CVE-2024-46735

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-46735
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46735.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-46735
Downstream
Related
Published
2024-09-18T07:11:57.279Z
Modified
2025-11-20T06:24:10.629369Z
Summary
ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()
Details

In the Linux kernel, the following vulnerability has been resolved:

ublkdrv: fix NULL pointer dereference in ublkctrlstartrecovery()

When two UBLKCMDSTARTUSERRECOVERY commands are submitted, the first one sets 'ubq->ubqdaemon' to NULL, and the second one triggers WARN in ublkqueue_reinit() and subsequently a NULL pointer dereference issue.

Fix it by adding the check in ublkctrlstartrecovery() and return immediately in case of zero 'ub->nrqueues_ready'.

BUG: kernel NULL pointer dereference, address: 0000000000000028 RIP: 0010:ublkctrlstartrecovery.constprop.0+0x82/0x180 Call Trace: <TASK> ? _die+0x20/0x70 ? pagefaultoops+0x75/0x170 ? excpagefault+0x64/0x140 ? asmexcpagefault+0x22/0x30 ? ublkctrlstartrecovery.constprop.0+0x82/0x180 ublkctrluringcmd+0x4f7/0x6c0 ? picknexttaskidle+0x26/0x40 iouringcmd+0x9a/0x1b0 ioissuesqe+0x193/0x3f0 iowqsubmitwork+0x9b/0x390 ioworkerhandlework+0x165/0x360 iowqworker+0xcb/0x2f0 ? finishtaskswitch.isra.0+0x203/0x290 ? finishtaskswitch.isra.0+0x203/0x290 ? _pfxiowqworker+0x10/0x10 retfromfork+0x2d/0x50 ? _pfxiowqworker+0x10/0x10 retfromfork_asm+0x1a/0x30 </TASK>

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c732a852b419fa057b53657e2daaf9433940391c
Fixed
ca249435893dda766f3845c15ca77ca5672022d8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c732a852b419fa057b53657e2daaf9433940391c
Fixed
136a29d8112df4ea0a57f9602ddf3579e04089dc
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c732a852b419fa057b53657e2daaf9433940391c
Fixed
7c890ef60bf417d3fe5c6f7a9f6cef0e1d77f74f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c732a852b419fa057b53657e2daaf9433940391c
Fixed
e58f5142f88320a5b1449f96a146f2f24615c5c7

Affected versions

v6.*

v6.0
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.100
v6.1.101
v6.1.102
v6.1.103
v6.1.104
v6.1.105
v6.1.106
v6.1.107
v6.1.108
v6.1.109
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.1.91
v6.1.92
v6.1.93
v6.1.94
v6.1.95
v6.1.96
v6.1.97
v6.1.98
v6.1.99
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.10.7
v6.10.8
v6.10.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "drivers/block/ublk_drv.c",
            "function": "ublk_ctrl_start_recovery"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@136a29d8112df4ea0a57f9602ddf3579e04089dc",
        "digest": {
            "length": 750.0,
            "function_hash": "190790074810163811837393101043461937881"
        },
        "id": "CVE-2024-46735-1c2bde70"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "drivers/block/ublk_drv.c",
            "function": "ublk_ctrl_start_recovery"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e58f5142f88320a5b1449f96a146f2f24615c5c7",
        "digest": {
            "length": 750.0,
            "function_hash": "190790074810163811837393101043461937881"
        },
        "id": "CVE-2024-46735-1ee281a3"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "drivers/block/ublk_drv.c"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@136a29d8112df4ea0a57f9602ddf3579e04089dc",
        "digest": {
            "line_hashes": [
                "155309856004456791719896638024108816314",
                "22086877834730543830280858735737678631",
                "317973001511810599460926579669774934735",
                "115516234172244913931231464520469198552"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-46735-79584b49"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "drivers/block/ublk_drv.c"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7c890ef60bf417d3fe5c6f7a9f6cef0e1d77f74f",
        "digest": {
            "line_hashes": [
                "155309856004456791719896638024108816314",
                "22086877834730543830280858735737678631",
                "317973001511810599460926579669774934735",
                "115516234172244913931231464520469198552"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-46735-91e58768"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "drivers/block/ublk_drv.c",
            "function": "ublk_ctrl_start_recovery"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ca249435893dda766f3845c15ca77ca5672022d8",
        "digest": {
            "length": 745.0,
            "function_hash": "313714461054571074399668188099818154916"
        },
        "id": "CVE-2024-46735-9ce7f55d"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "drivers/block/ublk_drv.c"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ca249435893dda766f3845c15ca77ca5672022d8",
        "digest": {
            "line_hashes": [
                "155309856004456791719896638024108816314",
                "22086877834730543830280858735737678631",
                "317973001511810599460926579669774934735",
                "115516234172244913931231464520469198552"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-46735-c346e028"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "drivers/block/ublk_drv.c",
            "function": "ublk_ctrl_start_recovery"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7c890ef60bf417d3fe5c6f7a9f6cef0e1d77f74f",
        "digest": {
            "length": 750.0,
            "function_hash": "190790074810163811837393101043461937881"
        },
        "id": "CVE-2024-46735-fd6698e7"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "drivers/block/ublk_drv.c"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e58f5142f88320a5b1449f96a146f2f24615c5c7",
        "digest": {
            "line_hashes": [
                "155309856004456791719896638024108816314",
                "22086877834730543830280858735737678631",
                "317973001511810599460926579669774934735",
                "115516234172244913931231464520469198552"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-46735-ffbc9616"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.110
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.51
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.10.10