CVE-2024-36000

Should be an issue in hugetlb but triggered in an userfault context, where it goes into the unlikely path where two threads modifying the resv map together. Mike has a fix in that path for resv uncharge but it looks like the locking criteria was overlooked: hugetlbcgroupunchargefoliorsvd() will update the cgroup pointer, so it requires to be called with the lock held.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36000.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

79aa925bf239c234be8586780e482872dc4690dd

Fixed

4c806333efea1000a2a9620926f560ad2e1ca7cc

Fixed

f6c5d21db16a0910152ec8aa9d5a7aed72694505

Fixed

538faabf31e9c53d8c870d114846fda958a0de10

Fixed

b76b46902c2d0395488c8412e1116c2486cdfcb2

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

f87004c0b2bdf0f1066b88795d8e6c1dfad6cea0

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.10.0

Fixed

6.1.91

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.30

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.8.9