CVE-2024-56368 Information

Jan 12, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

ring-buffer: Fix overflow in __rb_map_vma

An overflow occurred when performing the following calculation:

nr_pages = ((nr_subbufs + 1) « subbuf_order) - pgoff;

Add a check before the calculation to avoid this problem.

syzbot reported this as a slab-out-of-bounds in __rb_map_vma:

BUG: KASAN: slab-out-of-bounds in __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058 Read of size 8 at addr ffff8880767dd2b8 by task syz-executor187/5836

CPU: 0 UID: 0 PID: 5836 Comm: syz-executor187 Not tainted 6.13.0-rc2-syzkaller-00159-gf932fb9b4074 0 Hardware name: Google Google Compute Engine/Google Compute Engine BIOS Google 11/25/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 __rb_map_vma+0x9ab/0xae0 kernel/trace/ring_buffer.c:7058 ring_buffer_map+0x56e/0x9b0 kernel/trace/ring_buffer.c:7138 tracing_buffers_mmap+0xa6/0x120 kernel/trace/trace.c:8482 call_mmap include/linux/fs.h:2183 [inline] mmap_file mm/internal.h:124 [inline] __mmap_new_file_vma mm/vma.c:2291 [inline] __mmap_new_vma mm/vma.c:2355 [inline] __mmap_region+0x1786/0x2670 mm/vma.c:2456 mmap_region+0x127/0x320 mm/mmap.c:1348 do_mmap+0xc00/0xfc0 mm/mmap.c:496 vm_mmap_pgoff+0x1ba/0x360 mm/util.c:580 ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:542 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline] __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The reproducer for this bug is:

————————8<————————- include <fcntl.h> include <stdlib.h> include <unistd.h> include <asm/types.h> include <sys/mman.h>

int main(int argc char argv)

int page_size = getpagesize();
int fd;
void meta;

system(cho 1 > /sys/kernel/tracing/buffer_size_kb\);
fd = open(\/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw\ O_RDONLY);

meta = mmap(NULL page_size PROT_READ MAP_SHARED fd page_size  5);

————————>8————————-

Reference

https://git.kernel.org/stable/c/c58a812c8e49ad688f94f4b050ad5c5b388fc5d2 https://git.kernel.org/stable/c/ec12f30fe54234dd40ffee50dda8d2df10bd0871

Share on: