CVE-2024-46847

In the Linux kernel, the following vulnerability has been resolved:

mm: vmalloc: ensure vmap_block is initialised before adding to queue

Commit 8c61291fd850 ("mm: fix incorrect vbq reference in purge_fragmented_block") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a new 'vmap_block' is being instantiated by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index.

This has been observed as UBSAN errors in Android:

  | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP
  |
  | Call trace:
  |  purge_fragmented_block+0x204/0x21c
  |  _vm_unmap_aliases+0x170/0x378
  |  vm_unmap_aliases+0x1c/0x28
  |  change_memory_common+0x1dc/0x26c
  |  set_memory_ro+0x18/0x24
  |  module_enable_ro+0x98/0x238
  |  do_init_module+0x1b0/0x310

Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray.
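The publish-before-initialise ordering described above, and the upstream fix of setting 'vb->cpu' first, as a stand-alone C simulation added here (this is not kernel code; the xarray, queues and allocator are plain arrays, and a poison byte stands in for the garbage kmalloc() leaves in the 'cpu' field). The walker bounds-checks the index instead of faulting so the defect can be counted rather than crash:

```c
#include <stddef.h>
#include <string.h>

/* Stand-alone model of the CVE-2024-46847 ordering bug (not kernel code).
 * Names mirror mm/vmalloc.c; the xarray and queues are plain arrays. */
#define NR_CPUS 4
#define MAX_BLOCKS 8

struct vmap_block { unsigned int cpu; };    /* 'cpu' indexes vbq[] */
struct vmap_block_queue { int purged; };
static struct vmap_block pool[MAX_BLOCKS];          /* backing "slab" */
static struct vmap_block *xarray[MAX_BLOCKS];       /* shared, walked by other CPUs */
static struct vmap_block_queue vbq[NR_CPUS];
static size_t nr_published;

/* kmalloc() does not zero memory: poison the block to model garbage. */
static struct vmap_block *kmalloc_vb(void) {
    struct vmap_block *vb = &pool[nr_published];
    memset(vb, 0x6b, sizeof *vb);
    return vb;
}

static void xa_publish(struct vmap_block *vb) { xarray[nr_published++] = vb; }

/* Walker modelled on purge_fragmented_block(): counts blocks whose 'cpu' would index past vbq[]. */
static int walk_and_purge(void) {
    int oob = 0;
    for (size_t i = 0; i < nr_published; i++) {
        struct vmap_block *vb = xarray[i];
        if (vb->cpu >= NR_CPUS) { oob++; continue; }  /* check instead of faulting */
        vbq[vb->cpu].purged++;
    }
    return oob;
}

/* Buggy order: publish, then set cpu; a concurrent walker lands in between. */
static int new_vmap_block_buggy(unsigned int cpu) {
    struct vmap_block *vb = kmalloc_vb();
    xa_publish(vb);              /* visible to other CPUs, cpu still garbage */
    int oob = walk_and_purge();  /* simulated concurrent vm_unmap_aliases() */
    vb->cpu = cpu;               /* too late */
    return oob;
}

/* Fixed order (what the upstream patch does): set cpu before publishing. */
static int new_vmap_block_fixed(unsigned int cpu) {
    struct vmap_block *vb = kmalloc_vb();
    vb->cpu = cpu;
    xa_publish(vb);
    return walk_and_purge();
}
```

Each out-of-bounds index the walker counts corresponds to one UBSAN "array index out of bounds" report on a real kernel.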
Configurations

Configuration 1

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*

History

02 Oct 2024, 14:16

Type        Values Removed                 Values Added
First Time                                 Linux linux Kernel
                                           Linux
CWE                                        CWE-129
CVSS        v2 : unknown                   v2 : unknown
            v3 : unknown                   v3 : 5.5
CPE                                        cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
                                           cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
                                           cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
                                           cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
                                           cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*
                                           cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
                                           cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
References  removed: https://git.kernel.org/stable/c/1b2770e27d6d952f491bb362b657e5b2713c3efd -
            added:   https://git.kernel.org/stable/c/1b2770e27d6d952f491bb362b657e5b2713c3efd - Patch
References  removed: https://git.kernel.org/stable/c/3e3de7947c751509027d26b679ecd243bc9db255 -
            added:   https://git.kernel.org/stable/c/3e3de7947c751509027d26b679ecd243bc9db255 - Patch
References  removed: https://git.kernel.org/stable/c/6cf74e0e5e3ab5d5c9defb4c73dad54d52224671 -
            added:   https://git.kernel.org/stable/c/6cf74e0e5e3ab5d5c9defb4c73dad54d52224671 - Patch

30 Sep 2024, 12:45

Type        Values Removed                 Values Added
Summary
  • (es) In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to the queue. Commit 8c61291fd850 ("mm: fix incorrect vbq reference in purge_fragmented_block") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a 'vmap_block' instance is created by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (for example via vm_unmap_aliases()), it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index. This has been observed as UBSAN errors in Android: | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray.

27 Sep 2024, 13:15

Type        Values Removed                 Values Added
New CVE

Information

Published : 2024-09-27 13:15

Updated : 2024-10-02 14:16


NVD link : CVE-2024-46847

Mitre link : CVE-2024-46847

CVE.ORG link : CVE-2024-46847


Products Affected

linux

  • linux_kernel
CWE
CWE-129

Improper Validation of Array Index