CVE-2024-49885

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-49885
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49885.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-49885
Downstream
Related
Published
2024-10-21T18:01:22Z
Modified
2025-10-17T14:17:44.475204Z
Summary
mm, slub: avoid zeroing kmalloc redzone
Details

In the Linux kernel, the following vulnerability has been resolved:

mm, slub: avoid zeroing kmalloc redzone

Since commit 946fa0dbf2d8 ("mm/slub: extend redzone check to extra allocated kmalloc space than requested"), setting orig_size treats the wasted space (object_size - orig_size) as a redzone. However with init_on_free=1 we clear the full object->size, including the redzone.

Additionally we clear the object metadata, including the stored orig_size, making it zero, which makes check_object() treat the whole object as a redzone.

These issues lead to the following BUG report with "slub_debug=FUZ init_on_free=1":

[ 0.000000] =============================================================================
[ 0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten
[ 0.000000] -----------------------------------------------------------------------------
[ 0.000000]
[ 0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc
[ 0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc
[ 0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset|node=0|zone=0|lastcpupid=0x1ffff)
[ 0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8
[ 0.000000]
[ 0.000000] Redzone  ffff000010032850: cc cc cc cc cc cc cc cc                          ........
[ 0.000000] Object   ffff000010032858: cc cc cc cc cc cc cc cc                          ........
[ 0.000000] Redzone  ffff000010032860: cc cc cc cc cc cc cc cc                          ........
[ 0.000000] Padding  ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00              ............
[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 #144
[ 0.000000] Hardware name: NXP i.MX95 19X19 board (DT)
[ 0.000000] Call trace:
[ 0.000000]  dump_backtrace+0x90/0xe8
[ 0.000000]  show_stack+0x18/0x24
[ 0.000000]  dump_stack_lvl+0x74/0x8c
[ 0.000000]  dump_stack+0x18/0x24
[ 0.000000]  print_trailer+0x150/0x218
[ 0.000000]  check_object+0xe4/0x454
[ 0.000000]  free_to_partial_list+0x2f8/0x5ec

To address the issue, use orig_size to clear the used area. And restore the value of orig_size after clearing the remaining area.

When CONFIG_SLUB_DEBUG is not defined, get_orig_size() directly returns s->object_size. So when using memset to init the area, the size can simply be orig_size, as orig_size returns object_size when CONFIG_SLUB_DEBUG is not enabled. And orig_size can never be bigger than object_size.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
946fa0dbf2d8923a587f7348adf16563d59f1b3d
Fixed
7a2e823a19746d54052c625faecf0d2d6c52ee0a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
946fa0dbf2d8923a587f7348adf16563d59f1b3d
Fixed
83f0440b2f92227fcce9898118ca7fe7e0d64b1f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
946fa0dbf2d8923a587f7348adf16563d59f1b3d
Fixed
59090e479ac78ae18facd4c58eb332562a23020e

Affected versions

v6.*

v6.1
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.10
v6.10.11
v6.10.12
v6.10.13
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.10.7
v6.10.8
v6.10.9
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.2
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.10.14
Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.11.3