CVE-2024-53097
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/11/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
mm: krealloc: Fix MTE false alarm in __do_krealloc<br />
<br />
This patch addresses an issue introduced by commit 1a83a716ec233 ("mm:<br />
krealloc: consider spare memory for __GFP_ZERO") which causes MTE<br />
(Memory Tagging Extension) to falsely report a slab-out-of-bounds error.<br />
<br />
The problem occurs when zeroing out spare memory in __do_krealloc. The<br />
original code only considered software-based KASAN and did not account<br />
for MTE. It does not reset the KASAN tag before calling memset, leading<br />
to a mismatch between the pointer tag and the memory tag, resulting<br />
in a false positive.<br />
<br />
Example of the error:<br />
==================================================================<br />
swapper/0: BUG: KASAN: slab-out-of-bounds in __memset+0x84/0x188<br />
swapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1<br />
swapper/0: Pointer tag: [f4], memory tag: [fe]<br />
swapper/0:<br />
swapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.<br />
swapper/0: Hardware name: MT6991(ENG) (DT)<br />
swapper/0: Call trace:<br />
swapper/0: dump_backtrace+0xfc/0x17c<br />
swapper/0: show_stack+0x18/0x28<br />
swapper/0: dump_stack_lvl+0x40/0xa0<br />
swapper/0: print_report+0x1b8/0x71c<br />
swapper/0: kasan_report+0xec/0x14c<br />
swapper/0: __do_kernel_fault+0x60/0x29c<br />
swapper/0: do_bad_area+0x30/0xdc<br />
swapper/0: do_tag_check_fault+0x20/0x34<br />
swapper/0: do_mem_abort+0x58/0x104<br />
swapper/0: el1_abort+0x3c/0x5c<br />
swapper/0: el1h_64_sync_handler+0x80/0xcc<br />
swapper/0: el1h_64_sync+0x68/0x6c<br />
swapper/0: __memset+0x84/0x188<br />
swapper/0: btf_populate_kfunc_set+0x280/0x3d8<br />
swapper/0: __register_btf_kfunc_id_set+0x43c/0x468<br />
swapper/0: register_btf_kfunc_id_set+0x48/0x60<br />
swapper/0: register_nf_nat_bpf+0x1c/0x40<br />
swapper/0: nf_nat_init+0xc0/0x128<br />
swapper/0: do_one_initcall+0x184/0x464<br />
swapper/0: do_initcall_level+0xdc/0x1b0<br />
swapper/0: do_initcalls+0x70/0xc0<br />
swapper/0: do_basic_setup+0x1c/0x28<br />
swapper/0: kernel_init_freeable+0x144/0x1b8<br />
swapper/0: kernel_init+0x20/0x1a8<br />
swapper/0: ret_from_fork+0x10/0x20<br />
==================================================================
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.227 (including) | 5.10.230 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.168 (including) | 5.15.173 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.113 (including) | 6.1.118 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.55 (including) | 6.6.62 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11.3 (including) | 6.11.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.10.14:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/3dfb40da84f26dd35dd9bbaf626a2424565b8406
- https://git.kernel.org/stable/c/486aeb5f1855c75dd810c25036134961bd2a6722
- https://git.kernel.org/stable/c/704573851b51808b45dae2d62059d1d8189138a2
- https://git.kernel.org/stable/c/71548fada7ee0eb50cc6ccda82dff010c745f92c
- https://git.kernel.org/stable/c/8ebee7565effdeae6085458f8f8463363120a871
- https://git.kernel.org/stable/c/d02492863023431c31f85d570f718433c22b9311
- https://git.kernel.org/stable/c/d43f1430d47c22a0727c05b6f156ed25fecdfeb4
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html