Release Date: | 2024-07-10 |
In the Linux kernel, the following vulnerability has been resolved:\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that struct\nare suitably aligned within arrays.\nWhen CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:\nstruct bug_entry {\nsigned int bug_addr_disp;// 4 bytes\nsigned int file_disp;// 4 bytes\nunsigned short line;// 2 bytes\nunsigned short flags;// 2 bytes\n}\n... with 12 bytes total, requiring 4-byte alignment.\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\nstruct bug_entry {\nsigned int bug_addr_disp;// 4 bytes\nunsigned short flags;// 2 bytes\n< implicit padding >// 2 bytes\n}\n... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alginment.\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\nfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\nif (bugaddr == bug_addr(bug))\nreturn bug;\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\nmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\nsechdrs[i].sh_size == 6\nsizeof(struct bug_entry) == 8;\nsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\nConsequently module_find_bug() will miss the last bug_entry when it does:\nfor (i = 0; i < mod->num_bugs; ++i, ++bug)\nif (bugaddr == bug_addr(bug))\ngoto out;\n... which can lead to a kenrel panic due to an unhandled bug.\nThis can be demonstrated with the following module:\nstatic int __init buginit(void)\n{\nWARN(1, 'hello\n');\nreturn 0;\n}\nstatic void __exit bugexit(void)\n{\n}\nmodule_init(buginit);\nmodule_exit(bugexit);\nMODULE_LICENSE('GPL');\n... which will trigger a kernel panic when loaded:\n------------[ cut here ]------------\nhello\nUnexpected kernel BRK exception at EL1\nInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in: hello(O+)\nCPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8\nHardware name: linux,dummy-virt (DT)\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : buginit+0x18/0x1000 [hello]\nlr : buginit+0x18/0x1000 [hello]\nsp : ffff800080533ae0\nx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\nx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\nx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\nx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\nx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\nx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\nx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\nx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\nx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\nCall trace:\nbuginit+0x18/0x1000 [hello]\ndo_one_initcall+0x80/0x1c8\ndo_init_module+0x60/0x218\nload_module+0x1ba4/0x1d70\n__do_sys_init_module+0x198/0x1d0\n__arm64_sys_init_module+0x1c/0x28\ninvoke_syscall+0x48/0x114\nel0_svc\n---truncated---
See more information about CVE-2024-39488 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
Base Score: | 5.5 | CVSS Vector: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Attack Vector: | Local network | Attack Complexity: | Low |
Privileges Required: | Low | User Interaction: | None |
Scope: | Unchanged | Confidentiality Impact: | None |
Integrity Impact: | None | Availability Impact: | High |
Platform | Errata | Release Date |
Oracle Linux version 7 (kernel-uek) | ELSA-2024-12581 | 2024-08-12 |
Oracle Linux version 7 (kernel-uek) | ELSA-2024-12611 | 2024-09-11 |
Oracle Linux version 7 (kernel-uek-container) | ELSA-2024-12585 | 2024-08-12 |
Oracle Linux version 8 (kernel-uek) | ELSA-2024-12581 | 2024-08-12 |
Oracle Linux version 8 (kernel-uek-container) | ELSA-2024-12584 | 2024-08-12 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: