Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-36892

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
30/05/2024
Last modified:
18/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/slub: avoid zeroing outside-object freepointer for single free<br /> <br /> Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeing<br /> separately") splits single and bulk object freeing in two functions<br /> slab_free() and slab_free_bulk() which leads slab_free() to call<br /> slab_free_hook() directly instead of slab_free_freelist_hook().<br /> <br /> If `init_on_free` is set, slab_free_hook() zeroes the object.<br /> Afterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are<br /> set, the do_slab_free() slowpath executes freelist consistency<br /> checks and try to decode a zeroed freepointer which leads to a<br /> "Freepointer corrupt" detection in check_object().<br /> <br /> During bulk free, slab_free_freelist_hook() isn&amp;#39;t affected as it always<br /> sets it objects freepointer using set_freepointer() to maintain its<br /> reconstructed freelist after `init_on_free`.<br /> <br /> For single free, object&amp;#39;s freepointer thus needs to be avoided when<br /> stored outside the object if `init_on_free` is set. The freepointer left<br /> as is, check_object() may later detect an invalid pointer value due to<br /> objects overflow.<br /> <br /> To reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the<br /> command line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`.<br /> <br /> dmesg sample log:<br /> [ 10.708715] =============================================================================<br /> [ 10.710323] BUG kmalloc-rnd-05-32 (Tainted: G B T ): Freepointer corrupt<br /> [ 10.712695] -----------------------------------------------------------------------------<br /> [ 10.712695]<br /> [ 10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2)<br /> [ 10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c<br /> [ 10.716698]<br /> [ 10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> [ 10.720703] Object ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> [ 10.720703] Object ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> [ 10.724696] Padding ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> [ 10.724696] Padding ffff9d9a8035667c: 00 00 00 00 ....<br /> [ 10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8 (including) 6.8.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc7:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools