CVE-2024-50301

CVE Details

Release Date:

2024-11-19

Description

In the Linux kernel, the following vulnerability has been resolved:\nsecurity/keys: fix slab-out-of-bounds in key_task_permission\nKASAN reports an out of bounds read:\nBUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36\nBUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]\nBUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410\nsecurity/keys/permission.c:54\nRead of size 4 at addr ffff88813c3ab618 by task stress-ng/4362\nCPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15\nCall Trace:\n__dump_stack lib/dump_stack.c:82 [inline]\ndump_stack+0x107/0x167 lib/dump_stack.c:123\nprint_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400\n__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560\nkasan_report+0x3a/0x50 mm/kasan/report.c:585\n__kuid_val include/linux/uidgid.h:36 [inline]\nuid_eq include/linux/uidgid.h:63 [inline]\nkey_task_permission+0x394/0x410 security/keys/permission.c:54\nsearch_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793\nThis issue was also reported by syzbot.\nIt can be reproduced by following these steps(more details [1]):\n1. Obtain more than 32 inputs that have similar hashes, which ends with the\npattern '0xxxxxxxe6'.\n2. Reboot and add the keys obtained in step 1.\nThe reproducer demonstrates how this issue happened:\n1. In the search_nested_keyrings function, when it iterates through the\nslots in a node(below tag ascend_to_node), if the slot pointer is meta\nand node->back_pointer != NULL(it means a root), it will proceed to\ndescend_to_node. However, there is an exception. If node is the root,\nand one of the slots points to a shortcut, it will be treated as a\nkeyring.\n2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.\nHowever, KEYRING_PTR_SUBTYPE is 0x2UL, the same as\nASSOC_ARRAY_PTR_SUBTYPE_MASK.\n3. When 32 keys with the similar hashes are added to the tree, the ROOT\nhas keys with hashes that are not similar (e.g. slot 0) and it splits\nNODE A without using a shortcut. When NODE A is filled with keys that\nall hashes are xxe6, the keys are similar, NODE A will split with a\nshortcut. Finally, it forms the tree as shown below, where slot 6 points\nto a shortcut.\nNODE A\n+------>+---+\nROOT | | 0 | xxe6\n+---+ | +---+\nxxxx | 0 | shortcut : : xxe6\n+---+ | +---+\nxxe6 : : | | | xxe6\n+---+ | +---+\n| 6 |---+ : : xxe6\n+---+ +---+\nxxe6 : : | f | xxe6\n+---+ +---+\nxxe6 | f |\n+---+\n4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,\nit may be mistakenly transferred to a key*, leading to a read\nout-of-bounds read.\nTo fix this issue, one should jump to descend_to_node if the ptr is a\nshortcut, regardless of whether the node is root or not.\n[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/\n[jarkko: tweaked the commit message a bit to have an appropriate closes\ntag.]

See more information about CVE-2024-50301 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	7.1
Vector String:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Version:	3.1
Attack Vector:	Local
Attack Complexity:	Low
Privileges Required:	Low
User Interaction:	None
Scope:	Unchanged
Confidentiality Impact:	High
Integrity Impact:	None
Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (kernel-uek)	ELSA-2025-20066	2025-01-27
Oracle Linux version 9 (kernel-uek)	ELSA-2025-20066	2025-01-27