CVE-2024-46847 (GCVE-0-2024-46847)
Vulnerability from cvelistv5
Published
2024-09-27 12:39
Modified
2025-05-04 12:58
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to queue Commit 8c61291fd850 ("mm: fix incorrect vbq reference in purge_fragmented_block") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a new 'vmap_block' is being instantiated by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index. This has been observed as UBSAN errors in Android: | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray.
References
Impacted products
Vendor Product Version
Linux Linux Version: 88e0ad40d08a73a74c597e69f4cd2d1fba3838b5
Version: 8c61291fd8500e3b35c7ec0c781b273d8cc96cde
Version: 8c61291fd8500e3b35c7ec0c781b273d8cc96cde
Version: 9983b81579be3403f5cc44b11f66c6c8bea6547f
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-46847",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-29T13:58:55.254929Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-29T13:58:59.658Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/vmalloc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1b2770e27d6d952f491bb362b657e5b2713c3efd",
              "status": "affected",
              "version": "88e0ad40d08a73a74c597e69f4cd2d1fba3838b5",
              "versionType": "git"
            },
            {
              "lessThan": "6cf74e0e5e3ab5d5c9defb4c73dad54d52224671",
              "status": "affected",
              "version": "8c61291fd8500e3b35c7ec0c781b273d8cc96cde",
              "versionType": "git"
            },
            {
              "lessThan": "3e3de7947c751509027d26b679ecd243bc9db255",
              "status": "affected",
              "version": "8c61291fd8500e3b35c7ec0c781b273d8cc96cde",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9983b81579be3403f5cc44b11f66c6c8bea6547f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/vmalloc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.51",
                  "versionStartIncluding": "6.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.10",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.9.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: vmalloc: ensure vmap_block is initialised before adding to queue\n\nCommit 8c61291fd850 (\"mm: fix incorrect vbq reference in\npurge_fragmented_block\") extended the \u0027vmap_block\u0027 structure to contain a\n\u0027cpu\u0027 field which is set at allocation time to the id of the initialising\nCPU.\n\nWhen a new \u0027vmap_block\u0027 is being instantiated by new_vmap_block(), the\npartially initialised structure is added to the local \u0027vmap_block_queue\u0027\nxarray before the \u0027cpu\u0027 field has been initialised.  If another CPU is\nconcurrently walking the xarray (e.g.  via vm_unmap_aliases()), then it\nmay perform an out-of-bounds access to the remote queue thanks to an\nuninitialised index.\n\nThis has been observed as UBSAN errors in Android:\n\n | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP\n |\n | Call trace:\n |  purge_fragmented_block+0x204/0x21c\n |  _vm_unmap_aliases+0x170/0x378\n |  vm_unmap_aliases+0x1c/0x28\n |  change_memory_common+0x1dc/0x26c\n |  set_memory_ro+0x18/0x24\n |  module_enable_ro+0x98/0x238\n |  do_init_module+0x1b0/0x310\n\nMove the initialisation of \u0027vb-\u003ecpu\u0027 in new_vmap_block() ahead of the\naddition to the xarray."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:58:45.259Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1b2770e27d6d952f491bb362b657e5b2713c3efd"
        },
        {
          "url": "https://git.kernel.org/stable/c/6cf74e0e5e3ab5d5c9defb4c73dad54d52224671"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e3de7947c751509027d26b679ecd243bc9db255"
        }
      ],
      "title": "mm: vmalloc: ensure vmap_block is initialised before adding to queue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-46847",
    "datePublished": "2024-09-27T12:39:39.550Z",
    "dateReserved": "2024-09-11T15:12:18.290Z",
    "dateUpdated": "2025-05-04T12:58:45.259Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-46847\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-09-27T13:15:16.570\",\"lastModified\":\"2024-10-02T14:16:08.180\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: vmalloc: ensure vmap_block is initialised before adding to queue\\n\\nCommit 8c61291fd850 (\\\"mm: fix incorrect vbq reference in\\npurge_fragmented_block\\\") extended the \u0027vmap_block\u0027 structure to contain a\\n\u0027cpu\u0027 field which is set at allocation time to the id of the initialising\\nCPU.\\n\\nWhen a new \u0027vmap_block\u0027 is being instantiated by new_vmap_block(), the\\npartially initialised structure is added to the local \u0027vmap_block_queue\u0027\\nxarray before the \u0027cpu\u0027 field has been initialised.  If another CPU is\\nconcurrently walking the xarray (e.g.  via vm_unmap_aliases()), then it\\nmay perform an out-of-bounds access to the remote queue thanks to an\\nuninitialised index.\\n\\nThis has been observed as UBSAN errors in Android:\\n\\n | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP\\n |\\n | Call trace:\\n |  purge_fragmented_block+0x204/0x21c\\n |  _vm_unmap_aliases+0x170/0x378\\n |  vm_unmap_aliases+0x1c/0x28\\n |  change_memory_common+0x1dc/0x26c\\n |  set_memory_ro+0x18/0x24\\n |  module_enable_ro+0x98/0x238\\n |  do_init_module+0x1b0/0x310\\n\\nMove the initialisation of \u0027vb-\u003ecpu\u0027 in new_vmap_block() ahead of the\\naddition to the xarray.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: vmalloc: garantizar que vmap_block se inicialice antes de agregarlo a la cola. El commit 8c61291fd850 (\\\"mm: corregir referencia vbq incorrecta en purge_fragmented_block\\\") extendi\u00f3 la estructura \u0027vmap_block\u0027 para que contenga un campo \u0027cpu\u0027 que se establece en el momento de la asignaci\u00f3n en el id de la CPU que se inicializa. Cuando se crea una instancia de \u0027vmap_block\u0027 mediante new_vmap_block(), la estructura parcialmente inicializada se agrega a la matriz x local \u0027vmap_block_queue\u0027 antes de que se haya inicializado el campo \u0027cpu\u0027. Si otra CPU est\u00e1 recorriendo simult\u00e1neamente la matriz x (por ejemplo, a trav\u00e9s de vm_unmap_aliases()), puede realizar un acceso fuera de los l\u00edmites a la cola remota gracias a un \u00edndice no inicializado. Esto se ha observado como errores UBSAN en Android: | Error interno: UBSAN: \u00edndice de matriz fuera de los l\u00edmites: 00000000f2005512 [#1] PREEMPT SMP | | Rastreo de llamadas: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Mueva la inicializaci\u00f3n de \u0027vb-\u0026gt;cpu\u0027 en new_vmap_block() antes de la adici\u00f3n a la matriz x.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-129\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.37\",\"versionEndExcluding\":\"6.6.51\",\"matchCriteriaId\":\"A2E729F4-60BE-4AE1-8378-4DA2AE9E4651\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.9.8\",\"versionEndExcluding\":\"6.10\",\"matchCriteriaId\":\"7CD11465-AFC4-428F-A933-C8F6486DDC2F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.10\",\"versionEndExcluding\":\"6.10.10\",\"matchCriteriaId\":\"D16659A9-BECD-4E13-8994-B096652762E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0005AEF-856E-47EB-BFE4-90C46899394D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"39889A68-6D34-47A6-82FC-CD0BF23D6754\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8383ABF-1457-401F-9B61-EE50F4C61F4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"B77A9280-37E6-49AD-B559-5B23A3B1DC3D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1b2770e27d6d952f491bb362b657e5b2713c3efd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3e3de7947c751509027d26b679ecd243bc9db255\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6cf74e0e5e3ab5d5c9defb4c73dad54d52224671\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-46847\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-29T13:58:55.254929Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-29T13:58:56.460Z\"}}], \"cna\": {\"title\": \"mm: vmalloc: ensure vmap_block is initialised before adding to queue\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"88e0ad40d08a73a74c597e69f4cd2d1fba3838b5\", \"lessThan\": \"1b2770e27d6d952f491bb362b657e5b2713c3efd\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"8c61291fd8500e3b35c7ec0c781b273d8cc96cde\", \"lessThan\": \"6cf74e0e5e3ab5d5c9defb4c73dad54d52224671\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"8c61291fd8500e3b35c7ec0c781b273d8cc96cde\", \"lessThan\": \"3e3de7947c751509027d26b679ecd243bc9db255\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9983b81579be3403f5cc44b11f66c6c8bea6547f\", \"versionType\": \"git\"}], \"programFiles\": [\"mm/vmalloc.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.10\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.10\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.6.51\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.10.10\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"mm/vmalloc.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/1b2770e27d6d952f491bb362b657e5b2713c3efd\"}, {\"url\": \"https://git.kernel.org/stable/c/6cf74e0e5e3ab5d5c9defb4c73dad54d52224671\"}, {\"url\": \"https://git.kernel.org/stable/c/3e3de7947c751509027d26b679ecd243bc9db255\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: vmalloc: ensure vmap_block is initialised before adding to queue\\n\\nCommit 8c61291fd850 (\\\"mm: fix incorrect vbq reference in\\npurge_fragmented_block\\\") extended the \u0027vmap_block\u0027 structure to contain a\\n\u0027cpu\u0027 field which is set at allocation time to the id of the initialising\\nCPU.\\n\\nWhen a new \u0027vmap_block\u0027 is being instantiated by new_vmap_block(), the\\npartially initialised structure is added to the local \u0027vmap_block_queue\u0027\\nxarray before the \u0027cpu\u0027 field has been initialised.  If another CPU is\\nconcurrently walking the xarray (e.g.  via vm_unmap_aliases()), then it\\nmay perform an out-of-bounds access to the remote queue thanks to an\\nuninitialised index.\\n\\nThis has been observed as UBSAN errors in Android:\\n\\n | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP\\n |\\n | Call trace:\\n |  purge_fragmented_block+0x204/0x21c\\n |  _vm_unmap_aliases+0x170/0x378\\n |  vm_unmap_aliases+0x1c/0x28\\n |  change_memory_common+0x1dc/0x26c\\n |  set_memory_ro+0x18/0x24\\n |  module_enable_ro+0x98/0x238\\n |  do_init_module+0x1b0/0x310\\n\\nMove the initialisation of \u0027vb-\u003ecpu\u0027 in new_vmap_block() ahead of the\\naddition to the xarray.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.51\", \"versionStartIncluding\": \"6.6.37\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.10.10\", \"versionStartIncluding\": \"6.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11\", \"versionStartIncluding\": \"6.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.9.8\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T12:58:45.259Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-46847\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T12:58:45.259Z\", \"dateReserved\": \"2024-09-11T15:12:18.290Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-09-27T12:39:39.550Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.