CVE-2024-58019
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
27/02/2025
Last modified:
28/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

nvkm/gsp: correctly advance the read pointer of GSP message queue

A GSP event message consists of three parts: message header, RPC header,
message body. GSP calculates the number of pages to write from the
total size of a GSP message. This behavior can be observed from the
movement of the write pointer.

However, nvkm takes only the size of the RPC header and message body as
the message size when advancing the read pointer. When handling a
two-page GSP message in the non-rollback case, it wrongly takes the
message body of the previous message as the message header of the next
message. As the "message length" tends to be zero, in the calculation of
the size that needs to be copied (0 - size of (message header)), the size
to be copied will be "0xffffffxx". It also triggers a kernel panic due to a
NULL pointer error.

```text
[ 547.614102] msg: 00000f90: ff ff ff ff ff ff ff ff 40 d7 18 fb 8b 00 00 00 ........@.......
[ 547.622533] msg: 00000fa0: 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................
[ 547.630965] msg: 00000fb0: ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ................
[ 547.639397] msg: 00000fc0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................
[ 547.647832] nvkm 0000:c1:00.0: gsp: peek msg rpc fn:0 len:0x0/0xffffffffffffffe0
[ 547.655225] nvkm 0000:c1:00.0: gsp: get msg rpc fn:0 len:0x0/0xffffffffffffffe0
[ 547.662532] BUG: kernel NULL pointer dereference, address: 0000000000000020
[ 547.669485] #PF: supervisor read access in kernel mode
[ 547.674624] #PF: error_code(0x0000) - not-present page
[ 547.679755] PGD 0 P4D 0
[ 547.682294] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 547.686643] CPU: 22 PID: 322 Comm: kworker/22:1 Tainted: G E 6.9.0-rc6+ #1
[ 547.694893] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022
[ 547.702626] Workqueue: events r535_gsp_msgq_work [nvkm]
[ 547.707921] RIP: 0010:r535_gsp_msg_recv+0x87/0x230 [nvkm]
[ 547.713375] Code: 00 8b 70 08 48 89 e1 31 d2 4c 89 f7 e8 12 f5 ff ff 48 89 c5 48 85 c0 0f 84 cf 00 00 00 48 81 fd 00 f0 ff ff 0f 87 c4 00 00 00 55 10 41 8b 46 30 85 d2 0f 85 f6 00 00 00 83 f8 04 76 10 ba 05
[ 547.732119] RSP: 0018:ffffabe440f87e10 EFLAGS: 00010203
[ 547.737335] RAX: 0000000000000010 RBX: 0000000000000008 RCX: 000000000000003f
[ 547.744461] RDX: 0000000000000000 RSI: ffffabe4480a8030 RDI: 0000000000000010
[ 547.751585] RBP: 0000000000000010 R08: 0000000000000000 R09: ffffabe440f87bb0
[ 547.758707] R10: ffffabe440f87dc8 R11: 0000000000000010 R12: 0000000000000000
[ 547.765834] R13: 0000000000000000 R14: ffff9351df1e5000 R15: 0000000000000000
[ 547.772958] FS: 0000000000000000(0000) GS:ffff93708eb00000(0000) knlGS:0000000000000000
[ 547.781035] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 547.786771] CR2: 0000000000000020 CR3: 00000003cc220002 CR4: 0000000000770ef0
[ 547.793896] PKRU: 55555554
[ 547.796600] Call Trace:
[ 547.799046] <TASK>
[ 547.801152] ? __die+0x20/0x70
[ 547.804211] ? page_fault_oops+0x75/0x170
[ 547.808221] ? print_hex_dump+0x100/0x160
[ 547.812226] ? exc_page_fault+0x64/0x150
[ 547.816152] ? asm_exc_page_fault+0x22/0x30
[ 547.820341] ? r535_gsp_msg_recv+0x87/0x230 [nvkm]
[ 547.825184] r535_gsp_msgq_work+0x42/0x50 [nvkm]
[ 547.829845] process_one_work+0x196/0x3d0
[ 547.833861] worker_thread+0x2fc/0x410
[ 547.837613] ? __pfx_worker_thread+0x10/0x10
[ 547.841885] kthread+0xdf/0x110
[ 547.845031] ? __pfx_kthread+0x10/0x10
[ 547.848775] ret_from_fork+0x30/0x50
[ 547.852354] ? __pfx_kthread+0x10/0x10
[ 547.856097] ret_from_fork_asm+0x1a/0x30
[ 547.860019] </TASK>
[ 547.862208] Modules linked in: nvkm(E) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) amd64_edac(E) mlx5_ib(E) edac_mce_amd(E) kvm_amd
```
---truncated---
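As an added illustration of the read-pointer arithmetic the commit message describes (constructed here, not nvkm's code; the page size, queue length, header sizes and function names are assumptions), the writer counts the message header, the buggy reader does not, so after a message that spills into a second page the read pointer lands one page short, and a stale header whose length reads zero yields a wrapped copy length that a simple bound check would reject.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed geometry and header sizes, not nvkm's real values; MSG_HDR_SIZE is
 * chosen so that 0 - header size gives the ...ffe0 seen in the log above. */
#define GSP_PAGE_SIZE 0x1000u
#define QUEUE_PAGES   8u
#define MSG_HDR_SIZE  0x20u
#define RPC_HDR_SIZE  0x20u

/* Pages the writer (GSP) consumes: message header + RPC header + body. */
static uint32_t pages_written(uint32_t body_len)
{
	uint32_t total = MSG_HDR_SIZE + RPC_HDR_SIZE + body_len;
	return (total + GSP_PAGE_SIZE - 1) / GSP_PAGE_SIZE;
}

/* Buggy reader advance: counts only RPC header + body, as the commit describes. */
static uint32_t rptr_advance_buggy(uint32_t rptr, uint32_t body_len)
{
	uint32_t size = RPC_HDR_SIZE + body_len;
	return (rptr + (size + GSP_PAGE_SIZE - 1) / GSP_PAGE_SIZE) % QUEUE_PAGES;
}

/* Fixed reader advance: count exactly the bytes the writer counted. */
static uint32_t rptr_advance_fixed(uint32_t rptr, uint32_t body_len)
{
	return (rptr + pages_written(body_len)) % QUEUE_PAGES;
}

/* Copy length from a header "length" field; a stale 0 wraps (unsigned) to 0xff...ffe0. */
static size_t copy_len_from_header(size_t hdr_length)
{
	return hdr_length - MSG_HDR_SIZE;
}

/* Bound check a reader should apply before trusting a derived copy length. */
static int copy_len_plausible(size_t len)
{
	return len <= (size_t)QUEUE_PAGES * GSP_PAGE_SIZE - MSG_HDR_SIZE;
}

int main(void)
{
	uint32_t body = GSP_PAGE_SIZE - RPC_HDR_SIZE - 8; /* 1 page w/o msg hdr, 2 with it */
	printf("pages written=%u buggy rptr=%u fixed rptr=%u stale copy len=%#zx ok=%d\n",
	       pages_written(body), rptr_advance_buggy(0, body), rptr_advance_fixed(0, body),
	       copy_len_from_header(0), copy_len_plausible(copy_len_from_header(0)));
	return 0;
}
```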
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.3 (excluding) |