CVE-2024-46847

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: vmalloc: ensure vmap_block is initialised before adding to queue<br /> <br /> Commit 8c61291fd850 ("mm: fix incorrect vbq reference in<br /> purge_fragmented_block") extended the &amp;#39;vmap_block&amp;#39; structure to contain a<br /> &amp;#39;cpu&amp;#39; field which is set at allocation time to the id of the initialising<br /> CPU.<br /> <br /> When a new &amp;#39;vmap_block&amp;#39; is being instantiated by new_vmap_block(), the<br /> partially initialised structure is added to the local &amp;#39;vmap_block_queue&amp;#39;<br /> xarray before the &amp;#39;cpu&amp;#39; field has been initialised. If another CPU is<br /> concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it<br /> may perform an out-of-bounds access to the remote queue thanks to an<br /> uninitialised index.<br /> <br /> This has been observed as UBSAN errors in Android:<br /> <br /> | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP<br /> |<br /> | Call trace:<br /> | purge_fragmented_block+0x204/0x21c<br /> | _vm_unmap_aliases+0x170/0x378<br /> | vm_unmap_aliases+0x1c/0x28<br /> | change_memory_common+0x1dc/0x26c<br /> | set_memory_ro+0x18/0x24<br /> | module_enable_ro+0x98/0x238<br /> | do_init_module+0x1b0/0x310<br /> <br /> Move the initialisation of &amp;#39;vb-&gt;cpu&amp;#39; in new_vmap_block() ahead of the<br /> addition to the xarray.