Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-40981

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
12/07/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> batman-adv: bypass empty buckets in batadv_purge_orig_ref()<br /> <br /> Many syzbot reports are pointing to soft lockups in<br /> batadv_purge_orig_ref() [1]<br /> <br /> Root cause is unknown, but we can avoid spending too much<br /> time there and perhaps get more interesting reports.<br /> <br /> [1]<br /> <br /> watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]<br /> Modules linked in:<br /> irq event stamp: 6182794<br /> hardirqs last enabled at (6182793): [] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386<br /> hardirqs last disabled at (6182794): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]<br /> hardirqs last disabled at (6182794): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551<br /> softirqs last enabled at (6182792): [] spin_unlock_bh include/linux/spinlock.h:396 [inline]<br /> softirqs last enabled at (6182792): [] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287<br /> softirqs last disabled at (6182790): [] spin_lock_bh include/linux/spinlock.h:356 [inline]<br /> softirqs last disabled at (6182790): [] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271<br /> CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024<br /> Workqueue: bat_events batadv_purge_orig<br /> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]<br /> pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388<br /> lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386<br /> sp : ffff800099007970<br /> x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000<br /> x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001<br /> x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4<br /> x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0<br /> x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001<br /> x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003<br /> x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000<br /> x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000<br /> x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000<br /> x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000<br /> Call trace:<br /> __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]<br /> arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]<br /> __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386<br /> __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]<br /> _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210<br /> spin_unlock_bh include/linux/spinlock.h:396 [inline]<br /> batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287<br /> batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300<br /> process_one_work+0x694/0x1204 kernel/workqueue.c:2633<br /> process_scheduled_works kernel/workqueue.c:2706 [inline]<br /> worker_thread+0x938/0xef4 kernel/workqueue.c:2787<br /> kthread+0x288/0x310 kernel/kthread.c:388<br /> ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860<br /> Sending NMI from CPU 0 to CPUs 1:<br /> NMI backtrace for cpu 1<br /> CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024<br /> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51<br /> lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103<br /> sp : ffff800093a17d30<br /> x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4<br /> x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002<br /> x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000<br /> x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396<br /> x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.19.317 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.279 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.221 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.162 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.96 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.36 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.7 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools