CVE-2024-46847

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-46847

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

I

n the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to queue Commit 8c61291fd850 ("mm: fix incorrect vbq reference in purge_fragmented_block") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a new 'vmap_block' is being instantiated by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index. This has been observed as UBSAN errors in Android: | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray.

References
Link Resource
https://git.kernel.org/stable/c/1b2770e27d6d952f491bb362b657e5b2713c3efd Patch
https://git.kernel.org/stable/c/3e3de7947c751509027d26b679ecd243bc9db255 Patch
https://git.kernel.org/stable/c/6cf74e0e5e3ab5d5c9defb4c73dad54d52224671 Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*
History

02 Oct 2024, 14:16

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/1b2770e27d6d952f491bb362b657e5b2713c3efd - () https://git.kernel.org/stable/c/1b2770e27d6d952f491bb362b657e5b2713c3efd - Patch
References () https://git.kernel.org/stable/c/3e3de7947c751509027d26b679ecd243bc9db255 - () https://git.kernel.org/stable/c/3e3de7947c751509027d26b679ecd243bc9db255 - Patch
References () https://git.kernel.org/stable/c/6cf74e0e5e3ab5d5c9defb4c73dad54d52224671 - () https://git.kernel.org/stable/c/6cf74e0e5e3ab5d5c9defb4c73dad54d52224671 - Patch
CWE CWE-129
CPE cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
First Time Linux
Linux linux Kernel
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5

30 Sep 2024, 12:45

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: vmalloc: garantizar que vmap_block se inicialice antes de agregarlo a la cola. El commit 8c61291fd850 ("mm: corregir referencia vbq incorrecta en purge_fragmented_block") extendió la estructura 'vmap_block' para que contenga un campo 'cpu' que se establece en el momento de la asignación en el id de la CPU que se inicializa. Cuando se crea una instancia de 'vmap_block' mediante new_vmap_block(), la estructura parcialmente inicializada se agrega a la matriz x local 'vmap_block_queue' antes de que se haya inicializado el campo 'cpu'. Si otra CPU está recorriendo simultáneamente la matriz x (por ejemplo, a través de vm_unmap_aliases()), puede realizar un acceso fuera de los límites a la cola remota gracias a un índice no inicializado. Esto se ha observado como errores UBSAN en Android: | Error interno: UBSAN: índice de matriz fuera de los límites: 00000000f2005512 [#1] PREEMPT SMP | | Rastreo de llamadas: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Mueva la inicialización de 'vb->cpu' en new_vmap_block() antes de la adición a la matriz x.

27 Sep 2024, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-27 13:15

Updated : 2024-10-02 14:16

NVD link : CVE-2024-46847

Mitre link : CVE-2024-46847

CVE.ORG link : CVE-2024-46847

JSON object : View

Products Affected

linux

CWE
CWE-129

Improper Validation of Array Index