CVE-2024-56765

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56765
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56765.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-56765
Downstream
Related
Published
2025-01-06T17:15:42Z
Modified
2025-08-09T20:01:25Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/vas: Add close() callback in vasvmops struct

The mapping VMA address is saved in VAS window struct when the paste address is mapped. This VMA address is used during migration to unmap the paste address if the window is active. The paste address mapping will be removed when the window is closed or with the munmap(). But the VMA address in the VAS window is not updated with munmap() which is causing invalid access during migration.

The KASAN report shows: [16386.254991] BUG: KASAN: slab-use-after-free in reconfigclosewindows+0x1a0/0x4e8 [16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928

[16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2 [16386.255128] Tainted: [B]=BADPAGE [16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110016) hv:phyp pSeries [16386.255181] Call Trace: [16386.255202] [c00000016b297660] [c0000000018ad0ac] dumpstacklvl+0x84/0xe8 (unreliable) [16386.255246] [c00000016b297690] [c0000000006e8a90] printreport+0x19c/0x764 [16386.255285] [c00000016b297760] [c0000000006e9490] kasanreport+0x128/0x1f8 [16386.255309] [c00000016b297880] [c0000000006eb5c8] _asanload8+0xac/0xe0 [16386.255326] [c00000016b2978a0] [c00000000013f898] reconfigclosewindows+0x1a0/0x4e8 [16386.255343] [c00000016b297990] [c000000000140e58] vasmigrationhandler+0x3a4/0x3fc [16386.255368] [c00000016b297a90] [c000000000128848] pseriesmigratepartition+0x4c/0x4c4 ...

[16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s: [16386.256149] kasansavestack+0x34/0x68 [16386.256163] kasansavetrack+0x34/0x80 [16386.256175] kasansaveallocinfo+0x58/0x74 [16386.256196] _kasanslaballoc+0xb8/0xdc [16386.256209] kmemcacheallocnoprof+0x200/0x3d0 [16386.256225] vmareaalloc+0x44/0x150 [16386.256245] mmapregion+0x214/0x10c4 [16386.256265] dommap+0x5fc/0x750 [16386.256277] vmmmappgoff+0x14c/0x24c [16386.256292] ksysmmappgoff+0x20c/0x348 [16386.256303] sysmmap+0xd0/0x160 ...

[16386.256350] Freed by task 0 on cpu 31 at 16386.204848s: [16386.256363] kasansavestack+0x34/0x68 [16386.256374] kasansavetrack+0x34/0x80 [16386.256384] kasansavefreeinfo+0x64/0x10c [16386.256396] _kasanslabfree+0x120/0x204 [16386.256415] kmemcachefree+0x128/0x450 [16386.256428] vmareafreercucb+0xa8/0xd8 [16386.256441] rcudobatch+0x2c8/0xcf0 [16386.256458] rcucore+0x378/0x3c4 [16386.256473] handlesoftirqs+0x20c/0x60c [16386.256495] dosoftirqownstack+0x6c/0x88 [16386.256509] dosoftirqownstack+0x58/0x88 [16386.256521] _irqexitrcu+0x1a4/0x20c [16386.256533] irqexit+0x20/0x38 [16386.256544] interruptasyncexit_prepare.constprop.0+0x18/0x2c ...

[16386.256717] Last potentially related work creation: [16386.256729] kasansavestack+0x34/0x68 [16386.256741] _kasanrecordauxstack+0xcc/0x12c [16386.256753] _callrcucommon.constprop.0+0x94/0xd04 [16386.256766] vmareafree+0x28/0x3c [16386.256778] removevma+0xf4/0x114 [16386.256797] dovmialignmunmap.constprop.0+0x684/0x870 [16386.256811] _vmmunmap+0xe0/0x1f8 [16386.256821] sysmunmap+0x54/0x6c [16386.256830] systemcallexception+0x1a0/0x4a0 [16386.256841] systemcallvectored_common+0x15c/0x2ec

[16386.256868] The buggy address belongs to the object at c00000014a819670 which belongs to the cache vmareastruct of size 168 [16386.256887] The buggy address is located 0 bytes inside of freed 168-byte region [c00000014a819670, c00000014a819718)

[16386.256915] The buggy address belongs to the physical page: [16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81 [16386.256950] memcg:c0000000ba430001 [16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff) [16386.256975] page_type: 0xfdffffff(slab) [16386 ---truncated---

References

Affected packages