ghsa-8x6v-8q4g-xh9f
Vulnerability from github
Published
2024-12-02 15:31
Modified
2024-12-14 21:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: fix NULL pointer dereference in alloc_pages_bulk_noprof

We triggered a NULL pointer dereference for ac.preferred_zoneref->zone in alloc_pages_bulk_noprof() when the task is migrated between cpusets.

When cpuset is enabled, in prepare_alloc_pages(), ac->nodemask may be &current->mems_allowed. when first_zones_zonelist() is called to find preferred_zoneref, the ac->nodemask may be modified concurrently if the task is migrated between different cpusets. Assuming we have 2 NUMA Node, when traversing Node1 in ac->zonelist, the nodemask is 2, and when traversing Node2 in ac->zonelist, the nodemask is 1. As a result, the ac->preferred_zoneref points to NULL zone.

In alloc_pages_bulk_noprof(), for_each_zone_zonelist_nodemask() finds a allowable zone and calls zonelist_node_idx(ac.preferred_zoneref), leading to NULL pointer dereference.

__alloc_pages_noprof() fixes this issue by checking NULL pointer in commit ea57485af8f4 ("mm, page_alloc: fix check for NULL preferred_zone") and commit df76cee6bbeb ("mm, page_alloc: remove redundant checks from alloc fastpath").

To fix it, check NULL pointer for preferred_zoneref->zone.

Show details on source website

To clipboard 

{
   affected: [],
   aliases: [
      "CVE-2024-53113",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-476",
      ],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2024-12-02T14:15:12Z",
      severity: "MODERATE",
   },
   details: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix NULL pointer dereference in alloc_pages_bulk_noprof\n\nWe triggered a NULL pointer dereference for ac.preferred_zoneref->zone in\nalloc_pages_bulk_noprof() when the task is migrated between cpusets.\n\nWhen cpuset is enabled, in prepare_alloc_pages(), ac->nodemask may be\n&current->mems_allowed.  when first_zones_zonelist() is called to find\npreferred_zoneref, the ac->nodemask may be modified concurrently if the\ntask is migrated between different cpusets.  Assuming we have 2 NUMA Node,\nwhen traversing Node1 in ac->zonelist, the nodemask is 2, and when\ntraversing Node2 in ac->zonelist, the nodemask is 1.  As a result, the\nac->preferred_zoneref points to NULL zone.\n\nIn alloc_pages_bulk_noprof(), for_each_zone_zonelist_nodemask() finds a\nallowable zone and calls zonelist_node_idx(ac.preferred_zoneref), leading\nto NULL pointer dereference.\n\n__alloc_pages_noprof() fixes this issue by checking NULL pointer in commit\nea57485af8f4 (\"mm, page_alloc: fix check for NULL preferred_zone\") and\ncommit df76cee6bbeb (\"mm, page_alloc: remove redundant checks from alloc\nfastpath\").\n\nTo fix it, check NULL pointer for preferred_zoneref->zone.",
   id: "GHSA-8x6v-8q4g-xh9f",
   modified: "2024-12-14T21:31:33Z",
   published: "2024-12-02T15:31:39Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2024-53113",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/31502374627ba9ec3e710dbd0bb00457cc6d2c19",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/6addb2d9501ec866d7b3a3b4e665307c437e9be2",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/8ce41b0f9d77cca074df25afd39b86e2ee3aa68e",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/903d896448c2e50e8652aaba529a30d4d1eaa0e5",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/d0f16cec79774c3132df006cf771eddd89d08f58",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
         type: "CVSS_V3",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.