CVE-2024-39301

Source
https://cve.org/CVERecord?id=CVE-2024-39301
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-39301.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-39301
Published
2024-06-25T14:22:41.566Z
Modified
2026-03-13T07:56:59.074021Z
Summary
net/9p: fix uninit-value in p9_client_rpc()
Details

In the Linux kernel, the following vulnerability has been resolved:

net/9p: fix uninit-value in p9_client_rpc()

Syzbot with the help of KMSAN reported the following error:

BUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline]
BUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754
 trace_9p_client_res include/trace/events/9p.h:146 [inline]
 p9_client_rpc+0x1314/0x1340 net/9p/client.c:754
 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031
 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410
 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122
 legacy_get_tree+0x114/0x290 fs/fs_context.c:662
 vfs_get_tree+0xa7/0x570 fs/super.c:1797
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
 path_mount+0x742/0x1f20 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x725/0x810 fs/namespace.c:3875
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was created at:
 __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0x2de/0x1400 mm/slub.c:2391
 ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525
 __slab_alloc mm/slub.c:3610 [inline]
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852
 p9_tag_alloc net/9p/client.c:278 [inline]
 p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641
 p9_client_rpc+0x27e/0x1340 net/9p/client.c:688
 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031
 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410
 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122
 legacy_get_tree+0x114/0x290 fs/fs_context.c:662
 vfs_get_tree+0xa7/0x570 fs/super.c:1797
 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352
 path_mount+0x742/0x1f20 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x725/0x810 fs/namespace.c:3875
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

If p9_check_errors() fails early in p9_client_rpc(), req->rc.tag will not be properly initialized. However, trace_9p_client_res() ends up trying to print it out anyway before p9_client_rpc() finishes.

Fix this issue by assigning default values to p9_fcall fields such as 'tag' and (just in case KMSAN unearths something new) 'id' during the tag allocation stage.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39301.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced  348b59012e5c6402741d067cf6eeeb6271999d06
Fixed       72c5d8e416ecc46af370a1340b3db5ff0b0cc867
Fixed       2101901dd58c6da4924bc5efb217a1d83436290b
Fixed       124947855564572713d705a13be7d0c9dae16a17
Fixed       89969ffbeb948ffc159d19252e7469490103011b
Fixed       ca71f204711ad24113e8b344dc5bb8b0385f5672
Fixed       6c1791130b781c843572fb6391c4a4c5d857ab17
Fixed       fe5c604053c36c62af24eee8a76407d026ea5163
Fixed       25460d6f39024cc3b8241b14c7ccf0d6f11a736a

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-39301.json"