CVE-2024-39277 dma-mapping: benchmark: handle NUMA_NO_NODE correctly

2024-06-2111:15:13

Linux

www.cve.org

linux kernel

vulnerability

cve-2024-39277

dma-mapping

benchmark

numa_no_node

cpumask_of_node

sanitizer report

ubsan

array index out of bounds

qemu standard pc

kernel thread

kernel security

0.0004 Low

EPSS

Percentile

5.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

dma-mapping: benchmark: handle NUMA_NO_NODE correctly

cpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()
resulting in the following sanitizer report:

UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28
index -1 is out of range for type ‘cpumask [64][1]’
CPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:117)
ubsan_epilogue (lib/ubsan.c:232)
__ubsan_handle_out_of_bounds (lib/ubsan.c:429)
cpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]
do_map_benchmark (kernel/dma/map_benchmark.c:104)
map_benchmark_ioctl (kernel/dma/map_benchmark.c:246)
full_proxy_unlocked_ioctl (fs/debugfs/file.c:333)
__x64_sys_ioctl (fs/ioctl.c:890)
do_syscall_64 (arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Use cpumask_of_node() in place when binding a kernel thread to a cpuset
of a particular node.

Note that the provided node id is checked inside map_benchmark_ioctl().
It’s just a NUMA_NO_NODE case which is not handled properly later.

Found by Linux Verification Center (linuxtesting.org).

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "kernel/dma/map_benchmark.c"
    ],
    "versions": [
      {
        "version": "65789daa8087",
        "lessThan": "b41b0018e8ca",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "65789daa8087",
        "lessThan": "8e1ba9df9a35",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "65789daa8087",
        "lessThan": "5a91116b0031",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "65789daa8087",
        "lessThan": "50ee21bfc005",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "65789daa8087",
        "lessThan": "e64746e74f71",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "kernel/dma/map_benchmark.c"
    ],
    "versions": [
      {
        "version": "5.11",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.11",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.161",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.93",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.33",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9.4",
        "lessThanOrEqual": "6.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10-rc2",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]