CVE-2024-43856

In the Linux kernel, the following vulnerability has been resolved: dma: fix call order in dmam_free_coherent dmam_free_coherent() frees a DMA allocation, which makes the freed vaddr available for reuse, then calls devres_destroy() to remove and free the data structure used to track the DMA allocation. Between the two calls, it is possible for a concurrent task to make an allocation with the same vaddr and add it to the devres list. If this happens, there will be two entries in the devres list with the same vaddr and devres_destroy() can free the wrong entry, triggering the WARN_ON() in dmam_match. Fix by destroying the devres entry before freeing the DMA allocation. kokonut //net/encryption http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/1fe97f68fce1ba24bf823bfb0eb0956003473130	Patch
https://git.kernel.org/stable/c/22094f5f52e7bc16c5bf9613365049383650b02e	Patch
https://git.kernel.org/stable/c/257193083e8f43907e99ea633820fc2b3bcd24c7	Patch
https://git.kernel.org/stable/c/28e8b7406d3a1f5329a03aa25a43aa28e087cb20	Patch
https://git.kernel.org/stable/c/2f7bbdc744f2e7051d1cb47c8e082162df1923c9	Patch
https://git.kernel.org/stable/c/87b34c8c94e29fa01d744e5147697f592998d954	Patch
https://git.kernel.org/stable/c/f993a4baf6b622232e4c190d34c220179e5d61eb	Patch
https://git.kernel.org/stable/c/fe2d246080f035e0af5793cb79067ba125e4fb63	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

22 Aug 2024, 17:57

Type	Values Removed	Values Added
First Time		Linux Linux linux Kernel
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CWE		CWE-770
CPE		cpe:2.3:o:linux:linux_kernel::::::::
References	~~() https://git.kernel.org/stable/c/1fe97f68fce1ba24bf823bfb0eb0956003473130 -~~	() https://git.kernel.org/stable/c/1fe97f68fce1ba24bf823bfb0eb0956003473130 - Patch
References	~~() https://git.kernel.org/stable/c/22094f5f52e7bc16c5bf9613365049383650b02e -~~	() https://git.kernel.org/stable/c/22094f5f52e7bc16c5bf9613365049383650b02e - Patch
References	~~() https://git.kernel.org/stable/c/257193083e8f43907e99ea633820fc2b3bcd24c7 -~~	() https://git.kernel.org/stable/c/257193083e8f43907e99ea633820fc2b3bcd24c7 - Patch
References	~~() https://git.kernel.org/stable/c/28e8b7406d3a1f5329a03aa25a43aa28e087cb20 -~~	() https://git.kernel.org/stable/c/28e8b7406d3a1f5329a03aa25a43aa28e087cb20 - Patch
References	~~() https://git.kernel.org/stable/c/2f7bbdc744f2e7051d1cb47c8e082162df1923c9 -~~	() https://git.kernel.org/stable/c/2f7bbdc744f2e7051d1cb47c8e082162df1923c9 - Patch
References	~~() https://git.kernel.org/stable/c/87b34c8c94e29fa01d744e5147697f592998d954 -~~	() https://git.kernel.org/stable/c/87b34c8c94e29fa01d744e5147697f592998d954 - Patch
References	~~() https://git.kernel.org/stable/c/f993a4baf6b622232e4c190d34c220179e5d61eb -~~	() https://git.kernel.org/stable/c/f993a4baf6b622232e4c190d34c220179e5d61eb - Patch
References	~~() https://git.kernel.org/stable/c/fe2d246080f035e0af5793cb79067ba125e4fb63 -~~	() https://git.kernel.org/stable/c/fe2d246080f035e0af5793cb79067ba125e4fb63 - Patch

19 Aug 2024, 12:59

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: dma: corrige el orden de llamadas en dmam_free_coherent dmam_free_coherent() libera una asignación de DMA, lo que hace que el vaddr liberado esté disponible para su reutilización, luego llama a devres_destroy() para eliminar y liberar la estructura de datos utilizada para realizar un seguimiento de la asignación de DMA. Entre las dos llamadas, es posible que una tarea simultánea realice una asignación con el mismo vaddr y lo agregue a la lista de devres. Si esto sucede, habrá dos entradas en la lista devres con el mismo vaddr y devres_destroy() puede liberar la entrada incorrecta, activando WARN_ON() en dmam_match. Para solucionarlo, destruya la entrada devres antes de liberar la asignación de DMA. kokonut //net/encryption http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03

19 Aug 2024, 05:15

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/257193083e8f43907e99ea633820fc2b3bcd24c7 - () https://git.kernel.org/stable/c/2f7bbdc744f2e7051d1cb47c8e082162df1923c9 - () https://git.kernel.org/stable/c/87b34c8c94e29fa01d744e5147697f592998d954 - () https://git.kernel.org/stable/c/fe2d246080f035e0af5793cb79067ba125e4fb63 -

17 Aug 2024, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-17 10:15

Updated : 2024-08-22 17:57

NVD link : CVE-2024-43856

Mitre link : CVE-2024-43856

CVE.ORG link : CVE-2024-43856

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2024-43856", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-17T10:15:10.613", "references": [{"url": "https://git.kernel.org/stable/c/1fe97f68fce1ba24bf823bfb0eb0956003473130", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/22094f5f52e7bc16c5bf9613365049383650b02e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/257193083e8f43907e99ea633820fc2b3bcd24c7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/28e8b7406d3a1f5329a03aa25a43aa28e087cb20", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2f7bbdc744f2e7051d1cb47c8e082162df1923c9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/87b34c8c94e29fa01d744e5147697f592998d954", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f993a4baf6b622232e4c190d34c220179e5d61eb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fe2d246080f035e0af5793cb79067ba125e4fb63", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: fix call order in dmam_free_coherent\n\ndmam_free_coherent() frees a DMA allocation, which makes the\nfreed vaddr available for reuse, then calls devres_destroy()\nto remove and free the data structure used to track the DMA\nallocation. Between the two calls, it is possible for a\nconcurrent task to make an allocation with the same vaddr\nand add it to the devres list.\n\nIf this happens, there will be two entries in the devres list\nwith the same vaddr and devres_destroy() can free the wrong\nentry, triggering the WARN_ON() in dmam_match.\n\nFix by destroying the devres entry before freeing the DMA\nallocation.\n\n kokonut //net/encryption\n http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: dma: corrige el orden de llamadas en dmam_free_coherent dmam_free_coherent() libera una asignaci\u00f3n de DMA, lo que hace que el vaddr liberado est\u00e9 disponible para su reutilizaci\u00f3n, luego llama a devres_destroy() para eliminar y liberar la estructura de datos utilizada para realizar un seguimiento de la asignaci\u00f3n de DMA. Entre las dos llamadas, es posible que una tarea simult\u00e1nea realice una asignaci\u00f3n con el mismo vaddr y lo agregue a la lista de devres. Si esto sucede, habr\u00e1 dos entradas en la lista devres con el mismo vaddr y devres_destroy() puede liberar la entrada incorrecta, activando WARN_ON() en dmam_match. Para solucionarlo, destruya la entrada devres antes de liberar la asignaci\u00f3n de DMA. kokonut //net/encryption http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03"}], "lastModified": "2024-08-22T17:57:08.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "482B11C0-6B3C-4F07-817D-E7E181A88878", "versionEndExcluding": "4.19.320", "versionStartIncluding": "2.6.21"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A8961D98-9ACF-4188-BA88-44038B14BC28", "versionEndExcluding": "5.4.282", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5CCEDF13-293D-4E64-B501-4409D0365AFE", "versionEndExcluding": "5.10.224", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4E2B568-3171-41DE-B519-F2B1A3600D94", "versionEndExcluding": "5.15.165", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E45EAC72-8329-4F99-8276-86AF9BB3496A", "versionEndExcluding": "6.1.103", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC912330-6B41-4C6B-99AF-F3857FBACB6A", "versionEndExcluding": "6.6.44", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "92D388F2-1EAF-4CFA-AC06-5B26D762EA7D", "versionEndExcluding": "6.10.3", "versionStartIncluding": "6.7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}

5.5 /10