In the Linux kernel, the following vulnerability has been resolved:
fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super When
configuring a hugetlb filesystem via the fsconfig() syscall, there is a
possible NULL dereference in hugetlbfs_fill_super() caused by assigning
NULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize
is non valid. E.g: Taking the following steps: fd = fsopen(“hugetlbfs”,
FSOPEN_CLOEXEC); fsconfig(fd, FSCONFIG_SET_STRING, “pagesize”, “1024”, 0);
fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0); Given that the requested
“pagesize” is invalid, ctxt->hstate will be replaced with NULL, losing its
previous value, and we will print an error: … … case Opt_pagesize: ps =
memparse(param->string, &rest); ctx->hstate = h; if (!ctx->hstate) {
pr_err(“Unsupported page size %lu MB\n”, ps / SZ_1M); return -EINVAL; }
return 0; … … This is a problem because later on, we will dereference
ctxt->hstate in hugetlbfs_fill_super() … … sb->s_blocksize =
huge_page_size(ctx->hstate); … … Causing below Oops. Fix this by
replacing cxt->hstate value only when then pagesize is known to be valid.
kernel: hugetlbfs: Unsupported page size 0 MB kernel: BUG: kernel NULL
pointer dereference, address: 0000000000000028 kernel: #PF: supervisor read
access in kernel mode kernel: #PF: error_code(0x0000) - not-present page
kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0
kernel: Oops: 0000 [#1] PREEMPT SMP PTI kernel: CPU: 4 PID: 5659 Comm:
syscall Tainted: G E 6.8.0-rc2-default+ #22
5a47c3fef76212addcc6eb71344aabc35190ae8f kernel: Hardware name: Intel Corp.
GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017
kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0 kernel: Code: 48 8b 3b e8
3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff
ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0
49 89 44 24 18 48 8b 03 8b 40 28 kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS:
00010246 kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX:
0000000000372004 kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI:
ffff9af555e9b000 kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09:
0000000000370004 kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12:
ffff9af555e9b000 kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15:
ffff9af507d2f400 kernel: FS: 00007ffbc0ba4740(0000)
GS:ffff9b0bd7000000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000
ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000000028 CR3:
00000001b1ee0000 CR4: 00000000001506f0 kernel: Call Trace: kernel: <TASK>
kernel: ? __die_body+0x1a/0x60 kernel: ? page_fault_oops+0x16f/0x4a0
kernel: ? search_bpf_extables+0x65/0x70 kernel: ?
fixup_exception+0x22/0x310 kernel: ? exc_page_fault+0x69/0x150 kernel: ?
asm_exc_page_fault+0x22/0x30 kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10
kernel: ? hugetlbfs_fill_super+0xb4/0x1a0 kernel: ?
hugetlbfs_fill_super+0x28/0x1a0 kernel: ?
__pfx_hugetlbfs_fill_super+0x10/0x10 kernel: vfs_get_super+0x40/0xa0
kernel: ? __pfx_bpf_lsm_capable+0x10/0x10 kernel: vfs_get_tree+0x25/0xd0
kernel: vfs_cmd_create+0x64/0xe0 kernel: __x64_sys_fsconfig+0x395/0x410
kernel: do_syscall_64+0x80/0x160 kernel: ?
syscall_exit_to_user_mode+0x82/0x240 kernel: ? do_syscall_64+0x8d/0x160
kernel: ? syscall_exit_to_user_mode+0x82/0x240 kernel: ?
do_syscall_64+0x8d/0x160 kernel: ? exc_page_fault+0x69/0x150 kernel:
entry_SYSCALL_64_after_hwframe+0x6e/0x76 kernel: RIP: 0033:0x7ffbc0cb87c9
kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8
48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48 kernel: RSP:
002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af kernel:
RAX: fffffffffff —truncated—
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < 5.4.0-186.206 | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-112.122 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < 5.4.0-1126.136 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1063.69 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1063.69~20.04.1 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws-5.4 | < 5.4.0-1126.136~18.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < 5.4.0-1131.138 | UNKNOWN |
git.kernel.org/linus/79d72c68c58784a3e1cd2378669d51bfd0cb7498 (6.8-rc4)
git.kernel.org/stable/c/13c5a9fb07105557a1fa9efdb4f23d7ef30b7274
git.kernel.org/stable/c/1dde8ef4b7a749ae1bc73617c91775631d167557
git.kernel.org/stable/c/22850c9950a4e43a67299755d11498f3292d02ff
git.kernel.org/stable/c/2e2c07104b4904aed1389a59b25799b95a85b5b9
git.kernel.org/stable/c/79d72c68c58784a3e1cd2378669d51bfd0cb7498
git.kernel.org/stable/c/80d852299987a8037be145a94f41874228f1a773
git.kernel.org/stable/c/ec78418801ef7b0c22cd6a30145ec480dd48db39
launchpad.net/bugs/cve/CVE-2024-26688
nvd.nist.gov/vuln/detail/CVE-2024-26688
security-tracker.debian.org/tracker/CVE-2024-26688
ubuntu.com/security/notices/USN-6820-1
ubuntu.com/security/notices/USN-6820-2
ubuntu.com/security/notices/USN-6821-1
ubuntu.com/security/notices/USN-6821-2
ubuntu.com/security/notices/USN-6821-3
ubuntu.com/security/notices/USN-6821-4
ubuntu.com/security/notices/USN-6828-1
ubuntu.com/security/notices/USN-6831-1
www.cve.org/CVERecord?id=CVE-2024-26688