Bug 2256490 (CVE-2024-0841) - CVE-2024-0841 kernel: hugetlbfs: Null pointer dereference in hugetlbfs_fill_super function
Summary: CVE-2024-0841 kernel: hugetlbfs: Null pointer dereference in hugetlbfs_fill_s...
Keywords:
Status: NEW
Alias: CVE-2024-0841
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2260734
Blocks: 2243125
Reported: 2024-01-02 17:40 UTC by Alex
Modified: 2024-05-22 09:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links (system, ID, last updated)
Red Hat Knowledge Base (Solution) 7054691 - 2024-02-05 14:59:54 UTC
Red Hat Product Errata RHBA-2024:2634 - 2024-05-01 01:22:19 UTC
Red Hat Product Errata RHBA-2024:2650 - 2024-05-02 00:15:06 UTC
Red Hat Product Errata RHBA-2024:2686 - 2024-05-02 22:50:14 UTC
Red Hat Product Errata RHSA-2024:2394 - 2024-04-30 10:14:55 UTC
Red Hat Product Errata RHSA-2024:2950 - 2024-05-22 09:15:24 UTC
Red Hat Product Errata RHSA-2024:3138 - 2024-05-22 09:52:37 UTC

Description Alex 2024-01-02 17:40:35 UTC
A flaw was found in the Linux kernel: a null pointer dereference in the hugetlbfs_fill_super function for hugetlbfs (HugeTLB pages). The issue presents when we attempt to update the pagesize value to an invalid size with the fsconfig syscall. This syscall will eventually call hugetlbfs_parse_param(), where we will set the hstate value to null if the value passed is not a valid page size.
If we then attempt to update the fs again with an fsconfig syscall, specifically with the FSCONFIG_CMD_CREATE option, we will attempt to dereference that null pointer within hugetlbfs_fill_super(), causing a panic.
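The sequence from the description (a rejected pagesize via fsconfig, then FSCONFIG_CMD_CREATE) as an added user-space model, not kernel code and not from the report: the parse shape that overwrites the context's hstate with NULL on a failed lookup sits beside one hardened shape that validates into a local first, and fill_super refuses a NULL hstate instead of dereferencing it. The struct layouts, the page-size table and the default hstate set at fsopen time are assumptions made for the model.

```c
/* Added example, not kernel code: a user-space model of the CVE-2024-0841 pattern.
 * Names mirror the kernel's; structs and the page-size table are constructed here. */
#include <errno.h>
#include <stddef.h>

struct hstate { unsigned long page_size; };     /* models struct hstate */
struct fs_context { struct hstate *hstate; };   /* models hugetlbfs_fs_context */
/* Constructed table of supported huge page sizes: 2 MiB and 1 GiB. */
static struct hstate hstates[] = { { 2UL << 20 }, { 1UL << 30 } };

static struct hstate *size_to_hstate(unsigned long size)
{
    for (size_t i = 0; i < sizeof hstates / sizeof hstates[0]; i++)
        if (hstates[i].page_size == size)
            return &hstates[i];
    return NULL;    /* unsupported size */
}
/* Vulnerable shape: the failed lookup overwrites ctx->hstate with NULL before
 * the check, so the -EINVAL return leaves the context holding a NULL. */
static int parse_pagesize_vuln(struct fs_context *ctx, unsigned long ps)
{
    ctx->hstate = size_to_hstate(ps);
    return ctx->hstate ? 0 : -EINVAL;
}
/* Hardened shape: validate into a local first; on error the context keeps
 * the hstate it already had. */
static int parse_pagesize_fixed(struct fs_context *ctx, unsigned long ps)
{
    struct hstate *h = size_to_hstate(ps);
    if (!h)
        return -EINVAL;
    ctx->hstate = h;
    return 0;
}
/* Models the FSCONFIG_CMD_CREATE path into fill_super: returns the page size
 * it would use, or -EINVAL rather than dereferencing a NULL hstate. */
static long fill_super(const struct fs_context *ctx)
{
    if (!ctx->hstate)
        return -EINVAL;
    return (long)ctx->hstate->page_size;
}
/* The sequence from the report: a rejected pagesize, then CREATE. */
static long run_sequence(int (*parse)(struct fs_context *, unsigned long))
{
    struct fs_context ctx = { size_to_hstate(2UL << 20) };  /* default at fsopen */
    (void)parse(&ctx, 1024);   /* 1024 is not a huge page size: returns -EINVAL */
    return fill_super(&ctx);
}
```

With the vulnerable parser, run_sequence reaches fill_super with a NULL hstate, which is the point where the real code crashed; with the hardened parser the earlier default survives the rejected option.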

Comment 9 Audra Mitchell 2024-01-24 14:14:58 UTC
Hey Alex,

When are we planning on lifting the embargo? I need to know so that I can plan how I'm going to submit the patch upstream. Thanks!

Comment 10 Alex 2024-01-28 11:18:19 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2260734]

Comment 11 Alex 2024-01-28 11:19:27 UTC
In reply to comment #9:
> Hey Alex,
> 
> When are we planning on lifting the embargo? I need to know so that I can
> plan how I'm going to submit the patch upstream. Thanks!

Unembargoed.

Comment 13 Salvatore Bonaccorso 2024-01-28 20:21:30 UTC
(In reply to Audra Mitchell from comment #9)
> Hey Alex,
> 
> When are we planning on lifting the embargo? I need to know so that I can
> plan how I'm going to submit the patch upstream. Thanks!

Alex, once this has been submitted upstream, can you post a cross reference here?

Would be much appreciated!

Regards,
Salvatore

Comment 20 errata-xmlrpc 2024-04-30 10:14:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394

Comment 21 errata-xmlrpc 2024-05-22 09:15:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950

Comment 22 errata-xmlrpc 2024-05-22 09:52:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138

