CVE-2024-36891

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-36891
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36891.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-36891
Downstream
Related
Published
2024-05-30T15:28:57.939Z
Modified
2025-11-20T04:32:09.749438Z
Summary
maple_tree: fix mas_empty_area_rev() null pointer dereference
Details

In the Linux kernel, the following vulnerability has been resolved:

mapletree: fix masemptyarearev() null pointer dereference

Currently the code calls masstart() followed by masdataend() if the maple state is MASTART, but masstart() may return with the maple state node == NULL. This will lead to a null pointer dereference when checking information in the NULL node, which is done in masdata_end().

Avoid setting the offset if there is no node by waiting until after the maple state is checked for an empty or single entry state.

A user could trigger the events to cause a kernel oops by unmapping all vmas to produce an empty maple tree, then mapping a vma that would cause the scenario described above.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
54a611b605901c7d5d05b6b8f5d04a6ceb0962aa
Fixed
883e5d542bbdddbddeba60250cb482baf3ae2415
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
54a611b605901c7d5d05b6b8f5d04a6ceb0962aa
Fixed
6c9c7c1e63b198a8b979ad963eb21410f10ccb00
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
54a611b605901c7d5d05b6b8f5d04a6ceb0962aa
Fixed
f3956791cf526540addd3295e4c1e0f0442486cc
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
54a611b605901c7d5d05b6b8f5d04a6ceb0962aa
Fixed
955a923d2809803980ff574270f81510112be9cf

Affected versions

v6.*

v6.0
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.1.91
v6.1.92
v6.1.93
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "273657719220588998642962631814989765435",
                "100160811872133981483230212698259474931",
                "93592813954597503289060207663517979194",
                "338694248607874596637672412056540775725",
                "36929883770478812151216724901747280228",
                "109262418878716252966188566606850140604",
                "178861306349008299937976079432796255732",
                "39921302934760247510087618035480902522",
                "122983119014815386206968141522472116910",
                "28639459370468388165176763142375379435",
                "171911067463157831961085166916348394575",
                "43965439638375855558539352356614296693",
                "183291893579487218830145927680089583523"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6c9c7c1e63b198a8b979ad963eb21410f10ccb00",
        "target": {
            "file": "lib/maple_tree.c"
        },
        "id": "CVE-2024-36891-05a5efba"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1011.0,
            "function_hash": "177467736461415130552618588268371141467"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6c9c7c1e63b198a8b979ad963eb21410f10ccb00",
        "target": {
            "file": "lib/maple_tree.c",
            "function": "mas_empty_area_rev"
        },
        "id": "CVE-2024-36891-2b9c7921"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 948.0,
            "function_hash": "65589369470236308012469916604867037215"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@883e5d542bbdddbddeba60250cb482baf3ae2415",
        "target": {
            "file": "lib/maple_tree.c",
            "function": "mas_empty_area_rev"
        },
        "id": "CVE-2024-36891-7efd4837"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "142293270044951578330364355177963805130",
                "202795931791656237869138211610430742221",
                "93592813954597503289060207663517979194",
                "338694248607874596637672412056540775725",
                "36929883770478812151216724901747280228",
                "109262418878716252966188566606850140604",
                "178861306349008299937976079432796255732",
                "39921302934760247510087618035480902522",
                "122983119014815386206968141522472116910",
                "28639459370468388165176763142375379435",
                "171911067463157831961085166916348394575",
                "43965439638375855558539352356614296693",
                "183291893579487218830145927680089583523"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@883e5d542bbdddbddeba60250cb482baf3ae2415",
        "target": {
            "file": "lib/maple_tree.c"
        },
        "id": "CVE-2024-36891-9f70d979"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.94
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.31
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.8.10