cve/published/2024/CVE-2024-50223.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/numa: Fix the potential null pointer dereference in task_numa_work()\n\nWhen running stress-ng-vm-segv test, we found a null pointer dereference\nerror in task_numa_work(). Here is the backtrace:\n\n  [323676.066985] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n  ......\n  [323676.067108] CPU: 35 PID: 2694524 Comm: stress-ng-vm-se\n  ......\n  [323676.067113] pstate: 23401009 (nzCv daif +PAN -UAO +TCO +DIT +SSBS BTYPE=--)\n  [323676.067115] pc : vma_migratable+0x1c/0xd0\n  [323676.067122] lr : task_numa_work+0x1ec/0x4e0\n  [323676.067127] sp : ffff8000ada73d20\n  [323676.067128] x29: ffff8000ada73d20 x28: 0000000000000000 x27: 000000003e89f010\n  [323676.067130] x26: 0000000000080000 x25: ffff800081b5c0d8 x24: ffff800081b27000\n  [323676.067133] x23: 0000000000010000 x22: 0000000104d18cc0 x21: ffff0009f7158000\n  [323676.067135] x20: 0000000000000000 x19: 0000000000000000 x18: ffff8000ada73db8\n  [323676.067138] x17: 0001400000000000 x16: ffff800080df40b0 x15: 0000000000000035\n  [323676.067140] x14: ffff8000ada73cc8 x13: 1fffe0017cc72001 x12: ffff8000ada73cc8\n  [323676.067142] x11: ffff80008001160c x10: ffff000be639000c x9 : ffff8000800f4ba4\n  [323676.067145] x8 : ffff000810375000 x7 : ffff8000ada73974 x6 : 0000000000000001\n  [323676.067147] x5 : 0068000b33e26707 x4 : 0000000000000001 x3 : ffff0009f7158000\n  [323676.067149] x2 : 0000000000000041 x1 : 0000000000004400 x0 : 0000000000000000\n  [323676.067152] Call trace:\n  [323676.067153]  vma_migratable+0x1c/0xd0\n  [323676.067155]  task_numa_work+0x1ec/0x4e0\n  [323676.067157]  task_work_run+0x78/0xd8\n  [323676.067161]  do_notify_resume+0x1ec/0x290\n  [323676.067163]  el0_svc+0x150/0x160\n  [323676.067167]  el0t_64_sync_handler+0xf8/0x128\n  [323676.067170]  el0t_64_sync+0x17c/0x180\n  [323676.067173] Code: d2888001 910003fd f9000bf3 aa0003f3 (f9401000)\n  [323676.067177] SMP: stopping secondary CPUs\n  [323676.070184] Starting crashdump kernel...\n\nstress-ng-vm-segv in stress-ng is used to stress test the SIGSEGV error\nhandling function of the system, which tries to cause a SIGSEGV error on\nreturn from unmapping the whole address space of the child process.\n\nNormally this program will not cause kernel crashes. But before the\nmunmap system call returns to user mode, a potential task_numa_work()\nfor numa balancing could be added and executed. In this scenario, since the\nchild process has no vma after munmap, the vma_next() in task_numa_work()\nwill return a null pointer even if the vma iterator restarts from 0.\n\nRecheck the vma pointer before dereferencing it in task_numa_work()."
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "kernel/sched/fair.c"
                ],
                "versions": [
                   {
                      "version": "214dbc4281374cbbd833edd502d0ed1fd1b0e243",
                      "lessThan": "ade91f6e9848b370add44d89c976e070ccb492ef",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "214dbc4281374cbbd833edd502d0ed1fd1b0e243",
                      "lessThan": "c60d98ef7078fc3e22b48e98eae7a897d88494ee",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "214dbc4281374cbbd833edd502d0ed1fd1b0e243",
                      "lessThan": "9c70b2a33cd2aa6a5a59c5523ef053bd42265209",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "kernel/sched/fair.c"
                ],
                "versions": [
                   {
                      "version": "6.3",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "6.3",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.6.60",
                      "lessThanOrEqual": "6.6.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.11.7",
                      "lessThanOrEqual": "6.11.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.12",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "6.3",
                            "versionEndExcluding": "6.6.60"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "6.3",
                            "versionEndExcluding": "6.11.7"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "6.3",
                            "versionEndExcluding": "6.12"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/ade91f6e9848b370add44d89c976e070ccb492ef"
             },
             {
                "url": "https://git.kernel.org/stable/c/c60d98ef7078fc3e22b48e98eae7a897d88494ee"
             },
             {
                "url": "https://git.kernel.org/stable/c/9c70b2a33cd2aa6a5a59c5523ef053bd42265209"
             }
          ],
          "title": "sched/numa: Fix the potential null pointer dereference in task_numa_work()",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2024-50223",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/numa: Fix the potential null pointer dereference in task_numa_work()\n\nWhen running stress-ng-vm-segv test, we found a null pointer dereference\nerror in task_numa_work(). Here is the backtrace:\n\n [323676.066985] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n ......\n [323676.067108] CPU: 35 PID: 2694524 Comm: stress-ng-vm-se\n ......\n [323676.067113] pstate: 23401009 (nzCv daif +PAN -UAO +TCO +DIT +SSBS BTYPE=--)\n [323676.067115] pc : vma_migratable+0x1c/0xd0\n [323676.067122] lr : task_numa_work+0x1ec/0x4e0\n [323676.067127] sp : ffff8000ada73d20\n [323676.067128] x29: ffff8000ada73d20 x28: 0000000000000000 x27: 000000003e89f010\n [323676.067130] x26: 0000000000080000 x25: ffff800081b5c0d8 x24: ffff800081b27000\n [323676.067133] x23: 0000000000010000 x22: 0000000104d18cc0 x21: ffff0009f7158000\n [323676.067135] x20: 0000000000000000 x19: 0000000000000000 x18: ffff8000ada73db8\n [323676.067138] x17: 0001400000000000 x16: ffff800080df40b0 x15: 0000000000000035\n [323676.067140] x14: ffff8000ada73cc8 x13: 1fffe0017cc72001 x12: ffff8000ada73cc8\n [323676.067142] x11: ffff80008001160c x10: ffff000be639000c x9 : ffff8000800f4ba4\n [323676.067145] x8 : ffff000810375000 x7 : ffff8000ada73974 x6 : 0000000000000001\n [323676.067147] x5 : 0068000b33e26707 x4 : 0000000000000001 x3 : ffff0009f7158000\n [323676.067149] x2 : 0000000000000041 x1 : 0000000000004400 x0 : 0000000000000000\n [323676.067152] Call trace:\n [323676.067153] vma_migratable+0x1c/0xd0\n [323676.067155] task_numa_work+0x1ec/0x4e0\n [323676.067157] task_work_run+0x78/0xd8\n [323676.067161] do_notify_resume+0x1ec/0x290\n [323676.067163] el0_svc+0x150/0x160\n [323676.067167] el0t_64_sync_handler+0xf8/0x128\n [323676.067170] el0t_64_sync+0x17c/0x180\n [323676.067173] Code: d2888001 910003fd f9000bf3 aa0003f3 (f9401000)\n [323676.067177] SMP: stopping secondary CPUs\n [323676.070184] Starting crashdump kernel...\n\nstress-ng-vm-segv in stress-ng is used to stress test the SIGSEGV error\nhandling function of the system, which tries to cause a SIGSEGV error on\nreturn from unmapping the whole address space of the child process.\n\nNormally this program will not cause kernel crashes. But before the\nmunmap system call returns to user mode, a potential task_numa_work()\nfor numa balancing could be added and executed. In this scenario, since the\nchild process has no vma after munmap, the vma_next() in task_numa_work()\nwill return a null pointer even if the vma iterator restarts from 0.\n\nRecheck the vma pointer before dereferencing it in task_numa_work()."
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"kernel/sched/fair.c"
	],
	"versions": [
	{
	"version": "214dbc4281374cbbd833edd502d0ed1fd1b0e243",
	"lessThan": "ade91f6e9848b370add44d89c976e070ccb492ef",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "214dbc4281374cbbd833edd502d0ed1fd1b0e243",
	"lessThan": "c60d98ef7078fc3e22b48e98eae7a897d88494ee",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "214dbc4281374cbbd833edd502d0ed1fd1b0e243",
	"lessThan": "9c70b2a33cd2aa6a5a59c5523ef053bd42265209",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"kernel/sched/fair.c"
	],
	"versions": [
	{
	"version": "6.3",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "6.3",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.6.60",
	"lessThanOrEqual": "6.6.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.11.7",
	"lessThanOrEqual": "6.11.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.12",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "6.3",
	"versionEndExcluding": "6.6.60"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "6.3",
	"versionEndExcluding": "6.11.7"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "6.3",
	"versionEndExcluding": "6.12"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/ade91f6e9848b370add44d89c976e070ccb492ef"
	},
	{
	"url": "https://git.kernel.org/stable/c/c60d98ef7078fc3e22b48e98eae7a897d88494ee"
	},
	{
	"url": "https://git.kernel.org/stable/c/9c70b2a33cd2aa6a5a59c5523ef053bd42265209"
	}
	],
	"title": "sched/numa: Fix the potential null pointer dereference in task_numa_work()",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2024-50223",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}