CVE-2024-47688
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
21/10/2024
Last modified:
23/10/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
driver core: Fix a potential null-ptr-deref in module_add_driver()<br />
<br />
Inject fault while probing of-fpga-region, if kasprintf() fails in<br />
module_add_driver(), the second sysfs_remove_link() in exit path will cause<br />
null-ptr-deref as below because kernfs_name_hash() will call strlen() with<br />
NULL driver_name.<br />
<br />
Fix it by releasing resources based on the exit path sequence.<br />
<br />
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br />
Mem abort info:<br />
ESR = 0x0000000096000005<br />
EC = 0x25: DABT (current EL), IL = 32 bits<br />
SET = 0, FnV = 0<br />
EA = 0, S1PTW = 0<br />
FSC = 0x05: level 1 translation fault<br />
Data abort info:<br />
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000<br />
CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br />
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br />
[dfffffc000000000] address between user and kernel address ranges<br />
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP<br />
Dumping ftrace buffer:<br />
(ftrace buffer empty)<br />
Modules linked in: of_fpga_region(+) fpga_region fpga_bridge cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: of_fpga_region]<br />
CPU: 2 UID: 0 PID: 2036 Comm: modprobe Not tainted 6.11.0-rc2-g6a0e38264012 #295<br />
Hardware name: linux,dummy-virt (DT)<br />
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br />
pc : strlen+0x24/0xb0<br />
lr : kernfs_name_hash+0x1c/0xc4<br />
sp : ffffffc081f97380<br />
x29: ffffffc081f97380 x28: ffffffc081f97b90 x27: ffffff80c821c2a0<br />
x26: ffffffedac0be418 x25: 0000000000000000 x24: ffffff80c09d2000<br />
x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000<br />
x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000001840<br />
x17: 0000000000000000 x16: 0000000000000000 x15: 1ffffff8103f2e42<br />
x14: 00000000f1f1f1f1 x13: 0000000000000004 x12: ffffffb01812d61d<br />
x11: 1ffffff01812d61c x10: ffffffb01812d61c x9 : dfffffc000000000<br />
x8 : 0000004fe7ed29e4 x7 : ffffff80c096b0e7 x6 : 0000000000000001<br />
x5 : ffffff80c096b0e0 x4 : 1ffffffdb990efa2 x3 : 0000000000000000<br />
x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000000<br />
Call trace:<br />
strlen+0x24/0xb0<br />
kernfs_name_hash+0x1c/0xc4<br />
kernfs_find_ns+0x118/0x2e8<br />
kernfs_remove_by_name_ns+0x80/0x100<br />
sysfs_remove_link+0x74/0xa8<br />
module_add_driver+0x278/0x394<br />
bus_add_driver+0x1f0/0x43c<br />
driver_register+0xf4/0x3c0<br />
__platform_driver_register+0x60/0x88<br />
of_fpga_region_init+0x20/0x1000 [of_fpga_region]<br />
do_one_initcall+0x110/0x788<br />
do_init_module+0x1dc/0x5c8<br />
load_module+0x3c38/0x4cac<br />
init_module_from_file+0xd4/0x128<br />
idempotent_init_module+0x2cc/0x528<br />
__arm64_sys_finit_module+0xac/0x100<br />
invoke_syscall+0x6c/0x258<br />
el0_svc_common.constprop.0+0x160/0x22c<br />
do_el0_svc+0x44/0x5c<br />
el0_svc+0x48/0xb8<br />
el0t_64_sync_handler+0x13c/0x158<br />
el0t_64_sync+0x190/0x194<br />
Code: f2fbffe1 a90157f4 12000802 aa0003f5 (38e16861)<br />
---[ end trace 0000000000000000 ]---<br />
Kernel panic - not syncing: Oops: Fatal exception
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.33 (including) | 6.6.54 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.9.4 (including) | 6.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.10 (including) | 6.10.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page