fkie_cve-2024-36892
Vulnerability from fkie_nvd
Published
2024-05-30 16:15
Modified
2024-11-21 09:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mm/slub: avoid zeroing outside-object freepointer for single free Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeing separately") splits single and bulk object freeing in two functions slab_free() and slab_free_bulk() which leads slab_free() to call slab_free_hook() directly instead of slab_free_freelist_hook(). If `init_on_free` is set, slab_free_hook() zeroes the object. Afterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are set, the do_slab_free() slowpath executes freelist consistency checks and try to decode a zeroed freepointer which leads to a "Freepointer corrupt" detection in check_object(). During bulk free, slab_free_freelist_hook() isn't affected as it always sets it objects freepointer using set_freepointer() to maintain its reconstructed freelist after `init_on_free`. For single free, object's freepointer thus needs to be avoided when stored outside the object if `init_on_free` is set. The freepointer left as is, check_object() may later detect an invalid pointer value due to objects overflow. To reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the command line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`. dmesg sample log: [ 10.708715] ============================================================================= [ 10.710323] BUG kmalloc-rnd-05-32 (Tainted: G B T ): Freepointer corrupt [ 10.712695] ----------------------------------------------------------------------------- [ 10.712695] [ 10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2) [ 10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c [ 10.716698] [ 10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.720703] Object ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.720703] Object ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.724696] Padding ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.724696] Padding ffff9d9a8035667c: 00 00 00 00 .... [ 10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/56900355485f6e82114b18c812edd57fd7970dcb
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8f828aa48812ced28aa39cb3cfe55ef2444d03dd
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/56900355485f6e82114b18c812edd57fd7970dcb
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/8f828aa48812ced28aa39cb3cfe55ef2444d03dd
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: avoid zeroing outside-object freepointer for single free\n\nCommit 284f17ac13fe (\"mm/slub: handle bulk and single object freeing\nseparately\") splits single and bulk object freeing in two functions\nslab_free() and slab_free_bulk() which leads slab_free() to call\nslab_free_hook() directly instead of slab_free_freelist_hook().\n\nIf `init_on_free` is set, slab_free_hook() zeroes the object.\nAfterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are\nset, the do_slab_free() slowpath executes freelist consistency\nchecks and try to decode a zeroed freepointer which leads to a\n\"Freepointer corrupt\" detection in check_object().\n\nDuring bulk free, slab_free_freelist_hook() isn\u0027t affected as it always\nsets it objects freepointer using set_freepointer() to maintain its\nreconstructed freelist after `init_on_free`.\n\nFor single free, object\u0027s freepointer thus needs to be avoided when\nstored outside the object if `init_on_free` is set. The freepointer left\nas is, check_object() may later detect an invalid pointer value due to\nobjects overflow.\n\nTo reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the\ncommand line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`.\n\ndmesg sample log:\n[   10.708715] =============================================================================\n[   10.710323] BUG kmalloc-rnd-05-32 (Tainted: G    B           T ): Freepointer corrupt\n[   10.712695] -----------------------------------------------------------------------------\n[   10.712695]\n[   10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2)\n[   10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c\n[   10.716698]\n[   10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n[   10.720703] Object   ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n[   10.720703] Object   ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n[   10.724696] Padding  ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n[   10.724696] Padding  ffff9d9a8035667c: 00 00 00 00                                      ....\n[   10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/slub: evita poner a cero el puntero libre de objetos externos para un solo commit libre 284f17ac13fe (\"mm/slub: maneja la liberaci\u00f3n masiva y de objetos individuales por separado\") divide la liberaci\u00f3n de objetos \u00fanicos y masivos en dos funciones slab_free() y slab_free_bulk() lo que lleva a slab_free() a llamar a slab_free_hook() directamente en lugar de slab_free_freelist_hook(). Si se establece `init_on_free`, slab_free_hook() pone a cero el objeto. Luego, si se configuran `slub_debug=F` y `CONFIG_SLAB_FREELIST_HARDENED`, la ruta lenta do_slab_free() ejecuta comprobaciones de coherencia de la lista libre e intenta decodificar un freepointer puesto a cero, lo que conduce a una detecci\u00f3n de \"Freepointer corrupto\" en check_object(). Durante la liberaci\u00f3n masiva, slab_free_freelist_hook() no se ve afectado ya que siempre establece el puntero libre de sus objetos usando set_freepointer() para mantener su lista libre reconstruida despu\u00e9s de `init_on_free`. Para un solo libre, el puntero libre del objeto debe evitarse cuando se almacena fuera del objeto si est\u00e1 configurado \"init_on_free\". El puntero libre se deja como est\u00e1, check_object() puede detectar m\u00e1s adelante un valor de puntero no v\u00e1lido debido a un desbordamiento de objetos. Para reproducir, configure `slub_debug=FU init_on_free=1 log_level=7` en la l\u00ednea de comando de una compilaci\u00f3n del kernel con `CONFIG_SLAB_FREELIST_HARDENED=y`. Registro de muestra de dmesg: [10.708715] ============================================ ================================== [10.710323] ERROR kmalloc-rnd-05-32 (Contaminado: GBT) : Freepointer corrupto [10.712695] -------------------------------------------- --------------------------------- [ 10.712695] [ 10.712695] Losa 0xffffd8bdc400d580 objetos=32 usados=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2) [ 10.716698] Objeto 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c [ 10.716698] [ 10.716698] Bytes b4 9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.720703] Objeto ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [ 10.720703] Objeto ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.724696] Relleno ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.724696] Relleno ffff9d9a8035667c: 00 00 00 00 .... [ 10.724696 ] FIX kmalloc-rnd-05-32: Objeto en 0xffff9d9a80356600 no liberado"
    }
  ],
  "id": "CVE-2024-36892",
  "lastModified": "2024-11-21T09:22:44.947",
  "metrics": {},
  "published": "2024-05-30T16:15:12.680",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/56900355485f6e82114b18c812edd57fd7970dcb"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8f828aa48812ced28aa39cb3cfe55ef2444d03dd"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/56900355485f6e82114b18c812edd57fd7970dcb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/8f828aa48812ced28aa39cb3cfe55ef2444d03dd"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.