CVE-2024-46785 (GCVE-0-2024-46785)
Vulnerability from cvelistv5
Published
2024-09-18 07:12
Modified
2025-05-04 12:58
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: eventfs: Use list_del_rcu() for SRCU protected list variable Chi Zhiling reported: We found a null pointer accessing in tracefs[1], the reason is that the variable 'ei_child' is set to LIST_POISON1, that means the list was removed in eventfs_remove_rec. so when access the ei_child->is_freed, the panic triggered. by the way, the following script can reproduce this panic loop1 (){ while true do echo "p:kp submit_bio" > /sys/kernel/debug/tracing/kprobe_events echo "" > /sys/kernel/debug/tracing/kprobe_events done } loop2 (){ while true do tree /sys/kernel/debug/tracing/events/kprobes/ done } loop1 & loop2 [1]: [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150 [ 1147.968239][T17331] Mem abort info: [ 1147.971739][T17331] ESR = 0x0000000096000004 [ 1147.976172][T17331] EC = 0x25: DABT (current EL), IL = 32 bits [ 1147.982171][T17331] SET = 0, FnV = 0 [ 1147.985906][T17331] EA = 0, S1PTW = 0 [ 1147.989734][T17331] FSC = 0x04: level 0 translation fault [ 1147.995292][T17331] Data abort info: [ 1147.998858][T17331] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1148.005023][T17331] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1148.010759][T17331] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls] [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G W ------- ---- 6.6.43 #2 [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650 [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020 [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398 [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398 [ 1148.115969][T17331] sp : ffff80008d56bbd0 [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000 [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100 [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10 [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000 [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0 [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0 [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862 [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068 [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001 [ 1148.198131][T17331] Call trace: [ 1148.201259][T17331] eventfs_iterate+0x2c0/0x398 [ 1148.205864][T17331] iterate_dir+0x98/0x188 [ 1148.210036][T17331] __arm64_sys_getdents64+0x78/0x160 [ 1148.215161][T17331] invoke_syscall+0x78/0x108 [ 1148.219593][T17331] el0_svc_common.constprop.0+0x48/0xf0 [ 1148.224977][T17331] do_el0_svc+0x24/0x38 [ 1148.228974][T17331] el0_svc+0x40/0x168 [ 1148.232798][T17 ---truncated---
References
Impacted products
Vendor Product Version
Linux Linux Version: 5dfb04100326f70e3b2d2872c2476ed20b804837
Version: 43aa6f97c2d03a52c1ddb86768575fc84344bdbb
Version: 43aa6f97c2d03a52c1ddb86768575fc84344bdbb
Version: 5a43badefe0eccca0c26144c0a44b8d417ce8103
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-46785",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-29T14:29:25.757655Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-29T14:29:40.606Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/tracefs/event_inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "05e08297c3c298d8ec28e5a5adb55840312dd87e",
              "status": "affected",
              "version": "5dfb04100326f70e3b2d2872c2476ed20b804837",
              "versionType": "git"
            },
            {
              "lessThan": "f579d17a86448779f9642ad8baca6e3036a8e2d6",
              "status": "affected",
              "version": "43aa6f97c2d03a52c1ddb86768575fc84344bdbb",
              "versionType": "git"
            },
            {
              "lessThan": "d2603279c7d645bf0d11fa253b23f1ab48fc8d3c",
              "status": "affected",
              "version": "43aa6f97c2d03a52c1ddb86768575fc84344bdbb",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5a43badefe0eccca0c26144c0a44b8d417ce8103",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/tracefs/event_inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.51",
                  "versionStartIncluding": "6.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.10",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neventfs: Use list_del_rcu() for SRCU protected list variable\n\nChi Zhiling reported:\n\n  We found a null pointer accessing in tracefs[1], the reason is that the\n  variable \u0027ei_child\u0027 is set to LIST_POISON1, that means the list was\n  removed in eventfs_remove_rec. so when access the ei_child-\u003eis_freed, the\n  panic triggered.\n\n  by the way, the following script can reproduce this panic\n\n  loop1 (){\n      while true\n      do\n          echo \"p:kp submit_bio\" \u003e /sys/kernel/debug/tracing/kprobe_events\n          echo \"\" \u003e /sys/kernel/debug/tracing/kprobe_events\n      done\n  }\n  loop2 (){\n      while true\n      do\n          tree /sys/kernel/debug/tracing/events/kprobes/\n      done\n  }\n  loop1 \u0026\n  loop2\n\n  [1]:\n  [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150\n  [ 1147.968239][T17331] Mem abort info:\n  [ 1147.971739][T17331]   ESR = 0x0000000096000004\n  [ 1147.976172][T17331]   EC = 0x25: DABT (current EL), IL = 32 bits\n  [ 1147.982171][T17331]   SET = 0, FnV = 0\n  [ 1147.985906][T17331]   EA = 0, S1PTW = 0\n  [ 1147.989734][T17331]   FSC = 0x04: level 0 translation fault\n  [ 1147.995292][T17331] Data abort info:\n  [ 1147.998858][T17331]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n  [ 1148.005023][T17331]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  [ 1148.010759][T17331]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n  [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges\n  [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP\n  [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls]\n  [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G        W         ------- ----  6.6.43 #2\n  [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650\n  [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020\n  [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398\n  [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398\n  [ 1148.115969][T17331] sp : ffff80008d56bbd0\n  [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000\n  [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100\n  [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10\n  [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000\n  [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0\n  [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n  [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0\n  [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862\n  [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068\n  [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001\n  [ 1148.198131][T17331] Call trace:\n  [ 1148.201259][T17331]  eventfs_iterate+0x2c0/0x398\n  [ 1148.205864][T17331]  iterate_dir+0x98/0x188\n  [ 1148.210036][T17331]  __arm64_sys_getdents64+0x78/0x160\n  [ 1148.215161][T17331]  invoke_syscall+0x78/0x108\n  [ 1148.219593][T17331]  el0_svc_common.constprop.0+0x48/0xf0\n  [ 1148.224977][T17331]  do_el0_svc+0x24/0x38\n  [ 1148.228974][T17331]  el0_svc+0x40/0x168\n  [ 1148.232798][T17\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:58:41.812Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/05e08297c3c298d8ec28e5a5adb55840312dd87e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f579d17a86448779f9642ad8baca6e3036a8e2d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2603279c7d645bf0d11fa253b23f1ab48fc8d3c"
        }
      ],
      "title": "eventfs: Use list_del_rcu() for SRCU protected list variable",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-46785",
    "datePublished": "2024-09-18T07:12:41.529Z",
    "dateReserved": "2024-09-11T15:12:18.277Z",
    "dateUpdated": "2025-05-04T12:58:41.812Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-46785\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-09-18T08:15:05.730\",\"lastModified\":\"2024-11-20T15:51:33.027\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\neventfs: Use list_del_rcu() for SRCU protected list variable\\n\\nChi Zhiling reported:\\n\\n  We found a null pointer accessing in tracefs[1], the reason is that the\\n  variable \u0027ei_child\u0027 is set to LIST_POISON1, that means the list was\\n  removed in eventfs_remove_rec. so when access the ei_child-\u003eis_freed, the\\n  panic triggered.\\n\\n  by the way, the following script can reproduce this panic\\n\\n  loop1 (){\\n      while true\\n      do\\n          echo \\\"p:kp submit_bio\\\" \u003e /sys/kernel/debug/tracing/kprobe_events\\n          echo \\\"\\\" \u003e /sys/kernel/debug/tracing/kprobe_events\\n      done\\n  }\\n  loop2 (){\\n      while true\\n      do\\n          tree /sys/kernel/debug/tracing/events/kprobes/\\n      done\\n  }\\n  loop1 \u0026\\n  loop2\\n\\n  [1]:\\n  [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150\\n  [ 1147.968239][T17331] Mem abort info:\\n  [ 1147.971739][T17331]   ESR = 0x0000000096000004\\n  [ 1147.976172][T17331]   EC = 0x25: DABT (current EL), IL = 32 bits\\n  [ 1147.982171][T17331]   SET = 0, FnV = 0\\n  [ 1147.985906][T17331]   EA = 0, S1PTW = 0\\n  [ 1147.989734][T17331]   FSC = 0x04: level 0 translation fault\\n  [ 1147.995292][T17331] Data abort info:\\n  [ 1147.998858][T17331]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\\n  [ 1148.005023][T17331]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n  [ 1148.010759][T17331]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n  [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges\\n  [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP\\n  [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls]\\n  [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G        W         ------- ----  6.6.43 #2\\n  [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650\\n  [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020\\n  [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n  [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398\\n  [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398\\n  [ 1148.115969][T17331] sp : ffff80008d56bbd0\\n  [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000\\n  [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100\\n  [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10\\n  [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000\\n  [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0\\n  [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\\n  [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0\\n  [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862\\n  [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068\\n  [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001\\n  [ 1148.198131][T17331] Call trace:\\n  [ 1148.201259][T17331]  eventfs_iterate+0x2c0/0x398\\n  [ 1148.205864][T17331]  iterate_dir+0x98/0x188\\n  [ 1148.210036][T17331]  __arm64_sys_getdents64+0x78/0x160\\n  [ 1148.215161][T17331]  invoke_syscall+0x78/0x108\\n  [ 1148.219593][T17331]  el0_svc_common.constprop.0+0x48/0xf0\\n  [ 1148.224977][T17331]  do_el0_svc+0x24/0x38\\n  [ 1148.228974][T17331]  el0_svc+0x40/0x168\\n  [ 1148.232798][T17\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: eventfs: Uso list_del_rcu() para la variable de lista protegida SRCU Chi Zhiling inform\u00f3: Encontramos un puntero nulo accediendo en tracefs[1], la raz\u00f3n es que la variable \u0027ei_child\u0027 est\u00e1 configurada en LIST_POISON1, lo que significa que la lista se elimin\u00f3 en eventfs_remove_rec. entonces, cuando se accede a ei_child-\u0026gt;is_freed, se activa el p\u00e1nico. por cierto, el siguiente script puede reproducir este bucle de p\u00e1nico loop1 (){ while true do echo \\\"p:kp submission_bio\\\" \u0026gt; /sys/kernel/debug/tracing/kprobe_events echo \\\"\\\" \u0026gt; /sys/kernel/debug/tracing/kprobe_events done } loop2 (){ while true do tree /sys/kernel/debug/tracing/events/kprobes/ done } loop1 \u0026amp; loop2 [1]: [ 1147.959632][T17331] No se puede manejar la solicitud de paginaci\u00f3n del n\u00facleo en la direcci\u00f3n virtual dead000000000150 [ 1147.968239][T17331] Informaci\u00f3n de aborto de memoria: [ 1147.971739][T17331] ESR = 0x0000000096000004 [ 1147.976172][T17331] EC = 0x25: DABT (EL actual), IL = 32 bits [ 1147.982171][T17331] SET = 0, FnV = 0 [ 1147.985906][T17331] EA = 0, S1PTW = 0 [ 1147.989734][T17331] FSC = 0x04: error de traducci\u00f3n de nivel 0 [ 1147.995292][T17331] Informaci\u00f3n de cancelaci\u00f3n de datos: [ 1147.998858][T17331] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1148.005023][T17331] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1148.010759][T17331] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1148.016752][T17331] [dead000000000150] direcci\u00f3n entre los rangos de direcciones del usuario y del n\u00facleo [ 1148.024571][T17331] Error interno: Oops: 0000000096000004 [#1] SMP [ 1148.030825][T17331] M\u00f3dulos vinculados en: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls puente ib_core de macvlan dummy stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [\u00faltima descarga: tls] [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Contaminado: GW ------- ---- 6.6.43 #2 [ 1148.081751][T17331] Versi\u00f3n de origen: 21b3b386e948bedd29369af66f3e98ab01b1c650 [ 1148.088783][T17331] Nombre del hardware: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 16/07/2020 [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398 [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398 [ 1148.115969][T17331] sp : ffff80008d56bbd0 [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000 [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: muerto000000000100 [ 1148.135598][T17331] x23: 0000000000000000 x22: 0000000000000000b x21: ffff800082645f10 [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 000000000000000 [ 1148.151231][T17331] x17: 000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0 [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 1148.166864][T17331] x11: 000000000000000 x10: 000000000000000 x9 : ffff8000804391d0 [ 1148.174680][T17331] x8 : 000000018000000 x7 : 0000000000000018 x6 : 0000aaab04b92862 [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068 [ 1148.190314][T17331] x2 : 00000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001 [ 1148.198131][T17331] Rastreo de llamadas: [ 1148.201259][T17331] eventfs_iterate+0x2c0/0x398 [ 1148.205864][T17331] iterar_dir+0x98/0x188 [ 1148.210036][T17331] __arm64_sys_getdents64+0x78/0x160 [ 1148.215161][T17331] invocar_llamada_al_sistema+0x78/0x108 [ 1148.219593][T17331] el0_svc_common.constprop.0+0x48/0xf0 [ 1148.224977][T17331] hacer_el0_svc+0x24/0x38 [ 1148.228974][T17331] el0_svc+0x40/0x168 [ 1148.232798][T17 ---truncado---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.18\",\"versionEndExcluding\":\"6.6.51\",\"matchCriteriaId\":\"7476B2E8-446E-44CC-913C-1FB416620536\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7.6\",\"versionEndExcluding\":\"6.8\",\"matchCriteriaId\":\"9048C5C2-5073-4D52-BC14-154912BA5D82\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.8\",\"versionEndExcluding\":\"6.10.10\",\"matchCriteriaId\":\"4FAFFECB-D55B-4130-801C-AE52B8A6B1BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0005AEF-856E-47EB-BFE4-90C46899394D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"39889A68-6D34-47A6-82FC-CD0BF23D6754\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8383ABF-1457-401F-9B61-EE50F4C61F4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"B77A9280-37E6-49AD-B559-5B23A3B1DC3D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/05e08297c3c298d8ec28e5a5adb55840312dd87e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d2603279c7d645bf0d11fa253b23f1ab48fc8d3c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f579d17a86448779f9642ad8baca6e3036a8e2d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-46785\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-29T14:29:25.757655Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-29T14:29:29.911Z\"}}], \"cna\": {\"title\": \"eventfs: Use list_del_rcu() for SRCU protected list variable\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5dfb04100326f70e3b2d2872c2476ed20b804837\", \"lessThan\": \"05e08297c3c298d8ec28e5a5adb55840312dd87e\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"43aa6f97c2d03a52c1ddb86768575fc84344bdbb\", \"lessThan\": \"f579d17a86448779f9642ad8baca6e3036a8e2d6\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"43aa6f97c2d03a52c1ddb86768575fc84344bdbb\", \"lessThan\": \"d2603279c7d645bf0d11fa253b23f1ab48fc8d3c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"5a43badefe0eccca0c26144c0a44b8d417ce8103\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/tracefs/event_inode.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.8\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.8\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.6.51\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.10.10\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/tracefs/event_inode.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/05e08297c3c298d8ec28e5a5adb55840312dd87e\"}, {\"url\": \"https://git.kernel.org/stable/c/f579d17a86448779f9642ad8baca6e3036a8e2d6\"}, {\"url\": \"https://git.kernel.org/stable/c/d2603279c7d645bf0d11fa253b23f1ab48fc8d3c\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\neventfs: Use list_del_rcu() for SRCU protected list variable\\n\\nChi Zhiling reported:\\n\\n  We found a null pointer accessing in tracefs[1], the reason is that the\\n  variable \u0027ei_child\u0027 is set to LIST_POISON1, that means the list was\\n  removed in eventfs_remove_rec. so when access the ei_child-\u003eis_freed, the\\n  panic triggered.\\n\\n  by the way, the following script can reproduce this panic\\n\\n  loop1 (){\\n      while true\\n      do\\n          echo \\\"p:kp submit_bio\\\" \u003e /sys/kernel/debug/tracing/kprobe_events\\n          echo \\\"\\\" \u003e /sys/kernel/debug/tracing/kprobe_events\\n      done\\n  }\\n  loop2 (){\\n      while true\\n      do\\n          tree /sys/kernel/debug/tracing/events/kprobes/\\n      done\\n  }\\n  loop1 \u0026\\n  loop2\\n\\n  [1]:\\n  [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150\\n  [ 1147.968239][T17331] Mem abort info:\\n  [ 1147.971739][T17331]   ESR = 0x0000000096000004\\n  [ 1147.976172][T17331]   EC = 0x25: DABT (current EL), IL = 32 bits\\n  [ 1147.982171][T17331]   SET = 0, FnV = 0\\n  [ 1147.985906][T17331]   EA = 0, S1PTW = 0\\n  [ 1147.989734][T17331]   FSC = 0x04: level 0 translation fault\\n  [ 1147.995292][T17331] Data abort info:\\n  [ 1147.998858][T17331]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\\n  [ 1148.005023][T17331]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n  [ 1148.010759][T17331]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n  [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges\\n  [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP\\n  [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls]\\n  [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G        W         ------- ----  6.6.43 #2\\n  [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650\\n  [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020\\n  [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n  [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398\\n  [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398\\n  [ 1148.115969][T17331] sp : ffff80008d56bbd0\\n  [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000\\n  [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100\\n  [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10\\n  [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000\\n  [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0\\n  [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\\n  [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0\\n  [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862\\n  [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068\\n  [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001\\n  [ 1148.198131][T17331] Call trace:\\n  [ 1148.201259][T17331]  eventfs_iterate+0x2c0/0x398\\n  [ 1148.205864][T17331]  iterate_dir+0x98/0x188\\n  [ 1148.210036][T17331]  __arm64_sys_getdents64+0x78/0x160\\n  [ 1148.215161][T17331]  invoke_syscall+0x78/0x108\\n  [ 1148.219593][T17331]  el0_svc_common.constprop.0+0x48/0xf0\\n  [ 1148.224977][T17331]  do_el0_svc+0x24/0x38\\n  [ 1148.228974][T17331]  el0_svc+0x40/0x168\\n  [ 1148.232798][T17\\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.51\", \"versionStartIncluding\": \"6.6.18\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.10.10\", \"versionStartIncluding\": \"6.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11\", \"versionStartIncluding\": \"6.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.7.6\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T12:58:41.812Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-46785\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T12:58:41.812Z\", \"dateReserved\": \"2024-09-11T15:12:18.277Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-09-18T07:12:41.529Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.