ghsa-qm24-fmqw-f5v5
Vulnerability from github
Published
2024-11-09 12:30
Modified
2024-11-13 21:30
Details

In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan()

KASAN reported following issue:

BUG: KASAN: stack-out-of-bounds in tb_retimer_scan+0xffe/0x1550 [thunderbolt] Read of size 4 at addr ffff88810111fc1c by task kworker/u56:0/11 CPU: 0 UID: 0 PID: 11 Comm: kworker/u56:0 Tainted: G U 6.11.0+ #1387 Tainted: [U]=USER Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt] Call Trace: dump_stack_lvl+0x6c/0x90 print_report+0xd1/0x630 kasan_report+0xdb/0x110 __asan_report_load4_noabort+0x14/0x20 tb_retimer_scan+0xffe/0x1550 [thunderbolt] tb_scan_port+0xa6f/0x2060 [thunderbolt] tb_handle_hotplug+0x17b1/0x3080 [thunderbolt] process_one_work+0x626/0x1100 worker_thread+0x6c8/0xfa0 kthread+0x2c8/0x3a0 ret_from_fork+0x3a/0x80 ret_from_fork_asm+0x1a/0x30

This happens because the loop variable still gets incremented by one so max becomes 3 instead of 2, and this makes the second loop read past the the array declared on the stack.

Fix this by assigning to max directly in the loop body.

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2024-50227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-09T11:15:08Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan()\n\nKASAN reported following issue:\n\n BUG: KASAN: stack-out-of-bounds in tb_retimer_scan+0xffe/0x1550 [thunderbolt]\n Read of size 4 at addr ffff88810111fc1c by task kworker/u56:0/11\n CPU: 0 UID: 0 PID: 11 Comm: kworker/u56:0 Tainted: G     U             6.11.0+ #1387\n Tainted: [U]=USER\n Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt]\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x6c/0x90\n  print_report+0xd1/0x630\n  kasan_report+0xdb/0x110\n  __asan_report_load4_noabort+0x14/0x20\n  tb_retimer_scan+0xffe/0x1550 [thunderbolt]\n  tb_scan_port+0xa6f/0x2060 [thunderbolt]\n  tb_handle_hotplug+0x17b1/0x3080 [thunderbolt]\n  process_one_work+0x626/0x1100\n  worker_thread+0x6c8/0xfa0\n  kthread+0x2c8/0x3a0\n  ret_from_fork+0x3a/0x80\n  ret_from_fork_asm+0x1a/0x30\n\nThis happens because the loop variable still gets incremented by one so\nmax becomes 3 instead of 2, and this makes the second loop read past the\nthe array declared on the stack.\n\nFix this by assigning to max directly in the loop body.",
  "id": "GHSA-qm24-fmqw-f5v5",
  "modified": "2024-11-13T21:30:32Z",
  "published": "2024-11-09T12:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50227"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/08b2771e9270fbe1ed4fbbe93abe05ac7fe9861d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9e1b20fae7de06ba36dd3f8dba858157bad233d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.