cnvd - cnvd-2025-02555

cnvd-2025-02555

Vulnerability from cnvd

Title: Linux Kernel内存错误引用漏洞（CNVD-2025-02555）

Description:

Linux Kernel是一个开放源码的操作系统内核，它是操作系统的核心组件之一。

Linux Kernel存在内存错误引用漏洞。该漏洞产生的原因是VAS窗口在映射粘贴地址时，将VMA地址保存在VAS窗口结构中。攻击者可利用该漏洞进行拒绝服务攻击。

Severity: 中

Patch Name: Linux Kernel内存错误引用漏洞（CNVD-2025-02555）的补丁

Patch Description:

Linux Kernel是一个开放源码的操作系统内核，它是操作系统的核心组件之一。

Linux Kernel存在内存错误引用漏洞。该漏洞产生的原因是VAS窗口在映射粘贴地址时，将VMA地址保存在VAS窗口结构中。攻击者可利用该漏洞进行拒绝服务攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://git.kernel.org/stable/c/b7f60ffdfd96f8fc826f1d61a1c6067d828e20b9

Reference: https://git.kernel.org/stable/c/05aa156e156ef3168e7ab8a68721945196495c17 https://git.kernel.org/stable/c/6d9cd27105459f169993a4c5f216499a946dbf34 https://git.kernel.org/stable/c/8b2282b5084521254a2cd9742a3f4e1d5b77f843 https://git.kernel.org/stable/c/b7f60ffdfd96f8fc826f1d61a1c6067d828e20b9

Impacted products

Name
Linux linux_kernel >=5.18，<6.1.123

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-56765",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-56765"
    }
  },
  "description": "Linux Kernel\u662f\u4e00\u4e2a\u5f00\u653e\u6e90\u7801\u7684\u64cd\u4f5c\u7cfb\u7edf\u5185\u6838\uff0c\u5b83\u662f\u64cd\u4f5c\u7cfb\u7edf\u7684\u6838\u5fc3\u7ec4\u4ef6\u4e4b\u4e00\u3002\n\nLinux Kernel\u5b58\u5728\u5185\u5b58\u9519\u8bef\u5f15\u7528\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u4ea7\u751f\u7684\u539f\u56e0\u662fVAS\u7a97\u53e3\u5728\u6620\u5c04\u7c98\u8d34\u5730\u5740\u65f6\uff0c\u5c06VMA\u5730\u5740\u4fdd\u5b58\u5728VAS\u7a97\u53e3\u7ed3\u6784\u4e2d\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://git.kernel.org/stable/c/b7f60ffdfd96f8fc826f1d61a1c6067d828e20b9",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-02555",
  "openTime": "2025-02-06",
  "patchDescription": "Linux Kernel\u662f\u4e00\u4e2a\u5f00\u653e\u6e90\u7801\u7684\u64cd\u4f5c\u7cfb\u7edf\u5185\u6838\uff0c\u5b83\u662f\u64cd\u4f5c\u7cfb\u7edf\u7684\u6838\u5fc3\u7ec4\u4ef6\u4e4b\u4e00\u3002\r\n\r\nLinux Kernel\u5b58\u5728\u5185\u5b58\u9519\u8bef\u5f15\u7528\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u4ea7\u751f\u7684\u539f\u56e0\u662fVAS\u7a97\u53e3\u5728\u6620\u5c04\u7c98\u8d34\u5730\u5740\u65f6\uff0c\u5c06VMA\u5730\u5740\u4fdd\u5b58\u5728VAS\u7a97\u53e3\u7ed3\u6784\u4e2d\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Linux Kernel\u5185\u5b58\u9519\u8bef\u5f15\u7528\u6f0f\u6d1e\uff08CNVD-2025-02555\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Linux linux_kernel \u003e=5.18\uff0c\u003c6.1.123"
  },
  "referenceLink": "https://git.kernel.org/stable/c/05aa156e156ef3168e7ab8a68721945196495c17\r\nhttps://git.kernel.org/stable/c/6d9cd27105459f169993a4c5f216499a946dbf34\r\nhttps://git.kernel.org/stable/c/8b2282b5084521254a2cd9742a3f4e1d5b77f843\r\nhttps://git.kernel.org/stable/c/b7f60ffdfd96f8fc826f1d61a1c6067d828e20b9",
  "serverity": "\u4e2d",
  "submitTime": "2025-01-08",
  "title": "Linux Kernel\u5185\u5b58\u9519\u8bef\u5f15\u7528\u6f0f\u6d1e\uff08CNVD-2025-02555\uff09"
}

CVE-2024-56765 (GCVE-0-2024-56765)

Vulnerability from cvelistv5

Published

2025-01-06 16:20

Modified

2025-05-04 10:04

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/vas: Add close() callback in vas_vm_ops struct The mapping VMA address is saved in VAS window struct when the paste address is mapped. This VMA address is used during migration to unmap the paste address if the window is active. The paste address mapping will be removed when the window is closed or with the munmap(). But the VMA address in the VAS window is not updated with munmap() which is causing invalid access during migration. The KASAN report shows: [16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8 [16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928 [16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2 [16386.255128] Tainted: [B]=BAD_PAGE [16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries [16386.255181] Call Trace: [16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable) [16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764 [16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8 [16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0 [16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8 [16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc [16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4 ... [16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s: [16386.256149] kasan_save_stack+0x34/0x68 [16386.256163] kasan_save_track+0x34/0x80 [16386.256175] kasan_save_alloc_info+0x58/0x74 [16386.256196] __kasan_slab_alloc+0xb8/0xdc [16386.256209] kmem_cache_alloc_noprof+0x200/0x3d0 [16386.256225] vm_area_alloc+0x44/0x150 [16386.256245] mmap_region+0x214/0x10c4 [16386.256265] do_mmap+0x5fc/0x750 [16386.256277] vm_mmap_pgoff+0x14c/0x24c [16386.256292] ksys_mmap_pgoff+0x20c/0x348 [16386.256303] sys_mmap+0xd0/0x160 ... [16386.256350] Freed by task 0 on cpu 31 at 16386.204848s: [16386.256363] kasan_save_stack+0x34/0x68 [16386.256374] kasan_save_track+0x34/0x80 [16386.256384] kasan_save_free_info+0x64/0x10c [16386.256396] __kasan_slab_free+0x120/0x204 [16386.256415] kmem_cache_free+0x128/0x450 [16386.256428] vm_area_free_rcu_cb+0xa8/0xd8 [16386.256441] rcu_do_batch+0x2c8/0xcf0 [16386.256458] rcu_core+0x378/0x3c4 [16386.256473] handle_softirqs+0x20c/0x60c [16386.256495] do_softirq_own_stack+0x6c/0x88 [16386.256509] do_softirq_own_stack+0x58/0x88 [16386.256521] __irq_exit_rcu+0x1a4/0x20c [16386.256533] irq_exit+0x20/0x38 [16386.256544] interrupt_async_exit_prepare.constprop.0+0x18/0x2c ... [16386.256717] Last potentially related work creation: [16386.256729] kasan_save_stack+0x34/0x68 [16386.256741] __kasan_record_aux_stack+0xcc/0x12c [16386.256753] __call_rcu_common.constprop.0+0x94/0xd04 [16386.256766] vm_area_free+0x28/0x3c [16386.256778] remove_vma+0xf4/0x114 [16386.256797] do_vmi_align_munmap.constprop.0+0x684/0x870 [16386.256811] __vm_munmap+0xe0/0x1f8 [16386.256821] sys_munmap+0x54/0x6c [16386.256830] system_call_exception+0x1a0/0x4a0 [16386.256841] system_call_vectored_common+0x15c/0x2ec [16386.256868] The buggy address belongs to the object at c00000014a819670 which belongs to the cache vm_area_struct of size 168 [16386.256887] The buggy address is located 0 bytes inside of freed 168-byte region [c00000014a819670, c00000014a819718) [16386.256915] The buggy address belongs to the physical page: [16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81 [16386.256950] memcg:c0000000ba430001 [16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff) [16386.256975] page_type: 0xfdffffff(slab) [16386 ---truncated---

References

▼	URL	Tags
	https://git.kernel.org/stable/c/8b2282b5084521254a2cd9742a3f4e1d5b77f843
	https://git.kernel.org/stable/c/b7f60ffdfd96f8fc826f1d61a1c6067d828e20b9
	https://git.kernel.org/stable/c/6d9cd27105459f169993a4c5f216499a946dbf34
	https://git.kernel.org/stable/c/05aa156e156ef3168e7ab8a68721945196495c17

Impacted products

Vendor

Product

Version

▼

Linux

Version: 37e6764895ef7431f45ff603a548549d409993d2
Version: 37e6764895ef7431f45ff603a548549d409993d2
Version: 37e6764895ef7431f45ff603a548549d409993d2
Version: 37e6764895ef7431f45ff603a548549d409993d2

Linux

Version: 5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56765",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T13:56:48.712913Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-13T14:04:27.747Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/platforms/book3s/vas-api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8b2282b5084521254a2cd9742a3f4e1d5b77f843",
              "status": "affected",
              "version": "37e6764895ef7431f45ff603a548549d409993d2",
              "versionType": "git"
            },
            {
              "lessThan": "b7f60ffdfd96f8fc826f1d61a1c6067d828e20b9",
              "status": "affected",
              "version": "37e6764895ef7431f45ff603a548549d409993d2",
              "versionType": "git"
            },
            {
              "lessThan": "6d9cd27105459f169993a4c5f216499a946dbf34",
              "status": "affected",
              "version": "37e6764895ef7431f45ff603a548549d409993d2",
              "versionType": "git"
            },
            {
              "lessThan": "05aa156e156ef3168e7ab8a68721945196495c17",
              "status": "affected",
              "version": "37e6764895ef7431f45ff603a548549d409993d2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/platforms/book3s/vas-api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.69",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.123",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.69",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/vas: Add close() callback in vas_vm_ops struct\n\nThe mapping VMA address is saved in VAS window struct when the\npaste address is mapped. This VMA address is used during migration\nto unmap the paste address if the window is active. The paste\naddress mapping will be removed when the window is closed or with\nthe munmap(). But the VMA address in the VAS window is not updated\nwith munmap() which is causing invalid access during migration.\n\nThe KASAN report shows:\n[16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8\n[16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928\n\n[16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G    B              6.11.0-rc5-nxgzip #2\n[16386.255128] Tainted: [B]=BAD_PAGE\n[16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries\n[16386.255181] Call Trace:\n[16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable)\n[16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764\n[16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8\n[16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0\n[16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8\n[16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc\n[16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4\n...\n\n[16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s:\n[16386.256149]  kasan_save_stack+0x34/0x68\n[16386.256163]  kasan_save_track+0x34/0x80\n[16386.256175]  kasan_save_alloc_info+0x58/0x74\n[16386.256196]  __kasan_slab_alloc+0xb8/0xdc\n[16386.256209]  kmem_cache_alloc_noprof+0x200/0x3d0\n[16386.256225]  vm_area_alloc+0x44/0x150\n[16386.256245]  mmap_region+0x214/0x10c4\n[16386.256265]  do_mmap+0x5fc/0x750\n[16386.256277]  vm_mmap_pgoff+0x14c/0x24c\n[16386.256292]  ksys_mmap_pgoff+0x20c/0x348\n[16386.256303]  sys_mmap+0xd0/0x160\n...\n\n[16386.256350] Freed by task 0 on cpu 31 at 16386.204848s:\n[16386.256363]  kasan_save_stack+0x34/0x68\n[16386.256374]  kasan_save_track+0x34/0x80\n[16386.256384]  kasan_save_free_info+0x64/0x10c\n[16386.256396]  __kasan_slab_free+0x120/0x204\n[16386.256415]  kmem_cache_free+0x128/0x450\n[16386.256428]  vm_area_free_rcu_cb+0xa8/0xd8\n[16386.256441]  rcu_do_batch+0x2c8/0xcf0\n[16386.256458]  rcu_core+0x378/0x3c4\n[16386.256473]  handle_softirqs+0x20c/0x60c\n[16386.256495]  do_softirq_own_stack+0x6c/0x88\n[16386.256509]  do_softirq_own_stack+0x58/0x88\n[16386.256521]  __irq_exit_rcu+0x1a4/0x20c\n[16386.256533]  irq_exit+0x20/0x38\n[16386.256544]  interrupt_async_exit_prepare.constprop.0+0x18/0x2c\n...\n\n[16386.256717] Last potentially related work creation:\n[16386.256729]  kasan_save_stack+0x34/0x68\n[16386.256741]  __kasan_record_aux_stack+0xcc/0x12c\n[16386.256753]  __call_rcu_common.constprop.0+0x94/0xd04\n[16386.256766]  vm_area_free+0x28/0x3c\n[16386.256778]  remove_vma+0xf4/0x114\n[16386.256797]  do_vmi_align_munmap.constprop.0+0x684/0x870\n[16386.256811]  __vm_munmap+0xe0/0x1f8\n[16386.256821]  sys_munmap+0x54/0x6c\n[16386.256830]  system_call_exception+0x1a0/0x4a0\n[16386.256841]  system_call_vectored_common+0x15c/0x2ec\n\n[16386.256868] The buggy address belongs to the object at c00000014a819670\n                which belongs to the cache vm_area_struct of size 168\n[16386.256887] The buggy address is located 0 bytes inside of\n                freed 168-byte region [c00000014a819670, c00000014a819718)\n\n[16386.256915] The buggy address belongs to the physical page:\n[16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81\n[16386.256950] memcg:c0000000ba430001\n[16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff)\n[16386.256975] page_type: 0xfdffffff(slab)\n[16386\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:11.913Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8b2282b5084521254a2cd9742a3f4e1d5b77f843"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7f60ffdfd96f8fc826f1d61a1c6067d828e20b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d9cd27105459f169993a4c5f216499a946dbf34"
        },
        {
          "url": "https://git.kernel.org/stable/c/05aa156e156ef3168e7ab8a68721945196495c17"
        }
      ],
      "title": "powerpc/pseries/vas: Add close() callback in vas_vm_ops struct",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56765",
    "datePublished": "2025-01-06T16:20:43.966Z",
    "dateReserved": "2024-12-29T11:26:39.762Z",
    "dateUpdated": "2025-05-04T10:04:11.913Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted