CVE-2024-50227

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50227
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50227.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50227
Downstream
Related
Published
2024-11-09T10:14:37Z
Modified
2025-10-17T16:00:06.253643Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
thunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan()
Details

In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Fix KASAN reported stack out-of-bounds read in tbretimerscan()

KASAN reported following issue:

BUG: KASAN: stack-out-of-bounds in tbretimerscan+0xffe/0x1550 [thunderbolt] Read of size 4 at addr ffff88810111fc1c by task kworker/u56:0/11 CPU: 0 UID: 0 PID: 11 Comm: kworker/u56:0 Tainted: G U 6.11.0+ #1387 Tainted: [U]=USER Workqueue: thunderbolt0 tbhandlehotplug [thunderbolt] Call Trace: <TASK> dumpstacklvl+0x6c/0x90 printreport+0xd1/0x630 kasanreport+0xdb/0x110 _asanreportload4noabort+0x14/0x20 tbretimerscan+0xffe/0x1550 [thunderbolt] tbscanport+0xa6f/0x2060 [thunderbolt] tbhandlehotplug+0x17b1/0x3080 [thunderbolt] processonework+0x626/0x1100 workerthread+0x6c8/0xfa0 kthread+0x2c8/0x3a0 retfromfork+0x3a/0x80 retfromforkasm+0x1a/0x30

This happens because the loop variable still gets incremented by one so max becomes 3 instead of 2, and this makes the second loop read past the the array declared on the stack.

Fix this by assigning to max directly in the loop body.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ff6ab055e070d819f51196622e08f8941b6d2a4b
Fixed
08b2771e9270fbe1ed4fbbe93abe05ac7fe9861d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ff6ab055e070d819f51196622e08f8941b6d2a4b
Fixed
e9e1b20fae7de06ba36dd3f8dba858157bad233d

Affected versions

v6.*

v6.10
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.11.6
v6.12-rc1
v6.12-rc2

Database specific

vanir_signatures

[
    {
        "id": "CVE-2024-50227-268a28b5",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "drivers/thunderbolt/retimer.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e9e1b20fae7de06ba36dd3f8dba858157bad233d",
        "digest": {
            "line_hashes": [
                "242243053725719961489447519604753977979",
                "240882303084908302140495227114676917471",
                "1064914459455195894152568009578561188",
                "20962068472436252602356097488893275525",
                "232886250572802668677289302735308218289",
                "334619634522781217838037379168657865991",
                "117779078763793656444585084467519609762",
                "202679151300333816168592665060112594209",
                "270113586286538597755624467809894166943",
                "297317216923037651257286050251388400686"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2024-50227-66652a41",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "drivers/thunderbolt/retimer.c",
            "function": "tb_retimer_scan"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@08b2771e9270fbe1ed4fbbe93abe05ac7fe9861d",
        "digest": {
            "length": 739.0,
            "function_hash": "151179044207007499482176252391693986910"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-50227-745add61",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "drivers/thunderbolt/retimer.c",
            "function": "tb_retimer_scan"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e9e1b20fae7de06ba36dd3f8dba858157bad233d",
        "digest": {
            "length": 739.0,
            "function_hash": "151179044207007499482176252391693986910"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2024-50227-8d1d31a3",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "drivers/thunderbolt/retimer.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@08b2771e9270fbe1ed4fbbe93abe05ac7fe9861d",
        "digest": {
            "line_hashes": [
                "242243053725719961489447519604753977979",
                "240882303084908302140495227114676917471",
                "1064914459455195894152568009578561188",
                "20962068472436252602356097488893275525",
                "232886250572802668677289302735308218289",
                "334619634522781217838037379168657865991",
                "117779078763793656444585084467519609762",
                "202679151300333816168592665060112594209",
                "270113586286538597755624467809894166943",
                "297317216923037651257286050251388400686"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.11.7