CVE-2024-54031

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-54031
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-54031.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-54031
Published
2025-01-15T13:10:23Z
Modified
2025-10-15T20:35:24.080335Z
Summary
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

Access to genmask field in struct nft_set_ext results in unaligned atomic read:

[ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c
[ 72.131036] Mem abort info:
[ 72.131213] ESR = 0x0000000096000021
[ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits
[ 72.132209] SET = 0, FnV = 0
[ 72.133216] EA = 0, S1PTW = 0
[ 72.134080] FSC = 0x21: alignment fault
[ 72.135593] Data abort info:
[ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000
[ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000
[ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403, +pte=0068000102bb7707
[ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP
[...]
[ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2
[ 72.170509] Tainted: [E]=UNSIGNED_MODULE
[ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023
[ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]
[ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]
[ 72.172546] sp : ffff800081f2bce0
[ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038
[ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78
[ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78
[ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000
[ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978
[ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0
[ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000
[ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000
[ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000
[ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004
[ 72.176207] Call trace:
[ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)
[ 72.176653] process_one_work+0x178/0x3d0
[ 72.176831] worker_thread+0x200/0x3f0
[ 72.176995] kthread+0xe8/0xf8
[ 72.177130] ret_from_fork+0x10/0x20
[ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)
[ 72.177557] ---[ end trace 0000000000000000 ]---

Align struct nft_set_ext to word size to address this and document it.

pahole reports that this increases the size of elements for rhash and pipapo by 8 bytes on x86_64.
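
An added illustration, not code from the kernel patch or from this record: a struct made only of byte-sized members can be placed at an offset that is a multiple of 4 but not of 8 (the faulting address in the trace above ends in 0x8c), and a word-size alignment attribute moves it to a word boundary at the cost of padding. The struct and field names, the slot count and the element layout are hypothetical, and the numbers in the comments assume an LP64 target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_SLOTS 9 /* constructed value, stands in for the real slot count */

/* Before: only byte-sized members, so the struct may start at any address. */
struct ext_before {
    uint8_t genmask;
    uint8_t offset[EXT_SLOTS];
};

/* After: the whole struct is aligned to the machine word size. */
struct ext_after {
    uint8_t genmask;
    uint8_t offset[EXT_SLOTS];
} __attribute__((aligned(sizeof(long))));

/* Hypothetical set elements: a pointer-sized link, a 32-bit field, then ext. */
struct elem_before { void *next; uint32_t seq; struct ext_before ext; };
struct elem_after  { void *next; uint32_t seq; struct ext_after  ext; };

/* Offset of genmask from the start of the element, before the change. */
size_t genmask_off_before(void) {
    return offsetof(struct elem_before, ext) + offsetof(struct ext_before, genmask);
}

/* Offset of genmask from the start of the element, after the change. */
size_t genmask_off_after(void) {
    return offsetof(struct elem_after, ext) + offsetof(struct ext_after, genmask);
}

/* A word-sized atomic access needs an offset that is a multiple of the word size. */
int word_aligned(size_t off) { return off % sizeof(long) == 0; }

/* Padding cost of the alignment, in bytes per element. */
size_t size_growth(void) {
    return sizeof(struct elem_after) - sizeof(struct elem_before);
}

int main(void) {
    printf("before: genmask at +%zu, word aligned: %d\n",
           genmask_off_before(), word_aligned(genmask_off_before()));
    printf("after:  genmask at +%zu, word aligned: %d\n",
           genmask_off_after(), word_aligned(genmask_off_after()));
    printf("element grows by %zu bytes\n", size_growth());
    return 0;
}
```

Running `pahole` on a real build, as the commit message does, is the way to confirm the actual layout; this model only shows the mechanism.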

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
98d62cf0e26305dd6a1932a4054004290f4194bb
Fixed
352f8eaaabd008f09d1e176194edc261a7304084
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e21855091f11df80d41239dbc5f8545b772c657d
Fixed
6a14b46052eeb83175a95baf399283860b9d94c4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
59a59da8de47848575eedc141a74aae57696706d
Fixed
277f00b0c2dca8794cf4837722960bdc4174911f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
23a6919bb3ecf6787f060476ee6810ad55ebf9c8
Fixed
607774a13764676d4b8be9c8b9c66b8cf3469043
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
86c27603514cb8ead29857365cdd145404ee9706
Fixed
4f49349c1963e507aa37c1ec05178faeb0103959
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
be4d0ac67d92e6a285cd3eeb672188d249c121b2
Fixed
d24cbc43cc7b41a0824b0bc6ec4d8436d8d7a9c0
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7ffc7481153bbabf3332c6a19b289730c7e1edf5
Fixed
542ed8145e6f9392e3d0a86a0e9027d2ffd183e4

Affected versions

v5.*

v5.10.231
v5.10.232
v5.15.174
v5.15.175
v5.4.287
v5.4.288

v6.*

v6.1.120
v6.1.121
v6.1.122
v6.1.123
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.6.66
v6.6.67
v6.6.68
v6.6.69

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.4.287
Fixed
5.4.289
Type
ECOSYSTEM
Events
Introduced
5.10.231
Fixed
5.10.233
Type
ECOSYSTEM
Events
Introduced
5.15.174
Fixed
5.15.176
Type
ECOSYSTEM
Events
Introduced
6.1.120
Fixed
6.1.124
Type
ECOSYSTEM
Events
Introduced
6.6.66
Fixed
6.6.70
Type
ECOSYSTEM
Events
Introduced
6.12.5
Fixed
6.12.9