CVE-2024-26768

Severity CVSS v4.0:
Pending analysis
Type:
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Publication date:
03/04/2024
Last modified:
04/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]

With default config, the value of NR_CPUS is 64. When HW platform has more than 64 cpus, system will crash on these platforms. MAX_CORE_PIC is the maximum cpu number in MADT table (max physical number) which can exceed the supported maximum cpu number (NR_CPUS, max logical number), but kernel should not crash. Kernel should boot cpus with NR_CPUS, let the remainder cpus stay in BIOS.

The potential crash reason is that the array acpi_core_pic[NR_CPUS] can be overflowed when parsing MADT table, and it is obvious that CORE_PIC should be corresponding to physical core rather than logical core, so it is better to define the array as acpi_core_pic[MAX_CORE_PIC].

With the patch, system can boot up 64 vcpus with qemu parameter -smp 128, otherwise system will crash with the following message.

[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec
[ 0.000000] Oops[#1]:
[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192
[ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022
[ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60
[ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8
[ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005
[ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001
[ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063
[ 0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98
[ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90
[ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330
[ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250
[ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94
[ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
[ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)
[ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
[ 0.000000] ECFG: 00070800 (LIE=11 VS=7)
[ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)
[ 0.000000] BADV: 0000420000004259
[ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
[ 0.000000] Modules linked in:
[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))
[ 0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec
[ 0.000000] 000000000a7fd000 0000000008290000 0000000000000000 0000000000000000
[ 0.000000] 0000000000000000 0000000000000000 00000000019d8000 000000000f556b60
[ 0.000000] 000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000
[ 0.000000] 9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c
[ 0.000000] 000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08
[ 0.000000] 9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018
[ 0.000000] 000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000
[ 0.000000] 0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000
[ 0.000000] 000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000
[ 0.000000] ...
[ 0.000000] Call Trace:
[ 0.000000] [] efi_runtime_init+0x30/0x94
[ 0.000000] [] platform_init+0x214/0x250
[ 0.000000] [] setup_arch+0x124/0x45c
[ 0.000000] [] start_kernel+0x90/0x670
[ 0.000000] [] kernel_entry+0xd8/0xdc
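
The sizing problem described above, as a user-space model added here for illustration (not code from the kernel or from this advisory). The MAX_CORE_PIC value of 256, the struct layout, indexing by core id, all function names and the rejection of ids at or above MAX_CORE_PIC are assumptions of the model; NR_CPUS = 64 and the -smp 128 case come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_CPUS      64   /* max logical CPUs with default config (from the description) */
#define MAX_CORE_PIC 256  /* max physical core number in MADT; value assumed for this model */

/* Simplified stand-in for a MADT CORE_PIC entry (hypothetical layout). */
struct core_pic { uint32_t core_id; uint32_t enabled; };

struct parse_result {
    int booted;        /* logical CPUs brought up, never more than NR_CPUS */
    int left_in_bios;  /* enabled cores beyond the logical limit */
    int old_oob;       /* stores that would fall outside a [NR_CPUS]-sized array */
    int rejected;      /* entries whose core_id does not fit the table at all */
};

/* Table indexed by physical core id, so it is sized by MAX_CORE_PIC. */
static struct core_pic core_pic_table[MAX_CORE_PIC];

struct parse_result parse_madt_model(const struct core_pic *e, size_t n)
{
    struct parse_result r = {0, 0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        /* Bounds check added in this model: never index past the table. */
        if (e[i].core_id >= MAX_CORE_PIC) { r.rejected++; continue; }
        /* With the old [NR_CPUS] sizing this store would be out of bounds. */
        if (e[i].core_id >= NR_CPUS) r.old_oob++;
        core_pic_table[e[i].core_id] = e[i];
        if (!e[i].enabled) continue;
        if (r.booted < NR_CPUS) r.booted++;   /* boot up to NR_CPUS cpus */
        else r.left_in_bios++;                /* the remainder stay in BIOS */
    }
    return r;
}

/* Constructed input: n enabled cores with ids 0..n-1, in the spirit of "-smp n". */
struct parse_result model_smp(uint32_t n)
{
    static struct core_pic e[512];
    if (n > 512) n = 512;
    for (uint32_t i = 0; i < n; i++) { e[i].core_id = i; e[i].enabled = 1; }
    return parse_madt_model(e, n);
}

int main(void)
{
    struct parse_result r = model_smp(128);
    printf("booted=%d left_in_bios=%d old_oob=%d rejected=%d\n",
           r.booted, r.left_in_bios, r.old_oob, r.rejected);
    return 0;
}
```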

Vulnerable products and versions

CPE                                              From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.19 (including)   6.6.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7 (including)    6.7.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*