CVE-2024-35902

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-35902
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35902.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-35902
Published
2024-05-19T09:15:11Z
Modified
2025-08-09T19:01:27Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net/rds: fix possible cp null dereference

cp might be NULL; calling cp->cp_conn would produce a null dereference.

[Simon Horman adds:]

Analysis:

  • cp is a parameter of __rds_rdma_map() and is not reassigned.

  • The following call-sites pass a NULL cp argument to __rds_rdma_map():

    • rds_get_mr()
    • rds_get_mr_for_dest()

  • Prior to the code above, the following assumes that cp may be NULL (which is indicative, but could itself be unnecessary):

    trans_private = rs->rs_transport->get_mr(sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL, args->vec.addr, args->vec.bytes, need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);

  • The code modified by this patch is guarded by IS_ERR(trans_private), where trans_private is assigned as per the previous point in this analysis.

    The only implementation of get_mr that I could locate is rds_ib_get_mr(), which can return an ERR_PTR if the conn (4th) argument is NULL.

  • ret is set to PTR_ERR(trans_private). rds_ib_get_mr() can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL. Thus ret may be -ENODEV, in which case the code in question will execute.

Conclusion:

  • cp may be NULL at the point where this patch adds a check; this patch does seem to address a possible bug.
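The inconsistency the analysis above describes, modelled in a small user-space C program added here (it is not the kernel's code): ERR_PTR/IS_ERR/PTR_ERR stand-ins, a get_mr() stand-in that returns -ENODEV when no connection is supplied, and the error path with and without the NULL check on cp that the patch adds. The names model_get_mr, model_connect_if_down, deref_cp_conn, null_deref_hits and the `fixed` flag are this example's own; deref_cp_conn records a NULL dereference instead of crashing so the pre-fix path can be exercised.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-ins for the kernel's ERR_PTR/IS_ERR/PTR_ERR helpers. */
#define MAX_ERRNO 4095
#define ERR_PTR(err) ((void *)(intptr_t)(err))
#define IS_ERR(p) ((uintptr_t)(p) >= (uintptr_t)-MAX_ERRNO)
#define PTR_ERR(p) ((long)(intptr_t)(p))

struct rds_connection { int connect_requests; };
struct rds_conn_path { struct rds_connection *cp_conn; };
/* Counts dereferences of a NULL cp; in the kernel each one would be an oops. */
static int null_deref_hits;

/* Stand-in for rds_ib_get_mr(): a missing connection yields -ENODEV, as the analysis notes. */
static void *model_get_mr(struct rds_connection *conn)
{
    static int mr_handle;
    return conn ? (void *)&mr_handle : ERR_PTR(-ENODEV);
}

/* Stand-in for the connection retry; tolerates NULL so the modelled crash is not a real one. */
static void model_connect_if_down(struct rds_connection *conn)
{
    if (conn)
        conn->connect_requests++;
}

/* Models "cp->cp_conn" but records, rather than crashes on, a NULL cp. */
static struct rds_connection *deref_cp_conn(struct rds_conn_path *cp)
{
    if (!cp) {
        null_deref_hits++;
        return NULL;
    }
    return cp->cp_conn;
}

/* Error path before (fixed == 0) and after (fixed == 1) the patch: get_mr() tolerates a
 * NULL cp, but the retry branch dereferenced cp unconditionally until the check was added. */
static long map_mr(struct rds_conn_path *cp, int fixed)
{
    void *trans_private = model_get_mr(cp ? cp->cp_conn : NULL);
    if (!IS_ERR(trans_private))
        return 0;
    long ret = PTR_ERR(trans_private);
    if (ret == -ENODEV && (!fixed || cp)) /* "&& cp" is the added check */
        model_connect_if_down(deref_cp_conn(cp));
    return ret;
}
```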
