CVE-2024-56368

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56368
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56368.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-56368
Downstream
Related
Published
2025-01-11T12:35:45.719Z
Modified
2025-11-20T06:54:47.115230Z
Summary
ring-buffer: Fix overflow in __rb_map_vma
Details

In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Fix overflow in _rbmap_vma

An overflow occurred when performing the following calculation:

nrpages = ((nrsubbufs + 1) << subbuf_order) - pgoff;

Add a check before the calculation to avoid this problem.

syzbot reported this as a slab-out-of-bounds in _rbmap_vma:

BUG: KASAN: slab-out-of-bounds in _rbmapvma+0x9ab/0xae0 kernel/trace/ringbuffer.c:7058 Read of size 8 at addr ffff8880767dd2b8 by task syz-executor187/5836

CPU: 0 UID: 0 PID: 5836 Comm: syz-executor187 Not tainted 6.13.0-rc2-syzkaller-00159-gf932fb9b4074 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x116/0x1f0 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xc3/0x620 mm/kasan/report.c:489 kasanreport+0xd9/0x110 mm/kasan/report.c:602 _rbmapvma+0x9ab/0xae0 kernel/trace/ringbuffer.c:7058 ringbuffermap+0x56e/0x9b0 kernel/trace/ringbuffer.c:7138 tracingbuffersmmap+0xa6/0x120 kernel/trace/trace.c:8482 callmmap include/linux/fs.h:2183 [inline] mmapfile mm/internal.h:124 [inline] _mmapnewfilevma mm/vma.c:2291 [inline] _mmapnewvma mm/vma.c:2355 [inline] _mmapregion+0x1786/0x2670 mm/vma.c:2456 mmapregion+0x127/0x320 mm/mmap.c:1348 dommap+0xc00/0xfc0 mm/mmap.c:496 vmmmappgoff+0x1ba/0x360 mm/util.c:580 ksysmmappgoff+0x32c/0x5c0 mm/mmap.c:542 _dosysmmap arch/x86/kernel/sysx8664.c:89 [inline] _sesysmmap arch/x86/kernel/sysx8664.c:82 [inline] _x64sysmmap+0x125/0x190 arch/x86/kernel/sysx8664.c:82 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xcd/0x250 arch/x86/entry/common.c:83 entrySYSCALL64after_hwframe+0x77/0x7f

The reproducer for this bug is:

------------------------8<------------------------- #include <fcntl.h> #include <stdlib.h> #include <unistd.h> #include <asm/types.h> #include <sys/mman.h>

int main(int argc, char **argv) { int page_size = getpagesize(); int fd; void *meta;

system("echo 1 > /sys/kernel/tracing/buffer_size_kb");
fd = open("/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw", O_RDONLY);

meta = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, page_size * 5);

} ------------------------>8-------------------------

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
117c39200d9d760cbd5944bb89efb7b9c51965aa
Fixed
ec12f30fe54234dd40ffee50dda8d2df10bd0871
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
117c39200d9d760cbd5944bb89efb7b9c51965aa
Fixed
c58a812c8e49ad688f94f4b050ad5c5b388fc5d2

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.9

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1428.0,
            "function_hash": "102569046395368753302898918630620010230"
        },
        "target": {
            "file": "kernel/trace/ring_buffer.c",
            "function": "__rb_map_vma"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c58a812c8e49ad688f94f4b050ad5c5b388fc5d2",
        "signature_version": "v1",
        "id": "CVE-2024-56368-0d5bc32d"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1428.0,
            "function_hash": "102569046395368753302898918630620010230"
        },
        "target": {
            "file": "kernel/trace/ring_buffer.c",
            "function": "__rb_map_vma"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ec12f30fe54234dd40ffee50dda8d2df10bd0871",
        "signature_version": "v1",
        "id": "CVE-2024-56368-11da7ea7"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "268971645855772525012907195715184063605",
                "234135681528172139840379143240764198868",
                "122120631021598759932707534066161723287",
                "301716053177866811323705383574959481531"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "kernel/trace/ring_buffer.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ec12f30fe54234dd40ffee50dda8d2df10bd0871",
        "signature_version": "v1",
        "id": "CVE-2024-56368-537d3a8a"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "268971645855772525012907195715184063605",
                "234135681528172139840379143240764198868",
                "122120631021598759932707534066161723287",
                "301716053177866811323705383574959481531"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "kernel/trace/ring_buffer.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c58a812c8e49ad688f94f4b050ad5c5b388fc5d2",
        "signature_version": "v1",
        "id": "CVE-2024-56368-c64e97f8"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.12.7