Bug 2337342 (CVE-2024-47809) - CVE-2024-47809 kernel: dlm: fix possible lkb_resource null dereference
Summary: CVE-2024-47809 kernel: dlm: fix possible lkb_resource null dereference
Keywords:
Status: NEW
Alias: CVE-2024-47809
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-01-13 11:56 UTC by OSIDB Bzimport
Modified: 2025-01-13 13:04 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-01-13 11:56:39 UTC 
In the Linux kernel, the following vulnerability has been resolved:

dlm: fix possible lkb_resource null dereference

This patch fixes a possible null pointer dereference when this function is
called from request_lock() as lkb->lkb_resource is not assigned yet,
only after validate_lock_args() by calling attach_lkb(). Another issue
is that a resource name could be a non printable bytearray and we cannot
assume to be ASCII coded.

The log functionality is probably never being hit when DLM is used in
normal way and no debug logging is enabled. The null pointer dereference
can only occur on a new created lkb that does not have the resource
assigned yet, it probably never hits the null pointer dereference but we
should be sure that other changes might not change this behaviour and we
actually can hit the mentioned null pointer dereference.

In this patch we just drop the printout of the resource name, the lkb id
is enough to make a possible connection to a resource name if this
exists.
Comment 1 Avinash Hanwate 2025-01-13 13:01:29 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025011120-CVE-2024-47809-7b40@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.