vulnrichment / Linux / VULNRICHMENT:CVE-2024-38576
History: Jun 19, 2024 - 1:37 p.m.

CVE-2024-38576 rcu: Fix buffer overflow in print_cpu_stall_info()

2024-06-19 13:37:35
Linux
github.com
Tags: linux kernel, vulnerability, buffer overflow, printing, integer overflow, jiffies difference, debugging, snprintf, clarifying comment, linux verification center

AI Score: 7.3
Confidence: Low

SSVC
Exploitation: none
Automatable: no
Technical Impact: partial

In the Linux kernel, the following vulnerability has been resolved:

rcu: Fix buffer overflow in print_cpu_stall_info()

The rcuc-starvation output from print_cpu_stall_info() might overflow the
buffer if there is a huge difference in jiffies difference. The situation
might seem improbable, but computers sometimes get very confused about
time, which can result in full-sized integers, and, in this case,
buffer overflow.

Also, the unsigned jiffies difference is printed using %ld, which is
normally for signed integers. This is intentional for debugging purposes,
but it is not obvious from the code.

This commit therefore changes sprintf() to snprintf() and adds a
clarifying comment about intention of %ld format.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
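
The failure mode described above, shown as an added user-space example rather than the kernel's code: a jiffies difference that wraps to a full-width value needs more bytes than a buffer sized for ordinary values, and snprintf() truncates where sprintf() would write past the end. The buffer size, message text and function names are assumptions made for this illustration and are not taken from kernel/rcu/tree_stall.h.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size and message text, chosen for this example;
 * they are not taken from kernel/rcu/tree_stall.h. */
#define STALL_BUF_SIZE 24
#define STALL_FMT "last ran %ldj ago"

/* Bytes needed (including the NUL) for the widest value %ld can print. */
static size_t stall_worst_case(void)
{
    return (size_t)snprintf(NULL, 0, STALL_FMT, LONG_MIN) + 1;
}

/*
 * Bounded formatting of a jiffies difference. The unsigned difference is
 * deliberately shown as signed, so a wrapped value prints as a negative
 * number. Returns 1 if the output was truncated, 0 if it fit, -1 on a
 * formatting error.
 */
static int format_stall(char *buf, size_t size,
                        unsigned long now, unsigned long last)
{
    unsigned long delta = now - last;   /* wraps if "last" is ahead of "now" */
    int n = snprintf(buf, size, STALL_FMT, (long)delta);

    if (n < 0)
        return -1;
    return (size_t)n >= size;
}

int main(void)
{
    char buf[STALL_BUF_SIZE];
    unsigned long now = 1250;                         /* constructed values */
    unsigned long confused = now + ULONG_MAX / 2 + 1; /* delta becomes LONG_MIN */

    printf("worst case needs %zu bytes, buffer has %d\n",
           stall_worst_case(), STALL_BUF_SIZE);
    printf("%d: %s\n", format_stall(buf, sizeof(buf), now, 1000), buf);
    printf("%d: %s\n", format_stall(buf, sizeof(buf), now, confused), buf);
    return 0;
}
```

The truncation return value is the signal to act on: either size the buffer from the worst case or treat a truncated line as incomplete diagnostic output.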

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "245a62982502",
        "lessThan": "e2228ed3fe7a",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "245a62982502",
        "lessThan": "afb39909bfb5",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "245a62982502",
        "lessThan": "9351e1338539",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "245a62982502",
        "lessThan": "4c3e2ef4d8dd",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "245a62982502",
        "lessThan": "3758f7d9917b",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "kernel/rcu/tree_stall.h"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "6.0"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "6.0",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "6.1.93",
        "versionType": "custom",
        "lessThanOrEqual": "6.1.*"
      },
      {
        "status": "unaffected",
        "version": "6.6.33",
        "versionType": "custom",
        "lessThanOrEqual": "6.6.*"
      },
      {
        "status": "unaffected",
        "version": "6.8.12",
        "versionType": "custom",
        "lessThanOrEqual": "6.8.*"
      },
      {
        "status": "unaffected",
        "version": "6.9.3",
        "versionType": "custom",
        "lessThanOrEqual": "6.9.*"
      },
      {
        "status": "unaffected",
        "version": "6.10",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "kernel/rcu/tree_stall.h"
    ],
    "defaultStatus": "affected"
  }
]
