CVE-2024-26768
Severity CVSS v4.0: Pending analysis
Type: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Publication date: 03/04/2024
Last modified: 04/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]

With default config, the value of NR_CPUS is 64. When HW platform has
more than 64 cpus, system will crash on these platforms. MAX_CORE_PIC
is the maximum cpu number in MADT table (max physical number) which can
exceed the supported maximum cpu number (NR_CPUS, max logical number),
but kernel should not crash. Kernel should boot cpus with NR_CPUS, let
the remainder cpus stay in BIOS.

The potential crash reason is that the array acpi_core_pic[NR_CPUS] can
be overflowed when parsing MADT table, and it is obvious that CORE_PIC
should be corresponding to physical core rather than logical core, so it
is better to define the array as acpi_core_pic[MAX_CORE_PIC].

With the patch, system can boot up 64 vcpus with qemu parameter -smp 128,
otherwise system will crash with the following message.

    [ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec
    [ 0.000000] Oops[#1]:
    [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192
    [ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022
    [ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60
    [ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8
    [ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005
    [ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001
    [ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063
    [ 0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98
    [ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90
    [ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330
    [ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250
    [ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94
    [ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
    [ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)
    [ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
    [ 0.000000] ECFG: 00070800 (LIE=11 VS=7)
    [ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)
    [ 0.000000] BADV: 0000420000004259
    [ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
    [ 0.000000] Modules linked in:
    [ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))
    [ 0.000000] Call Trace:
    [ 0.000000] [] efi_runtime_init+0x30/0x94
    [ 0.000000] [] platform_init+0x214/0x250
    [ 0.000000] [] setup_arch+0x124/0x45c
    [ 0.000000] [] start_kernel+0x90/0x670
    [ 0.000000] [] kernel_entry+0xd8/0xdc
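
The sizing rule from the description, as an added user-space model in C (not the kernel's code and not part of the original advisory): the table indexed by physical core id is sized by `MAX_CORE_PIC`, and only `NR_CPUS` logical CPUs are brought up. The value 256 for `MAX_CORE_PIC`, the simplified `core_pic` struct and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NR_CPUS      64   /* max logical CPUs (default config in the description) */
#define MAX_CORE_PIC 256  /* max physical core id in the MADT; assumed value */

struct core_pic { uint32_t core_id; uint32_t flags; }; /* simplified MADT entry */

/* Post-fix sizing: indexed by physical core id, so sized by MAX_CORE_PIC. */
static struct core_pic core_pic_tbl[MAX_CORE_PIC];
static int nr_logical;

/* Store one entry; return its logical CPU number, or -1 if it is not booted. */
int register_core(const struct core_pic *e)
{
    if (e->core_id >= MAX_CORE_PIC)   /* firmware table is untrusted input */
        return -1;
    core_pic_tbl[e->core_id] = *e;    /* in bounds for every valid physical id */
    if (nr_logical >= NR_CPUS)        /* remainder stays in BIOS */
        return -1;
    return nr_logical++;
}

/* Parse all entries; return how many CPUs were brought up. */
int parse_madt(const struct core_pic *ents, size_t n)
{
    nr_logical = 0;
    for (size_t i = 0; i < n; i++)
        register_core(&ents[i]);
    return nr_logical;
}

/* Entries whose store would land past a pre-fix acpi_core_pic[NR_CPUS]. */
int old_layout_oob_writes(const struct core_pic *ents, size_t n)
{
    int oob = 0;
    for (size_t i = 0; i < n; i++)
        if (ents[i].core_id >= NR_CPUS)
            oob++;
    return oob;
}

int main(void)
{
    struct core_pic ents[128];        /* constructed: models -smp 128 */
    for (uint32_t i = 0; i < 128; i++)
        ents[i] = (struct core_pic){ .core_id = i, .flags = 1 };
    printf("booted=%d old_oob=%d\n", parse_madt(ents, 128),
           old_layout_oob_writes(ents, 128));
    return 0;
}
```
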
Impact
Base Score 3.x: 6.50
Severity 3.x: MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.19 (including) | 6.6.19 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.7 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd
- https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe
- https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280