CVE-2024-49885

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-49885
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49885.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-49885
Downstream
Related
Published
2024-10-21T18:15:11Z
Modified
2025-08-09T20:01:25Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

mm, slub: avoid zeroing kmalloc redzone

Since commit 946fa0dbf2d8 ("mm/slub: extend redzone check to extra allocated kmalloc space than requested"), setting origsize treats the wasted space (objectsize - origsize) as a redzone. However with initon_free=1 we clear the full object->size, including the redzone.

Additionally we clear the object metadata, including the stored origsize, making it zero, which makes checkobject() treat the whole object as a redzone.

These issues lead to the following BUG report with "slubdebug=FUZ initon_free=1":

[ 0.000000] ============================================================================= [ 0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten [ 0.000000] ----------------------------------------------------------------------------- [ 0.000000] [ 0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc [ 0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc [ 0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset|node=0|zone=0|lastcpupid=0x1ffff) [ 0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8 [ 0.000000] [ 0.000000] Redzone ffff000010032850: cc cc cc cc cc cc cc cc ........ [ 0.000000] Object ffff000010032858: cc cc cc cc cc cc cc cc ........ [ 0.000000] Redzone ffff000010032860: cc cc cc cc cc cc cc cc ........ [ 0.000000] Padding ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00 ............ [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 #144 [ 0.000000] Hardware name: NXP i.MX95 19X19 board (DT) [ 0.000000] Call trace: [ 0.000000] dumpbacktrace+0x90/0xe8 [ 0.000000] showstack+0x18/0x24 [ 0.000000] dumpstacklvl+0x74/0x8c [ 0.000000] dumpstack+0x18/0x24 [ 0.000000] printtrailer+0x150/0x218 [ 0.000000] checkobject+0xe4/0x454 [ 0.000000] freetopartiallist+0x2f8/0x5ec

To address the issue, use origsize to clear the used area. And restore the value of origsize after clear the remaining area.

When CONFIGSLUBDEBUG not defined, (getorigsize()' directly returns s->objectsize. So when using memset to init the area, the size can simply be origsize, as origsize returns objectsize when CONFIGSLUBDEBUG not enabled. And origsize can never be bigger than objectsize.

References

Affected packages