CVE-2024-49886

Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-bounds". kasan report: [ 19.411889] ================================================================== [ 19.413702] BUG: KASAN: slab-out-of-bounds in isstifgetpcidev+0x3d5/0x400 [isstifcommon] [ 19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113 [ 19.417368] [ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G E 6.9.0 #10 [ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022 [ 19.422687] Call Trace: [ 19.424091] <TASK> [ 19.425448] dumpstacklvl+0x5d/0x80 [ 19.426963] ? _isstifgetpcidev+0x3d5/0x400 [isstifcommon] [ 19.428694] printreport+0x19d/0x52e [ 19.430206] ? pfxrawspinlockirqsave+0x10/0x10 [ 19.431837] ? _isstifgetpcidev+0x3d5/0x400 [isstifcommon] [ 19.433539] kasanreport+0xf0/0x170 [ 19.435019] ? isstifgetpcidev+0x3d5/0x400 [isstifcommon] [ 19.436709] _isstifgetpcidev+0x3d5/0x400 [isstifcommon] [ 19.438379] ? _pfxschedclockcpu+0x10/0x10 [ 19.439910] isstifcpuonline+0x406/0x58f [isstifcommon] [ 19.441573] ? _pfxisstifcpuonline+0x10/0x10 [isstifcommon] [ 19.443263] ? ttwuqueuewakelist+0x2c1/0x360 [ 19.444797] cpuhpinvokecallback+0x221/0xec0 [ 19.446337] cpuhpthreadfun+0x21b/0x610 [ 19.447814] ? _pfxcpuhpthreadfun+0x10/0x10 [ 19.449354] smpbootthreadfn+0x2e7/0x6e0 [ 19.450859] ? _pfxsmpbootthreadfn+0x10/0x10 [ 19.452405] kthread+0x29c/0x350 [ 19.453817] ? _pfxkthread+0x10/0x10 [ 19.455253] retfromfork+0x31/0x70 [ 19.456685] ? _pfxkthread+0x10/0x10 [ 19.458114] retfromforkasm+0x1a/0x30 [ 19.459573] </TASK> [ 19.460853] [ 19.462055] Allocated by task 1198: [ 19.463410] kasansavestack+0x30/0x50 [ 19.464788] kasansavetrack+0x14/0x30 [ 19.466139] _kasankmalloc+0xaa/0xb0 [ 19.467465] _kmalloc+0x1cd/0x470 [ 19.468748] isstifcdevregister+0x1da/0x350 [isstifcommon] [ 19.470233] isstifmboxinit+0x108/0xff0 [isstifmboxmsr] [ 19.471670] dooneinitcall+0xa4/0x380 [ 19.472903] doinitmodule+0x238/0x760 [ 19.474105] loadmodule+0x5239/0x6f00 [ 19.475285] initmodulefromfile+0xd1/0x130 [ 19.476506] idempotentinitmodule+0x23b/0x650 [ 19.477725] _x64sysfinitmodule+0xbe/0x130 [ 19.476506] idempotentinitmodule+0x23b/0x650 [ 19.477725] _x64sysfinitmodule+0xbe/0x130 [ 19.478920] dosyscall64+0x82/0x160 [ 19.480036] entrySYSCALL64afterhwframe+0x76/0x7e [ 19.481292] [ 19.482205] The buggy address belongs to the object at ffff888829e65000 which belongs to the cache kmalloc-512 of size 512 [ 19.484818] The buggy address is located 0 bytes to the right of allocated 512-byte region [ffff888829e65000, ffff888829e65200) [ 19.487447] [ 19.488328] The buggy address belongs to the physical page: [ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60 [ 19.491140] head: order:3 entiremapcount:0 nrpagesmapped:0 pincount:0 [ 19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff) [ 19.493914] pagetype: 0xffffffff() [ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001 [ 19.496451] raw: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000 [ 19.497906] head: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001 [ 19.499379] head: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000 [ 19.500844] head: 0057ffffc0000003 ffffea0020a79801 ffffea0020a79848 00000000ffffffff [ 19.502316] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000 [ 19.503784] page dumped because: k ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

017a634f9f38ae704d9d57817555773de700219e

Fixed

1973c4d8ee0782a808303d75e3be9c12baaacd97

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9a1aac8a96dc014bec49806a7a964bf2fdbd315f

Fixed

cdd03afcb6eda3103da5a0948d3db12372f62910

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9a1aac8a96dc014bec49806a7a964bf2fdbd315f

Fixed

8176d4878ed2af5d93ddd0e971e24c412124d38b

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9a1aac8a96dc014bec49806a7a964bf2fdbd315f

Fixed

cebc705b097d5c16469b141a25e840161d1c517a

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9a1aac8a96dc014bec49806a7a964bf2fdbd315f

Fixed

afa7f78d9a907cfded6c98c91aae2bf7b3b56e51

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9a1aac8a96dc014bec49806a7a964bf2fdbd315f

Fixed

7d59ac07ccb58f8f604f8057db63b8efcebeb3de

Affected versions

v5.*

v5.15.115

v5.15.116

v5.15.117

v5.15.118

v5.15.119

v5.15.120

v5.15.121

v5.15.122

v5.15.123

v5.15.124

v5.15.125

v5.15.126

v5.15.127

v5.15.128

v5.15.129

v5.15.130

v5.15.131

v5.15.132

v5.15.133

v5.15.134

v5.15.135

v5.15.136

v5.15.137

v5.15.138

v5.15.139

v5.15.140

v5.15.141

v5.15.142

v5.15.143

v5.15.144

v5.15.145

v5.15.146

v5.15.147

v5.15.148

v5.15.149

v5.15.150

v5.15.151

v5.15.152

v5.15.153

v5.15.154

v5.15.155

v5.15.156

v5.15.157

v5.15.158

v5.15.159

v5.15.160

v5.15.161

v5.15.162

v5.15.163

v5.15.164

v5.15.165

v5.15.166

v5.15.167

v5.19

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.1.1

v6.1.10

v6.1.100

v6.1.101

v6.1.102

v6.1.103

v6.1.104

v6.1.105

v6.1.106

v6.1.107

v6.1.108

v6.1.109

v6.1.11

v6.1.110

v6.1.111

v6.1.112

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.28

v6.1.29

v6.1.3

v6.1.30

v6.1.31

v6.1.32

v6.1.33

v6.1.34

v6.1.35

v6.1.36

v6.1.37

v6.1.38

v6.1.39

v6.1.4

v6.1.40

v6.1.41

v6.1.42

v6.1.43

v6.1.44

v6.1.45

v6.1.46

v6.1.47

v6.1.48

v6.1.49

v6.1.5

v6.1.50

v6.1.51

v6.1.52

v6.1.53

v6.1.54

v6.1.55

v6.1.56

v6.1.57

v6.1.58

v6.1.59

v6.1.6

v6.1.60

v6.1.61

v6.1.62

v6.1.63

v6.1.64

v6.1.65

v6.1.66

v6.1.67

v6.1.68

v6.1.69

v6.1.7

v6.1.70

v6.1.71

v6.1.72

v6.1.73

v6.1.74

v6.1.75

v6.1.76

v6.1.77

v6.1.78

v6.1.79

v6.1.8

v6.1.80

v6.1.81

v6.1.82

v6.1.83

v6.1.84

v6.1.85

v6.1.86

v6.1.87

v6.1.88

v6.1.89

v6.1.9

v6.1.90

v6.1.91

v6.1.92

v6.1.93

v6.1.94

v6.1.95

v6.1.96

v6.1.97

v6.1.98

v6.1.99

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.10.1

v6.10.10

v6.10.11

v6.10.12

v6.10.13

v6.10.2

v6.10.3

v6.10.4

v6.10.5

v6.10.6

v6.10.7

v6.10.8

v6.10.9

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.11.1

v6.11.2

v6.12-rc1

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.3

v6.6.30

v6.6.31

v6.6.32

v6.6.33

v6.6.34

v6.6.35

v6.6.36

v6.6.37

v6.6.38

v6.6.39

v6.6.4

v6.6.40

v6.6.41

v6.6.42

v6.6.43

v6.6.44

v6.6.45

v6.6.46

v6.6.47

v6.6.48

v6.6.49

v6.6.5

v6.6.50

v6.6.51

v6.6.52

v6.6.53

v6.6.54

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.168

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.113

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.6.55

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.10.14

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.11.3