| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name\n\nIt's observed that a crash occurs during hot-remove a memory device,\nin which user is accessing the hugetlb. See calltrace as following:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790\nModules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc s\nmirror dm_region_hash dm_log dm_mod\nCPU: 1 PID: 14045 Comm: daxctl Not tainted 6.10.0-rc2-lizhijian+ #492\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:do_user_addr_fault+0x2a0/0x790\nCode: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff <0f> 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41\nRSP: 0000:ffffc90000a575f0 EFLAGS: 00010046\nRAX: ffff88800c303600 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a57658\nR13: 0000000000001000 R14: ffff88800bc2e040 R15: 0000000000000000\nFS: 00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? __warn+0x8d/0x190\n ? do_user_addr_fault+0x2a0/0x790\n ? report_bug+0x1c3/0x1d0\n ? handle_bug+0x3c/0x70\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? do_user_addr_fault+0x2a0/0x790\n ? exc_page_fault+0x31/0x200\n exc_page_fault+0x68/0x200\n<...snip...>\nBUG: unable to handle page fault for address: 0000000000001000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n ---[ end trace 0000000000000000 ]---\n BUG: unable to handle page fault for address: 0000000000001000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 14045 Comm: daxctl Kdump: loaded Tainted: G W 6.10.0-rc2-lizhijian+ #492\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n RIP: 0010:dentry_name+0x1f4/0x440\n<...snip...>\n? dentry_name+0x2fa/0x440\nvsnprintf+0x1f3/0x4f0\nvprintk_store+0x23a/0x540\nvprintk_emit+0x6d/0x330\n_printk+0x58/0x80\ndump_mapping+0x10b/0x1a0\n? __pfx_free_object_rcu+0x10/0x10\n__dump_page+0x26b/0x3e0\n? vprintk_emit+0xe0/0x330\n? _printk+0x58/0x80\n? dump_page+0x17/0x50\ndump_page+0x17/0x50\ndo_migrate_range+0x2f7/0x7f0\n? do_migrate_range+0x42/0x7f0\n? offline_pages+0x2f4/0x8c0\noffline_pages+0x60a/0x8c0\nmemory_subsys_offline+0x9f/0x1c0\n? lockdep_hardirqs_on+0x77/0x100\n? _raw_spin_unlock_irqrestore+0x38/0x60\ndevice_offline+0xe3/0x110\nstate_store+0x6e/0xc0\nkernfs_fop_write_iter+0x143/0x200\nvfs_write+0x39f/0x560\nksys_write+0x65/0xf0\ndo_syscall_64+0x62/0x130\n\nPreviously, some sanity check have been done in dump_mapping() before\nthe print facility parsing '%pd' though, it's still possible to run into\nan invalid dentry.d_name.name.\n\nSince dump_mapping() only needs to dump the filename only, retrieve it\nby itself in a safer way to prevent an unnecessary crash.\n\nNote that either retrieving the filename with '%pd' or\nstrncpy_from_kernel_nofault(), the filename could be unreliable." |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "fs/inode.c" |
| ], |
| "versions": [ |
| { |
| "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", |
| "lessThan": "1a4159138e718db6199f0abf376ad52f726dcc5c", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", |
| "lessThan": "e0f6ee75f50476607ca82fc7c3711c795ce09b52", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", |
| "lessThan": "f92b8829c6e75632de4e2b9f70e7a7e6c5c2ba98", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", |
| "lessThan": "ef921bc72328b577cb45772ff7921cba4773b74a", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", |
| "lessThan": "7f7b850689ac06a62befe26e1fd1806799e7f152", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "fs/inode.c" |
| ], |
| "versions": [ |
| { |
| "version": "6.1.120", |
| "lessThanOrEqual": "6.1.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.64", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.10.14", |
| "lessThanOrEqual": "6.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.11.3", |
| "lessThanOrEqual": "6.11.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.12", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionEndExcluding": "6.1.120" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionEndExcluding": "6.6.64" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionEndExcluding": "6.10.14" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionEndExcluding": "6.11.3" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionEndExcluding": "6.12" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/1a4159138e718db6199f0abf376ad52f726dcc5c" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/e0f6ee75f50476607ca82fc7c3711c795ce09b52" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/f92b8829c6e75632de4e2b9f70e7a7e6c5c2ba98" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/ef921bc72328b577cb45772ff7921cba4773b74a" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/7f7b850689ac06a62befe26e1fd1806799e7f152" |
| } |
| ], |
| "title": "fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2024-49934", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
