CVE-2024-36892

{"id": "CVE-2024-36892", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-30T16:15:12.680", "references": [{"url": "https://git.kernel.org/stable/c/56900355485f6e82114b18c812edd57fd7970dcb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8f828aa48812ced28aa39cb3cfe55ef2444d03dd", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/56900355485f6e82114b18c812edd57fd7970dcb", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/8f828aa48812ced28aa39cb3cfe55ef2444d03dd", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: avoid zeroing outside-object freepointer for single free\n\nCommit 284f17ac13fe (\"mm/slub: handle bulk and single object freeing\nseparately\") splits single and bulk object freeing in two functions\nslab_free() and slab_free_bulk() which leads slab_free() to call\nslab_free_hook() directly instead of slab_free_freelist_hook().\n\nIf `init_on_free` is set, slab_free_hook() zeroes the object.\nAfterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are\nset, the do_slab_free() slowpath executes freelist consistency\nchecks and try to decode a zeroed freepointer which leads to a\n\"Freepointer corrupt\" detection in check_object().\n\nDuring bulk free, slab_free_freelist_hook() isn't affected as it always\nsets it objects freepointer using set_freepointer() to maintain its\nreconstructed freelist after `init_on_free`.\n\nFor single free, object's freepointer thus needs to be avoided when\nstored outside the object if `init_on_free` is set. The freepointer left\nas is, check_object() may later detect an invalid pointer value due to\nobjects overflow.\n\nTo reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the\ncommand line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`.\n\ndmesg sample log:\n[ 10.708715] =============================================================================\n[ 10.710323] BUG kmalloc-rnd-05-32 (Tainted: G B T ): Freepointer corrupt\n[ 10.712695] -----------------------------------------------------------------------------\n[ 10.712695]\n[ 10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2)\n[ 10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c\n[ 10.716698]\n[ 10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n[ 10.720703] Object ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n[ 10.720703] Object ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n[ 10.724696] Padding ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n[ 10.724696] Padding ffff9d9a8035667c: 00 00 00 00 ....\n[ 10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/slub: evita poner a cero el puntero libre de objetos externos para un solo commit libre 284f17ac13fe (\"mm/slub: maneja la liberaci\u00f3n masiva y de objetos individuales por separado\") divide la liberaci\u00f3n de objetos \u00fanicos y masivos en dos funciones slab_free() y slab_free_bulk() lo que lleva a slab_free() a llamar a slab_free_hook() directamente en lugar de slab_free_freelist_hook(). Si se establece `init_on_free`, slab_free_hook() pone a cero el objeto. Luego, si se configuran `slub_debug=F` y `CONFIG_SLAB_FREELIST_HARDENED`, la ruta lenta do_slab_free() ejecuta comprobaciones de coherencia de la lista libre e intenta decodificar un freepointer puesto a cero, lo que conduce a una detecci\u00f3n de \"Freepointer corrupto\" en check_object(). Durante la liberaci\u00f3n masiva, slab_free_freelist_hook() no se ve afectado ya que siempre establece el puntero libre de sus objetos usando set_freepointer() para mantener su lista libre reconstruida despu\u00e9s de `init_on_free`. Para un solo libre, el puntero libre del objeto debe evitarse cuando se almacena fuera del objeto si est\u00e1 configurado \"init_on_free\". El puntero libre se deja como est\u00e1, check_object() puede detectar m\u00e1s adelante un valor de puntero no v\u00e1lido debido a un desbordamiento de objetos. Para reproducir, configure `slub_debug=FU init_on_free=1 log_level=7` en la l\u00ednea de comando de una compilaci\u00f3n del kernel con `CONFIG_SLAB_FREELIST_HARDENED=y`. Registro de muestra de dmesg: [10.708715] ============================================ ================================== [10.710323] ERROR kmalloc-rnd-05-32 (Contaminado: GBT) : Freepointer corrupto [10.712695] -------------------------------------------- --------------------------------- [ 10.712695] [ 10.712695] Losa 0xffffd8bdc400d580 objetos=32 usados=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2) [ 10.716698] Objeto 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c [ 10.716698] [ 10.716698] Bytes b4 9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.720703] Objeto ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [ 10.720703] Objeto ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.724696] Relleno ffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 10.724696] Relleno ffff9d9a8035667c: 00 00 00 00 .... [ 10.724696 ] FIX kmalloc-rnd-05-32: Objeto en 0xffff9d9a80356600 no liberado"}], "lastModified": "2025-09-18T14:46:34.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B0D3E543-9D44-48EC-AEFE-B1F1DE163D83", "versionEndExcluding": "6.8.10", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52048DDA-FC5A-4363-95A0-A6357B4D7F8C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A06B2CCF-3F43-4FA9-8773-C83C3F5764B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F850DCEC-E08B-4317-A33B-D2DCF39F601B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "91326417-E981-482E-A5A3-28BC1327521B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DAECDCD8-F556-4606-8D7B-5C6D47A501F2"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}