CVE-2024-56765

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56765
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56765.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-56765
Related
Published
2025-01-06T17:15:42Z
Modified
2025-01-16T05:48:18.821478Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/vas: Add close() callback in vasvmops struct

The mapping VMA address is saved in VAS window struct when the paste address is mapped. This VMA address is used during migration to unmap the paste address if the window is active. The paste address mapping will be removed when the window is closed or with the munmap(). But the VMA address in the VAS window is not updated with munmap() which is causing invalid access during migration.

The KASAN report shows: [16386.254991] BUG: KASAN: slab-use-after-free in reconfigclosewindows+0x1a0/0x4e8 [16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928

[16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2 [16386.255128] Tainted: [B]=BADPAGE [16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110016) hv:phyp pSeries [16386.255181] Call Trace: [16386.255202] [c00000016b297660] [c0000000018ad0ac] dumpstacklvl+0x84/0xe8 (unreliable) [16386.255246] [c00000016b297690] [c0000000006e8a90] printreport+0x19c/0x764 [16386.255285] [c00000016b297760] [c0000000006e9490] kasanreport+0x128/0x1f8 [16386.255309] [c00000016b297880] [c0000000006eb5c8] _asanload8+0xac/0xe0 [16386.255326] [c00000016b2978a0] [c00000000013f898] reconfigclosewindows+0x1a0/0x4e8 [16386.255343] [c00000016b297990] [c000000000140e58] vasmigrationhandler+0x3a4/0x3fc [16386.255368] [c00000016b297a90] [c000000000128848] pseriesmigratepartition+0x4c/0x4c4 ...

[16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s: [16386.256149] kasansavestack+0x34/0x68 [16386.256163] kasansavetrack+0x34/0x80 [16386.256175] kasansaveallocinfo+0x58/0x74 [16386.256196] _kasanslaballoc+0xb8/0xdc [16386.256209] kmemcacheallocnoprof+0x200/0x3d0 [16386.256225] vmareaalloc+0x44/0x150 [16386.256245] mmapregion+0x214/0x10c4 [16386.256265] dommap+0x5fc/0x750 [16386.256277] vmmmappgoff+0x14c/0x24c [16386.256292] ksysmmappgoff+0x20c/0x348 [16386.256303] sysmmap+0xd0/0x160 ...

[16386.256350] Freed by task 0 on cpu 31 at 16386.204848s: [16386.256363] kasansavestack+0x34/0x68 [16386.256374] kasansavetrack+0x34/0x80 [16386.256384] kasansavefreeinfo+0x64/0x10c [16386.256396] _kasanslabfree+0x120/0x204 [16386.256415] kmemcachefree+0x128/0x450 [16386.256428] vmareafreercucb+0xa8/0xd8 [16386.256441] rcudobatch+0x2c8/0xcf0 [16386.256458] rcucore+0x378/0x3c4 [16386.256473] handlesoftirqs+0x20c/0x60c [16386.256495] dosoftirqownstack+0x6c/0x88 [16386.256509] dosoftirqownstack+0x58/0x88 [16386.256521] _irqexitrcu+0x1a4/0x20c [16386.256533] irqexit+0x20/0x38 [16386.256544] interruptasyncexit_prepare.constprop.0+0x18/0x2c ...

[16386.256717] Last potentially related work creation: [16386.256729] kasansavestack+0x34/0x68 [16386.256741] _kasanrecordauxstack+0xcc/0x12c [16386.256753] _callrcucommon.constprop.0+0x94/0xd04 [16386.256766] vmareafree+0x28/0x3c [16386.256778] removevma+0xf4/0x114 [16386.256797] dovmialignmunmap.constprop.0+0x684/0x870 [16386.256811] _vmmunmap+0xe0/0x1f8 [16386.256821] sysmunmap+0x54/0x6c [16386.256830] systemcallexception+0x1a0/0x4a0 [16386.256841] systemcallvectored_common+0x15c/0x2ec

[16386.256868] The buggy address belongs to the object at c00000014a819670 which belongs to the cache vmareastruct of size 168 [16386.256887] The buggy address is located 0 bytes inside of freed 168-byte region [c00000014a819670, c00000014a819718)

[16386.256915] The buggy address belongs to the physical page: [16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81 [16386.256950] memcg:c0000000ba430001 [16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff) [16386.256975] page_type: 0xfdffffff(slab) [16386 ---truncated---

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.123-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.8-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1
6.1.123-1
6.1.124-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1
6.10.6-1
6.10.7-1
6.10.9-1
6.10.11-1~bpo12+1
6.10.11-1
6.10.12-1
6.11~rc4-1~exp1
6.11~rc5-1~exp1
6.11-1~exp1
6.11.2-1
6.11.4-1
6.11.5-1~bpo12+1
6.11.5-1
6.11.6-1
6.11.7-1
6.11.9-1
6.11.10-1~bpo12+1
6.11.10-1
6.12~rc6-1~exp1
6.12.3-1
6.12.5-1
6.12.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}