CVE-2024-38661

Source
https://cve.org/CVERecord?id=CVE-2024-38661
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38661.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-38661
Published
2024-06-25T14:22:38.224Z
Modified
2026-05-28T03:52:39.397375727Z
Summary
s390/ap: Fix crash in AP internal function modify_bitmap()
Details

In the Linux kernel, the following vulnerability has been resolved:

s390/ap: Fix crash in AP internal function modify_bitmap()

A system crash like this

    Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403
    Fault in home space mode while using kernel ASCE.
    AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d
    Oops: 0038 ilc:3 [#1] PREEMPT SMP
    Modules linked in: mlx5_ib ...
    CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8
    Hardware name: IBM 3931 A01 704 (LPAR)
    Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)
               R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
    Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3
               000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0
               000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff
               000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8
    Krnl Code: 0000014b75e7b5fc: a7840047       brc   8,0000014b75e7b68a
               0000014b75e7b600: 18b2           lr    %r11,%r2
              #0000014b75e7b602: a7f4000a       brc   15,0000014b75e7b616
               0000014b75e7b606: eb22d00000e6   laog  %r2,%r2,0(%r13)
               0000014b75e7b60c: a7680001       lhi   %r6,1
               0000014b75e7b610: 187b           lr    %r7,%r11
               0000014b75e7b612: 84960021       brxh  %r9,%r6,0000014b75e7b654
               0000014b75e7b616: 18e9           lr    %r14,%r9
    Call Trace:
     [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8
    ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)
     [<0000014b75e7b758>] apmask_store+0x68/0x140
     [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8
     [<0000014b75598524>] vfs_write+0x1b4/0x448
     [<0000014b7559894c>] ksys_write+0x74/0x100
     [<0000014b7618a440>] __do_syscall+0x268/0x328
     [<0000014b761a3558>] system_call+0x70/0x98
    INFO: lockdep is turned off.
    Last Breaking-Event-Address:
     [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8
    Kernel panic - not syncing: Fatal exception: panic_on_oops

occurred when /sys/bus/ap/a[pq]mask was updated with a relative mask value (like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.

The fix is simple: use unsigned long values for the internal variables. The correct checks are already in place in the function but a simple int for the internal variables was used with the possibility to overflow.
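
The type problem described above can be modelled in user space. The following C program is an added illustration, not the kernel's code or the patch: the function names, the use of libc strtoul() and the 256-bit mask width are assumptions made for the example.

```c
/* Added illustration: user-space model of the range check, not kernel code. */
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: the bit number as it lands in an int variable.
 * With GCC and Clang, values above INT_MAX wrap to a negative number. */
static int index_as_int(const char *str)
{
	return (int)strtoul(str, NULL, 0);
}

/* Pre-fix shape: the "value >= bits" check runs on the int copy.
 * Returns 1 when the check lets the value through, 0 when it rejects it. */
static int accepts_with_int(const char *str, int bits)
{
	char *end;
	int a = (int)strtoul(str, &end, 0);

	return !(str == end || a >= bits);   /* a negative a is "in range" */
}

/* Post-fix shape: same check, unsigned long variable as the fix describes. */
static int accepts_with_ulong(const char *str, int bits)
{
	char *end;
	unsigned long a = strtoul(str, &end, 0);

	return !(str == end || a >= (unsigned long)bits);
}

int main(void)
{
	/* Constructed inputs: one valid bit number, two above INT_MAX. */
	const char *samples[] = { "0x10", "2147483648", "0xffffffff" };
	const int bits = 256;   /* assumed mask width for the example */

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-12s as int: %11d  int check: %s  ulong check: %s\n",
		       samples[i], index_as_int(samples[i]),
		       accepts_with_int(samples[i], bits) ? "accepted" : "rejected",
		       accepts_with_ulong(samples[i], bits) ? "accepted" : "rejected");
	return 0;
}
```

The same comparison that rejects 300 for a 256-bit mask lets a negative int through, which is why changing only the variable type is enough to make the existing check effective.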

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38661.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3d8f60d38e249f989a7fca9c2370c31c3d5487e1
Fixed
2062e3f1f2374102f8014d7ca286b9aa527bd558
Fixed
7c72af16abf2ec7520407098360bbba312289e05
Fixed
7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0
Fixed
67011123453b91ec03671d40712fa213e94a01b9
Fixed
8c5f5911c1b13170d3404eb992c6a0deaa8d81ad
Fixed
4c0bfb4e867c1ec6616a5049bd3618021e127056
Fixed
7dabe54a016defe11bb2a278cd9f1ff6db3feba6
Fixed
d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38661.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type        Introduced   Fixed
ECOSYSTEM   4.19.0       4.19.316
ECOSYSTEM   4.20.0       5.4.278
ECOSYSTEM   5.5.0        5.10.219
ECOSYSTEM   5.11.0       5.15.161
ECOSYSTEM   5.16.0       6.1.94
ECOSYSTEM   6.2.0        6.6.34
ECOSYSTEM   6.7.0        6.9.5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38661.json"