Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-41065

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
29/07/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/pseries: Whitelist dtl slub object for copying to userspace<br /> <br /> Reading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*<br /> results in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as<br /> shown below.<br /> <br /> kernel BUG at mm/usercopy.c:102!<br /> Oops: Exception in kernel mode, sig: 5 [#1]<br /> LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries<br /> Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc<br /> scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse<br /> CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85<br /> Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries<br /> NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8<br /> REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3)<br /> MSR: 8000000000029033 CR: 2828220f XER: 0000000e<br /> CFAR: c0000000001fdc80 IRQMASK: 0<br /> [ ... GPRs omitted ... ]<br /> NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0<br /> LR [c0000000005d23d0] usercopy_abort+0x74/0xb0<br /> Call Trace:<br /> usercopy_abort+0x74/0xb0 (unreliable)<br /> __check_heap_object+0xf8/0x120<br /> check_heap_object+0x218/0x240<br /> __check_object_size+0x84/0x1a4<br /> dtl_file_read+0x17c/0x2c4<br /> full_proxy_read+0x8c/0x110<br /> vfs_read+0xdc/0x3a0<br /> ksys_read+0x84/0x144<br /> system_call_exception+0x124/0x330<br /> system_call_vectored_common+0x15c/0x2ec<br /> --- interrupt: 3000 at 0x7fff81f3ab34<br /> <br /> Commit 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0")<br /> requires that only whitelisted areas in slab/slub objects can be copied to<br /> userspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.<br /> Dtl contains hypervisor dispatch events which are expected to be read by<br /> privileged users. Hence mark this safe for user access.<br /> Specify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the<br /> entire object.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.4.281 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.223 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.164 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.101 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.42 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.11 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools