Bug 2256490 (CVE-2024-0841)

Summary: CVE-2024-0841 kernel: hugetlbfs: Null pointer dereference in hugetlbfs_fill_super function
Product: [Other] Security Response
Reporter: Alex <allarkin>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, allarkin, aquini, aubaker, bhu, carnil, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, hkrzesin, ikent, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kyoshida, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, nmurray, nyelle, preichl, ptalbert, rogbas, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, sukulkar, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2260734
Bug Blocks: 2243125

Description Alex 2024-01-02 17:40:35 UTC
A flaw in the Linux kernel was found: a null pointer dereference in the hugetlbfs_fill_super function for hugetlbfs (HugeTLB pages). The issue presents when we attempt to update the pagesize value to an invalid size with the fsconfig syscall. This syscall will eventually call hugetlbfs_parse_param(), where we will set the hstate value to null if the value passed is not a valid page size.
If we then attempt to update the fs again with an fsconfig syscall, specifically with the FSCONFIG_CMD_CREATE option, we will then attempt to dereference that null pointer within hugetlbfs_fill_super(), causing a panic.
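
A userspace C model of the two-step sequence the description above lays out, added here as an illustration; it is not kernel code and not the patch for this bug. The parse/create split, the hstate table and the invalid size string "3M" are constructed sample values. The vulnerable parser reproduces the described behaviour (an unknown pagesize silently leaves the context's hstate NULL), and the hardened variant shows the defensive shape: reject the unknown value at parse time, and have the create step refuse a context with no hstate rather than dereference it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a huge page size descriptor, mirroring the name
 * used in the report. order is illustrative only. */
struct hstate {
    const char *name;
    unsigned int order;
};

/* Hypothetical table of supported huge page sizes (constructed). */
static const struct hstate hstates[] = {
    { "2M", 9 },
    { "1G", 18 },
};

/* Mount context; a NULL hstate is the dangerous state. */
struct hugetlbfs_fs_context {
    const struct hstate *hstate;
};

static const struct hstate *size_to_hstate(const char *pagesize)
{
    for (size_t i = 0; i < sizeof hstates / sizeof hstates[0]; i++)
        if (strcmp(hstates[i].name, pagesize) == 0)
            return &hstates[i];
    return NULL;
}

/* Vulnerable pattern as described: the lookup result, NULL included,
 * is stored unconditionally and the call still reports success. */
int parse_pagesize_vulnerable(struct hugetlbfs_fs_context *ctx, const char *pagesize)
{
    ctx->hstate = size_to_hstate(pagesize);
    return 0;
}

/* Hardened form: an unknown size is rejected and the previously valid
 * hstate in the context is left untouched. */
int parse_pagesize_hardened(struct hugetlbfs_fs_context *ctx, const char *pagesize)
{
    const struct hstate *h = size_to_hstate(pagesize);
    if (!h)
        return -EINVAL;
    ctx->hstate = h;
    return 0;
}

/* Model of the create step. Returns the page order, or -EINVAL when the
 * context carries no hstate. An unchecked ctx->hstate->order here is
 * the dereference the report describes; the check is defence in depth
 * in case a parser ever lets a NULL through. */
int fill_super_checked(const struct hugetlbfs_fs_context *ctx)
{
    if (!ctx->hstate)
        return -EINVAL;
    return (int)ctx->hstate->order;
}

/* Two-step sequence with the vulnerable parser: returns 1 when the
 * context ends up with a NULL hstate (the crash precondition). */
int vulnerable_parser_leaves_null(void)
{
    struct hugetlbfs_fs_context ctx = { .hstate = size_to_hstate("2M") };
    parse_pagesize_vulnerable(&ctx, "3M");   /* constructed invalid size */
    return ctx.hstate == NULL;
}

/* Same sequence with the hardened parser: returns the parser's error
 * code, or -1 if the context lost its valid hstate (must not happen). */
int hardened_parser_result(void)
{
    struct hugetlbfs_fs_context ctx = { .hstate = size_to_hstate("2M") };
    int rc = parse_pagesize_hardened(&ctx, "3M");
    if (ctx.hstate == NULL)
        return -1;
    return rc;
}

/* Create step after the vulnerable parser ran: the checked consumer
 * returns -EINVAL instead of dereferencing NULL. */
int create_after_invalid_size(void)
{
    struct hugetlbfs_fs_context ctx = { .hstate = size_to_hstate("2M") };
    parse_pagesize_vulnerable(&ctx, "3M");
    return fill_super_checked(&ctx);
}

/* Create step after a valid size: returns the order of "1G". */
int create_after_valid_size(void)
{
    struct hugetlbfs_fs_context ctx = { .hstate = NULL };
    if (parse_pagesize_hardened(&ctx, "1G") != 0)
        return -1;
    return fill_super_checked(&ctx);
}

int main(void)
{
    printf("vulnerable parser leaves NULL hstate: %d\n", vulnerable_parser_leaves_null());
    printf("hardened parser rc for invalid size: %d\n", hardened_parser_result());
    printf("checked create after invalid size: %d\n", create_after_invalid_size());
    printf("checked create after valid size: %d\n", create_after_valid_size());
    return 0;
}
```

The point of the model is where the check lives: validating in the parser alone stops the NULL from ever entering the context, while the check in the create step protects any other path that builds the context. Both together are the shape one would look for when reviewing a fix for this class of bug.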

Comment 9 Audra Mitchell 2024-01-24 14:14:58 UTC
Hey Alex,

When are we planning on lifting the embargo? I need to know so that I can plan how I'm going to submit the patch upstream. Thanks!

Comment 10 Alex 2024-01-28 11:18:19 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2260734]

Comment 11 Alex 2024-01-28 11:19:27 UTC
In reply to comment #9:
> Hey Alex,
> 
> When are we planning on lifting the embargo? I need to know so that I can
> plan how I'm going to submit the patch upstream. Thanks!

Unembargoed.

Comment 13 Salvatore Bonaccorso 2024-01-28 20:21:30 UTC
(In reply to Audra Mitchell from comment #9)
> Hey Alex,
> 
> When are we planning on lifting the embargo? I need to know so that I can
> plan how I'm going to submit the patch upstream. Thanks!

Alex, once this has been submitted upstream, can you post a cross reference here?

Would be much appreciated!

Regards,
Salvatore

Comment 20 errata-xmlrpc 2024-04-30 10:14:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394