CVE-2024-36892
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-36892
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36892.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-36892
- Downstream
- Published
- 2024-05-30T15:28:58Z
- Modified
- 2025-10-17T05:58:41.190616Z
- Summary
- mm/slub: avoid zeroing outside-object freepointer for single free
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
mm/slub: avoid zeroing outside-object freepointer for single free
Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeing separately") splits single and bulk object freeing in two functions slabfree() and slabfreebulk() which leads slabfree() to call slabfreehook() directly instead of slabfreefreelist_hook().
If
init_on_freeis set, slabfreehook() zeroes the object. Afterward, ifslub_debug=FandCONFIG_SLAB_FREELIST_HARDENEDare set, the doslabfree() slowpath executes freelist consistency checks and try to decode a zeroed freepointer which leads to a "Freepointer corrupt" detection in check_object().During bulk free, slabfreefreelisthook() isn't affected as it always sets it objects freepointer using setfreepointer() to maintain its reconstructed freelist after
init_on_free.For single free, object's freepointer thus needs to be avoided when stored outside the object if
init_on_freeis set. The freepointer left as is, check_object() may later detect an invalid pointer value due to objects overflow.To reproduce, set
slub_debug=FU init_on_free=1 log_level=7on the command line of a kernel build withCONFIG_SLAB_FREELIST_HARDENED=y.dmesg sample log: [ 10.708715] ============================================================================= [ 10.710323] BUG kmalloc-rnd-05-32 (Tainted: G B T ): Freepointer corrupt [ 10.712695] ----------------------------------------------------------------------------- [ 10.712695] [ 10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2) [ 10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c [ 10.716698] [ 10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.720703] Object ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.720703] Object ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.724696] Padding ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.724696] Padding ffff9d9a8035667c: 00 00 00 00 .... [ 10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced284f17ac13fe34ae9eecbe57bb91553374d9b855Fixed56900355485f6e82114b18c812edd57fd7970dcb
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced284f17ac13fe34ae9eecbe57bb91553374d9b855Fixed8f828aa48812ced28aa39cb3cfe55ef2444d03dd