CVE-2024-50227

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan() KASAN reported following issue: BUG: KASAN: stack-out-of-bounds in tb_retimer_scan+0xffe/0x1550 [thunderbolt] Read of size 4 at addr ffff88810111fc1c by task kworker/u56:0/11 CPU: 0 UID: 0 PID: 11 Comm: kworker/u56:0 Tainted: G U 6.11.0+ #1387 Tainted: [U]=USER Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt] Call Trace: <TASK> dump_stack_lvl+0x6c/0x90 print_report+0xd1/0x630 kasan_report+0xdb/0x110 __asan_report_load4_noabort+0x14/0x20 tb_retimer_scan+0xffe/0x1550 [thunderbolt] tb_scan_port+0xa6f/0x2060 [thunderbolt] tb_handle_hotplug+0x17b1/0x3080 [thunderbolt] process_one_work+0x626/0x1100 worker_thread+0x6c8/0xfa0 kthread+0x2c8/0x3a0 ret_from_fork+0x3a/0x80 ret_from_fork_asm+0x1a/0x30 This happens because the loop variable still gets incremented by one so max becomes 3 instead of 2, and this makes the second loop read past the the array declared on the stack. Fix this by assigning to max directly in the loop body.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*

History

13 Nov 2024, 18:39

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.1
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/08b2771e9270fbe1ed4fbbe93abe05ac7fe9861d - () https://git.kernel.org/stable/c/08b2771e9270fbe1ed4fbbe93abe05ac7fe9861d - Patch
References () https://git.kernel.org/stable/c/e9e1b20fae7de06ba36dd3f8dba858157bad233d - () https://git.kernel.org/stable/c/e9e1b20fae7de06ba36dd3f8dba858157bad233d - Patch
CWE CWE-125
First Time Linux linux Kernel
Linux

12 Nov 2024, 13:56

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: thunderbolt: Se corrige la lectura fuera de los límites de pila informada por KASAN en tb_retimer_scan() KASAN informó el siguiente problema: ERROR: KASAN: pila fuera de los límites en tb_retimer_scan+0xffe/0x1550 [thunderbolt] Lectura de tamaño 4 en la dirección ffff88810111fc1c por la tarea kworker/u56:0/11 CPU: 0 UID: 0 PID: 11 Comm: kworker/u56:0 Tainted: GU 6.11.0+ #1387 Tainted: [U]=USER Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt] Rastreo de llamadas: dump_stack_lvl+0x6c/0x90 print_report+0xd1/0x630 kasan_report+0xdb/0x110 __asan_report_load4_noabort+0x14/0x20 tb_retimer_scan+0xffe/0x1550 [thunderbolt] tb_scan_port+0xa6f/0x2060 [thunderbolt] tb_handle_hotplug+0x17b1/0x3080 [thunderbolt] process_one_work+0x626/0x1100 worker_thread+0x6c8/0xfa0 kthread+0x2c8/0x3a0 ret_from_fork+0x3a/0x80 ret_from_fork_asm+0x1a/0x30 Esto sucede porque la variable de bucle todavía se incrementa en uno, por lo que max se convierte en 3 en lugar de 2, y esto hace que el segundo bucle lea más allá de la matriz declarada en la pila. Solucione este problema asignando a max directamente en el cuerpo del bucle.

09 Nov 2024, 11:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-09 11:15

Updated : 2024-11-13 18:39


NVD link : CVE-2024-50227

Mitre link : CVE-2024-50227

CVE.ORG link : CVE-2024-50227


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-125

Out-of-bounds Read