CVE-2024-41098

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: libata-core: Fix null pointer dereference on error<br /> <br /> If the ata_port_alloc() call in ata_host_alloc() fails,<br /> ata_host_release() will get called.<br /> <br /> However, the code in ata_host_release() tries to free ata_port struct<br /> members unconditionally, which can lead to the following:<br /> <br /> BUG: unable to handle page fault for address: 0000000000003990<br /> PGD 0 P4D 0<br /> Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014<br /> RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]<br /> Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41<br /> RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246<br /> RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0<br /> RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68<br /> R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004<br /> R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006<br /> FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __die_body.cold+0x19/0x27<br /> ? page_fault_oops+0x15a/0x2f0<br /> ? exc_page_fault+0x7e/0x180<br /> ? asm_exc_page_fault+0x26/0x30<br /> ? ata_host_release.cold+0x2f/0x6e [libata]<br /> ? ata_host_release.cold+0x2f/0x6e [libata]<br /> release_nodes+0x35/0xb0<br /> devres_release_group+0x113/0x140<br /> ata_host_alloc+0xed/0x120 [libata]<br /> ata_host_alloc_pinfo+0x14/0xa0 [libata]<br /> ahci_init_one+0x6c9/0xd20 [ahci]<br /> <br /> Do not access ata_port struct members unconditionally.