CVE-2024-36892

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-36892
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36892.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-36892
Downstream
Published
2024-05-30T15:28:58.528Z
Modified
2025-11-20T04:15:07.540235Z
Summary
mm/slub: avoid zeroing outside-object freepointer for single free
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/slub: avoid zeroing outside-object freepointer for single free

Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeing separately") splits single and bulk object freeing in two functions slab_free() and slab_free_bulk() which leads slab_free() to call slab_free_hook() directly instead of slab_free_freelist_hook().

If init_on_free is set, slab_free_hook() zeroes the object. Afterward, if slub_debug=F and CONFIG_SLAB_FREELIST_HARDENED are set, the do_slab_free() slowpath executes freelist consistency checks and tries to decode a zeroed freepointer which leads to a "Freepointer corrupt" detection in check_object().

During bulk free, slab_free_freelist_hook() isn't affected as it always sets its objects' freepointer using set_freepointer() to maintain its reconstructed freelist after init_on_free.

For single free, the object's freepointer thus needs to be avoided when stored outside the object if init_on_free is set. With the freepointer left as is, check_object() may later detect an invalid pointer value due to objects overflow.

To reproduce, set slub_debug=FU init_on_free=1 log_level=7 on the command line of a kernel build with CONFIG_SLAB_FREELIST_HARDENED=y.

dmesg sample log:

[ 10.708715] =============================================================================
[ 10.710323] BUG kmalloc-rnd-05-32 (Tainted: G B T ): Freepointer corrupt
[ 10.712695] -----------------------------------------------------------------------------
[ 10.712695]
[ 10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2)
[ 10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c
[ 10.716698]
[ 10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 10.720703] Object ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 10.720703] Object ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 10.724696] Padding ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 10.724696] Padding ffff9d9a8035667c: 00 00 00 00 ....
[ 10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
284f17ac13fe34ae9eecbe57bb91553374d9b855
Fixed
56900355485f6e82114b18c812edd57fd7970dcb
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
284f17ac13fe34ae9eecbe57bb91553374d9b855
Fixed
8f828aa48812ced28aa39cb3cfe55ef2444d03dd

Affected versions

v6.*

v6.7
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6

Database specific

vanir_signatures

[
    {
        "id": "CVE-2024-36892-07cb4732",
        "target": {
            "file": "mm/slub.c",
            "function": "maybe_wipe_obj_freeptr"
        },
        "digest": {
            "function_hash": "209756254412049174249331292535691998780",
            "length": 212.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f828aa48812ced28aa39cb3cfe55ef2444d03dd",
        "signature_version": "v1"
    },
    {
        "id": "CVE-2024-36892-50f0f971",
        "target": {
            "file": "mm/slub.c",
            "function": "maybe_wipe_obj_freeptr"
        },
        "digest": {
            "function_hash": "209756254412049174249331292535691998780",
            "length": 212.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@56900355485f6e82114b18c812edd57fd7970dcb",
        "signature_version": "v1"
    },
    {
        "id": "CVE-2024-36892-66d1c5a1",
        "target": {
            "file": "mm/slub.c",
            "function": "slab_free_hook"
        },
        "digest": {
            "function_hash": "121171920920831526195316199812794594814",
            "length": 804.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f828aa48812ced28aa39cb3cfe55ef2444d03dd",
        "signature_version": "v1"
    },
    {
        "id": "CVE-2024-36892-68671037",
        "target": {
            "file": "mm/slub.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "144994528133680805735484018267847383883",
                "84963865746020790630963018933596400547",
                "6785167585007180605006395663855586138",
                "22807260497106062460613083123421527889",
                "223267703945502842112867300658221710887",
                "200092633898486109092277015399917936424",
                "44751258746386831989698963881105428567",
                "315725185377000213914308194229201145798",
                "59226026794120315933087516475108720161",
                "14414327599624988972905887290657976420",
                "299854381024110929791274205476725700517",
                "183264518804120921954307331301258643334",
                "320561762924892673628610322156337820263",
                "224550423773977532989111875395579389334",
                "57219379479465647962738361952652352274",
                "57226521353018134554622041526781374801",
                "181736110736221663421965695919683019633",
                "21419035542169999292555255341172027492",
                "91866781061426291888291743630120486294",
                "177036587802061098787358286416857801092",
                "65917383692100888098602500827858536606",
                "279998813330255365717794878776746793590",
                "23520247575686667102075034172923742126",
                "115098903465026251968631268017707336542",
                "226707034679600131013875838712785847685",
                "138409619320995835107557598514214196222",
                "273560482616990924058247996090153804258",
                "19794281002598051951907326301032127171",
                "71609301686830917042992319186978070672",
                "133483736596388920569382578376380544455",
                "182624366618637758587665585843559040407"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@56900355485f6e82114b18c812edd57fd7970dcb",
        "signature_version": "v1"
    },
    {
        "id": "CVE-2024-36892-aa8f7c5f",
        "target": {
            "file": "mm/slub.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "144994528133680805735484018267847383883",
                "84963865746020790630963018933596400547",
                "6785167585007180605006395663855586138",
                "22807260497106062460613083123421527889",
                "223267703945502842112867300658221710887",
                "200092633898486109092277015399917936424",
                "44751258746386831989698963881105428567",
                "315725185377000213914308194229201145798",
                "59226026794120315933087516475108720161",
                "14414327599624988972905887290657976420",
                "299854381024110929791274205476725700517",
                "183264518804120921954307331301258643334",
                "320561762924892673628610322156337820263",
                "224550423773977532989111875395579389334",
                "57219379479465647962738361952652352274",
                "57226521353018134554622041526781374801",
                "181736110736221663421965695919683019633",
                "21419035542169999292555255341172027492",
                "91866781061426291888291743630120486294",
                "177036587802061098787358286416857801092",
                "65917383692100888098602500827858536606",
                "279998813330255365717794878776746793590",
                "23520247575686667102075034172923742126",
                "115098903465026251968631268017707336542",
                "226707034679600131013875838712785847685",
                "138409619320995835107557598514214196222",
                "273560482616990924058247996090153804258",
                "19794281002598051951907326301032127171",
                "71609301686830917042992319186978070672",
                "133483736596388920569382578376380544455",
                "182624366618637758587665585843559040407"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f828aa48812ced28aa39cb3cfe55ef2444d03dd",
        "signature_version": "v1"
    },
    {
        "id": "CVE-2024-36892-fd83fb39",
        "target": {
            "file": "mm/slub.c",
            "function": "slab_free_hook"
        },
        "digest": {
            "function_hash": "121171920920831526195316199812794594814",
            "length": 804.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@56900355485f6e82114b18c812edd57fd7970dcb",
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.8.10