CVE-2024-46847
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-46847
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46847.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-46847
- Related
- Published
- 2024-09-27T13:15:16Z
- Modified
- 2024-10-02T14:45:34.430249Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
mm: vmalloc: ensure vmap_block is initialised before adding to queue
Commit 8c61291fd850 ("mm: fix incorrect vbq reference in purgefragmentedblock") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU.
When a new 'vmapblock' is being instantiated by newvmapblock(), the partially initialised structure is added to the local 'vmapblockqueue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vmunmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index.
This has been observed as UBSAN errors in Android:
| Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purgefragmentedblock+0x204/0x21c | vmunmapaliases+0x170/0x378 | vmunmapaliases+0x1c/0x28 | changememorycommon+0x1dc/0x26c | setmemoryro+0x18/0x24 | moduleenablero+0x98/0x238 | doinit_module+0x1b0/0x310
Move the initialisation of 'vb->cpu' in newvmapblock() ahead of the addition to the xarray.
- References
Affected packages
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.10.11-1