.org/stable/c/f619876ccbfd329ae785fe5d3289b9dcd6eb5901 - Patch
CPE		cpe:2.3:o:linux:linux_kernel::::::::

26 Aug 2024, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-26 11:15

Updated : 2024-09-10 08:15

NVD link : CVE-2024-43898

Mitre link : CVE-2024-43898

CVE.ORG link : CVE-2024-43898

JSON object : View

Products Affected

No product.

CWE

No CWE.