Ubuntu.comUB:CVE-2024-36892CVE-2024-36892
In the Linux kernel, the following vulnerability has been resolved:
mm/slub: avoid zeroing outside-object freepointer for single free Commit
284f17ac13fe (“mm/slub: handle bulk and single object freeing separately”)
splits single and bulk object freeing in two functions slab_free() and
slab_free_bulk() which leads slab_free() to call slab_free_hook() directly
instead of slab_free_freelist_hook(). If init_on_free is set,
slab_free_hook() zeroes the object. Afterward, if slub_debug=F and
CONFIG_SLAB_FREELIST_HARDENED are set, the do_slab_free() slowpath
executes freelist consistency checks and try to decode a zeroed freepointer
which leads to a “Freepointer corrupt” detection in check_object(). During
bulk free, slab_free_freelist_hook() isn’t affected as it always sets it
objects freepointer using set_freepointer() to maintain its reconstructed
freelist after init_on_free. For single free, object’s freepointer thus
needs to be avoided when stored outside the object if init_on_free is
set. The freepointer left as is, check_object() may later detect an invalid
pointer value due to objects overflow. To reproduce, set slub_debug=FU init_on_free=1 log_level=7 on the command line of a kernel build with
CONFIG_SLAB_FREELIST_HARDENED=y. dmesg sample log: [ 10.708715]
[ 10.710323] BUG kmalloc-rnd-05-32 (Tainted: G B T ): Freepointer corrupt [
10.712695]
[ 10.712695] [ 10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4
fp=0xffff9d9a80356f80
flags=0x200000000000a00(workingset|slab|node=0|zone=2) [ 10.716698] Object
0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c [ 10.716698] [
10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 … [ 10.720703] Object ffff9d9a80356600: 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 … [ 10.720703] Object
ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
… [ 10.724696] Padding ffff9d9a8035666c: 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 … [ 10.724696] Padding
ffff9d9a8035667c: 00 00 00 00 … [ 10.724696] FIX kmalloc-rnd-05-32:
Object at 0xffff9d9a80356600 not freed
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | linux-azure | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | linux-gcp | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | linux-gke | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | linux-ibm | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | linux-intel | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | linux-lowlatency | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | linux-nvidia | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | linux-oem-6.8 | < any | UNKNOWN |
References
git.kernel.org/linus/8f828aa48812ced28aa39cb3cfe55ef2444d03dd (6.9)
git.kernel.org/stable/c/56900355485f6e82114b18c812edd57fd7970dcb
git.kernel.org/stable/c/8f828aa48812ced28aa39cb3cfe55ef2444d03dd
launchpad.net/bugs/cve/CVE-2024-36892
nvd.nist.gov/vuln/detail/CVE-2024-36892
security-tracker.debian.org/tracker/CVE-2024-36892
www.cve.org/CVERecord?id=CVE-2024-36892
Related
