Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-39371

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
25/06/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring: check for non-NULL file pointer in io_file_can_poll()<br /> <br /> In earlier kernels, it was possible to trigger a NULL pointer<br /> dereference off the forced async preparation path, if no file had<br /> been assigned. The trace leading to that looks as follows:<br /> <br /> BUG: kernel NULL pointer dereference, address: 00000000000000b0<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP<br /> CPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022<br /> RIP: 0010:io_buffer_select+0xc3/0x210<br /> Code: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b<br /> RSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246<br /> RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040<br /> RDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700<br /> RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020<br /> R10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8<br /> R13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000<br /> FS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0<br /> Call Trace:<br /> <br /> ? __die+0x1f/0x60<br /> ? page_fault_oops+0x14d/0x420<br /> ? do_user_addr_fault+0x61/0x6a0<br /> ? exc_page_fault+0x6c/0x150<br /> ? asm_exc_page_fault+0x22/0x30<br /> ? io_buffer_select+0xc3/0x210<br /> __io_import_iovec+0xb5/0x120<br /> io_readv_prep_async+0x36/0x70<br /> io_queue_sqe_fallback+0x20/0x260<br /> io_submit_sqes+0x314/0x630<br /> __do_sys_io_uring_enter+0x339/0xbc0<br /> ? __do_sys_io_uring_register+0x11b/0xc50<br /> ? vm_mmap_pgoff+0xce/0x160<br /> do_syscall_64+0x5f/0x180<br /> entry_SYSCALL_64_after_hwframe+0x46/0x4e<br /> RIP: 0033:0x55e0a110a67e<br /> Code: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6<br /> <br /> because the request is marked forced ASYNC and has a bad file fd, and<br /> hence takes the forced async prep path.<br /> <br /> Current kernels with the request async prep cleaned up can no longer hit<br /> this issue, but for ease of backporting, let&amp;#39;s add this safety check in<br /> here too as it really doesn&amp;#39;t hurt. For both cases, this will inevitably<br /> end with a CQE posted with -EBADF.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.19 (including) 6.1.95 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.35 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools