CVE-2024-35985

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-35985
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35985.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-35985
Downstream
Related
Published
2024-05-20T09:47:52Z
Modified
2025-10-15T10:47:56.537503Z
Summary
sched/eevdf: Prevent vlag from going out of bounds in reweight_eevdf()
Details

In the Linux kernel, the following vulnerability has been resolved:

sched/eevdf: Prevent vlag from going out of bounds in reweight_eevdf()

It was possible to have pickeevdf() return NULL, which then causes a NULL-deref. This turned out to be due to entityeligible() returning falsely negative because of a s64 multiplcation overflow.

Specifically, reweighteevdf() computes the vlag without considering the limit placed upon vlag as updateentitylag() does, and then the scaling multiplication (remember that weight is 20bit fixed point) can overflow. This then leads to the new vruntime being weird which then causes the above entityeligible() to go side-ways and claim nothing is eligible.

Thus limit the range of vlag accordingly.

All this was quite rare, but fatal when it does happen.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
14204acc09f652169baed1141c671429047b1313
Fixed
470d347b14b0ecffa9b39cf8f644fa2351db3efb
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
eab03c23c2a162085b13200d7942fc5a00b5ccc8
Fixed
06f27e6d7bf0abf54488259ef36bbf0e1fccb35c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
eab03c23c2a162085b13200d7942fc5a00b5ccc8
Fixed
1560d1f6eb6b398bddd80c16676776c0325fe5fe

Affected versions

v6.*

v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5

Database specific

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "kernel/sched/fair.c",
                "function": "update_entity_lag"
            },
            "deprecated": false,
            "digest": {
                "length": 284.0,
                "function_hash": "137161341928621080215312796018396774197"
            },
            "id": "CVE-2024-35985-2f0bdf2f",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@470d347b14b0ecffa9b39cf8f644fa2351db3efb"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "kernel/sched/fair.c",
                "function": "reweight_eevdf"
            },
            "deprecated": false,
            "digest": {
                "length": 423.0,
                "function_hash": "126535244284863334091151257256922142669"
            },
            "id": "CVE-2024-35985-2f678e71",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@06f27e6d7bf0abf54488259ef36bbf0e1fccb35c"
        },
        {
            "signature_version": "v1",
            "signature_type": "Line",
            "target": {
                "file": "kernel/sched/fair.c"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "188721901955677659138172785946986683466",
                    "15765242292469209364102901142180395997",
                    "102778785215283466025361209161821471022",
                    "277696010900116056652124685937091405132",
                    "54493766598714656002303939198564479970",
                    "284717969621335453707574011087970408173",
                    "100138236735493974549169968853872936816",
                    "71425191976539064060023171444592065771",
                    "124906073065385815331996459101012541156",
                    "246234329343675826484243328358909813",
                    "310232308609197756731421302370172780404",
                    "214395260244251293788303806757523825103",
                    "294693806728589290983607705763765543027",
                    "92921844541572979899291896558126614597"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-35985-3a67c365",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1560d1f6eb6b398bddd80c16676776c0325fe5fe"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "kernel/sched/fair.c",
                "function": "update_entity_lag"
            },
            "deprecated": false,
            "digest": {
                "length": 284.0,
                "function_hash": "137161341928621080215312796018396774197"
            },
            "id": "CVE-2024-35985-495691fc",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1560d1f6eb6b398bddd80c16676776c0325fe5fe"
        },
        {
            "signature_version": "v1",
            "signature_type": "Line",
            "target": {
                "file": "kernel/sched/fair.c"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "188721901955677659138172785946986683466",
                    "15765242292469209364102901142180395997",
                    "102778785215283466025361209161821471022",
                    "277696010900116056652124685937091405132",
                    "54493766598714656002303939198564479970",
                    "284717969621335453707574011087970408173",
                    "100138236735493974549169968853872936816",
                    "71425191976539064060023171444592065771",
                    "318380512463593822517018173055524107522",
                    "269433214551199411879334065340358904908",
                    "310232308609197756731421302370172780404",
                    "214395260244251293788303806757523825103",
                    "294693806728589290983607705763765543027",
                    "92921844541572979899291896558126614597"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-35985-4e2a37eb",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@470d347b14b0ecffa9b39cf8f644fa2351db3efb"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "kernel/sched/fair.c",
                "function": "update_entity_lag"
            },
            "deprecated": false,
            "digest": {
                "length": 284.0,
                "function_hash": "137161341928621080215312796018396774197"
            },
            "id": "CVE-2024-35985-7859771f",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@06f27e6d7bf0abf54488259ef36bbf0e1fccb35c"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "kernel/sched/fair.c",
                "function": "reweight_eevdf"
            },
            "deprecated": false,
            "digest": {
                "length": 423.0,
                "function_hash": "126535244284863334091151257256922142669"
            },
            "id": "CVE-2024-35985-9ca51468",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@470d347b14b0ecffa9b39cf8f644fa2351db3efb"
        },
        {
            "signature_version": "v1",
            "signature_type": "Line",
            "target": {
                "file": "kernel/sched/fair.c"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "188721901955677659138172785946986683466",
                    "15765242292469209364102901142180395997",
                    "102778785215283466025361209161821471022",
                    "277696010900116056652124685937091405132",
                    "54493766598714656002303939198564479970",
                    "284717969621335453707574011087970408173",
                    "100138236735493974549169968853872936816",
                    "71425191976539064060023171444592065771",
                    "124906073065385815331996459101012541156",
                    "246234329343675826484243328358909813",
                    "310232308609197756731421302370172780404",
                    "214395260244251293788303806757523825103",
                    "294693806728589290983607705763765543027",
                    "92921844541572979899291896558126614597"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-35985-c4ff51d8",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@06f27e6d7bf0abf54488259ef36bbf0e1fccb35c"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "kernel/sched/fair.c",
                "function": "reweight_eevdf"
            },
            "deprecated": false,
            "digest": {
                "length": 423.0,
                "function_hash": "126535244284863334091151257256922142669"
            },
            "id": "CVE-2024-35985-e77e0167",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1560d1f6eb6b398bddd80c16676776c0325fe5fe"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.6.30
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.8.9