CVE-2024-36892

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-36892
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36892.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-36892
Downstream
Published
2024-05-30T16:15:12Z
Modified
2024-11-21T09:22:44Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/slub: avoid zeroing outside-object freepointer for single free

Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeing separately") splits single and bulk object freeing in two functions slabfree() and slabfreebulk() which leads slabfree() to call slabfreehook() directly instead of slabfreefreelist_hook().

If init_on_free is set, slabfreehook() zeroes the object. Afterward, if slub_debug=F and CONFIG_SLAB_FREELIST_HARDENED are set, the doslabfree() slowpath executes freelist consistency checks and try to decode a zeroed freepointer which leads to a "Freepointer corrupt" detection in check_object().

During bulk free, slabfreefreelisthook() isn't affected as it always sets it objects freepointer using setfreepointer() to maintain its reconstructed freelist after init_on_free.

For single free, object's freepointer thus needs to be avoided when stored outside the object if init_on_free is set. The freepointer left as is, check_object() may later detect an invalid pointer value due to objects overflow.

To reproduce, set slub_debug=FU init_on_free=1 log_level=7 on the command line of a kernel build with CONFIG_SLAB_FREELIST_HARDENED=y.

dmesg sample log: [ 10.708715] ============================================================================= [ 10.710323] BUG kmalloc-rnd-05-32 (Tainted: G B T ): Freepointer corrupt [ 10.712695] ----------------------------------------------------------------------------- [ 10.712695] [ 10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2) [ 10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c [ 10.716698] [ 10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.720703] Object ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.720703] Object ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.724696] Padding ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.724696] Padding ffff9d9a8035667c: 00 00 00 00 .... [ 10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.8.11-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}