CVE-2024-56368

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56368
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56368.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-56368
Downstream
Related
Published
2025-01-11T12:35:45Z
Modified
2025-10-17T18:14:15.679360Z
Summary
ring-buffer: Fix overflow in __rb_map_vma
Details

In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Fix overflow in _rbmap_vma

An overflow occurred when performing the following calculation:

nrpages = ((nrsubbufs + 1) << subbuf_order) - pgoff;

Add a check before the calculation to avoid this problem.

syzbot reported this as a slab-out-of-bounds in _rbmap_vma:

BUG: KASAN: slab-out-of-bounds in _rbmapvma+0x9ab/0xae0 kernel/trace/ringbuffer.c:7058 Read of size 8 at addr ffff8880767dd2b8 by task syz-executor187/5836

CPU: 0 UID: 0 PID: 5836 Comm: syz-executor187 Not tainted 6.13.0-rc2-syzkaller-00159-gf932fb9b4074 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x116/0x1f0 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xc3/0x620 mm/kasan/report.c:489 kasanreport+0xd9/0x110 mm/kasan/report.c:602 _rbmapvma+0x9ab/0xae0 kernel/trace/ringbuffer.c:7058 ringbuffermap+0x56e/0x9b0 kernel/trace/ringbuffer.c:7138 tracingbuffersmmap+0xa6/0x120 kernel/trace/trace.c:8482 callmmap include/linux/fs.h:2183 [inline] mmapfile mm/internal.h:124 [inline] _mmapnewfilevma mm/vma.c:2291 [inline] _mmapnewvma mm/vma.c:2355 [inline] _mmapregion+0x1786/0x2670 mm/vma.c:2456 mmapregion+0x127/0x320 mm/mmap.c:1348 dommap+0xc00/0xfc0 mm/mmap.c:496 vmmmappgoff+0x1ba/0x360 mm/util.c:580 ksysmmappgoff+0x32c/0x5c0 mm/mmap.c:542 _dosysmmap arch/x86/kernel/sysx8664.c:89 [inline] _sesysmmap arch/x86/kernel/sysx8664.c:82 [inline] _x64sysmmap+0x125/0x190 arch/x86/kernel/sysx8664.c:82 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xcd/0x250 arch/x86/entry/common.c:83 entrySYSCALL64after_hwframe+0x77/0x7f

The reproducer for this bug is:

------------------------8<------------------------- #include <fcntl.h> #include <stdlib.h> #include <unistd.h> #include <asm/types.h> #include <sys/mman.h>

int main(int argc, char **argv) { int page_size = getpagesize(); int fd; void *meta;

system("echo 1 > /sys/kernel/tracing/buffer_size_kb");
fd = open("/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw", O_RDONLY);

meta = mmap(NULL, page_size, PROT_READ, MAP_SHARED, fd, page_size * 5);

} ------------------------>8-------------------------

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
117c39200d9d760cbd5944bb89efb7b9c51965aa
Fixed
ec12f30fe54234dd40ffee50dda8d2df10bd0871
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
117c39200d9d760cbd5944bb89efb7b9c51965aa
Fixed
c58a812c8e49ad688f94f4b050ad5c5b388fc5d2

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.9

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.12.7