Bug 2307863 (CVE-2024-43890) - CVE-2024-43890 kernel: tracing: Fix overflow in get_free_elt()
Summary: CVE-2024-43890 kernel: tracing: Fix overflow in get_free_elt()
Keywords:
Status: NEW
Alias: CVE-2024-43890
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2308165
Blocks:
Reported: 2024-08-26 11:20 UTC by OSIDB Bzimport
Modified: 2024-10-03 16:43 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow vulnerability was found in the get_free_elt() function, part of the tracing map logic in the Linux kernel's tracing subsystem. A local attacker with access to the tracing subsystem could exploit this vulnerability to cause a CPU hang, leading to a denial of service (DoS).
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-08-26 11:20:43 UTC
In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix overflow in get_free_elt()

"tracing_map->next_elt" in get_free_elt() is at risk of overflowing.

Once it overflows, new elements can still be inserted into the tracing_map
even though the maximum number of elements (`max_elts`) has been reached.
Continuing to insert elements after the overflow could result in the
tracing_map containing "tracing_map->max_size" elements, leaving no empty
entries.
If any attempt is made to insert an element into a full tracing_map using
`__tracing_map_insert()`, it will cause an infinite loop with preemption
disabled, leading to a CPU hang problem.

Fix this by preventing any further increments to "tracing_map->next_elt"
once it reaches "tracing_map->max_elt".
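
The counter behaviour described above, as an added userspace model that is not kernel code and not part of the bug report. The names `map_model`, `get_free_unbounded`, `get_free_bounded` and `drive` are hypothetical, and the jump to `INT32_MAX` is a constructed state standing in for a long run of rejected calls on a full map.

```c
#include <stdint.h>
#include <stdio.h>
/* Userspace model (assumption): single-threaded, plain integers, no atomic_t. */
struct map_model {
    uint32_t next_elt;  /* bit pattern of a signed 32-bit counter */
    int32_t  max_elts;  /* element limit */
    uint64_t admitted;  /* calls that were granted an element */
};

/* Reinterpret as two's complement without implementation-defined casts. */
static int32_t as_signed(uint32_t u)
{
    return u <= INT32_MAX ? (int32_t)u : -(int32_t)(UINT32_MAX - u) - 1;
}

/* Unbounded pattern: the counter is bumped on every call, even when full. */
static int get_free_unbounded(struct map_model *m)
{
    int32_t idx = as_signed(m->next_elt++);  /* unsigned wrap is well defined */
    if (idx >= m->max_elts) return 0;
    m->admitted++;
    return 1;
}

/* Saturating pattern: no further increments once the limit is reached. */
static int get_free_bounded(struct map_model *m)
{
    if (as_signed(m->next_elt) >= m->max_elts) return 0;
    m->next_elt++;
    m->admitted++;
    return 1;
}

/* Issue `calls` requests through fn and return how many were granted. */
static uint64_t drive(struct map_model *m, int (*fn)(struct map_model *), uint32_t calls)
{
    uint64_t before = m->admitted;
    while (calls--) fn(m);
    return m->admitted - before;
}

int main(void)
{
    struct map_model a = { 0, 4, 0 }, b = { 0, 4, 0 };
    drive(&a, get_free_unbounded, 100);
    drive(&b, get_free_bounded, 100);
    a.next_elt = INT32_MAX; /* constructed: skips ~2^31 further rejected calls */
    printf("unbounded after wrap: +%d; bounded counter: %u\n", (int)drive(&a, get_free_unbounded, 3), (unsigned)b.next_elt);
    return 0;
}
```

In the unbounded form the limit check passes again as soon as the counter turns negative, so the element count is no longer capped at the limit; the saturating form leaves the counter parked at the limit however many requests arrive.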

Comment 1 Mauro Matteo Cascella 2024-08-27 14:01:16 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024082601-CVE-2024-43890-1c3a@gregkh/T

