cve-2024-39371
Vulnerability from cvelistv5
Published
2024-06-25 14:22
Modified
2024-11-05 09:31
Summary
io_uring: check for non-NULL file pointer in io_file_can_poll()
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T04:26:14.280Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c2844d5e58576c55d8e8d4a9f74902d3f7be8044" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/43cfac7b88adedfb26c27834386992650f1642f3" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/65561b4c1c9e01443cb76387eb36a9109e7048ee" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/5fc16fa5f13b3c06fdb959ef262050bd810416a2" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-39371", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T17:08:11.447058Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:34:42.499Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "io_uring/io_uring.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c2844d5e5857", "status": "affected", "version": "a76c0b31eef5", "versionType": "git" }, { "lessThan": "43cfac7b88ad", "status": "affected", "version": "a76c0b31eef5", "versionType": "git" }, { "lessThan": "65561b4c1c9e", "status": "affected", "version": "a76c0b31eef5", "versionType": "git" }, { "lessThan": "5fc16fa5f13b", "status": "affected", "version": "a76c0b31eef5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "io_uring/io_uring.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { 
"status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.95", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.35", "versionType": "semver" }, { "lessThanOrEqual": "6.9.*", "status": "unaffected", "version": "6.9.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: check for non-NULL file pointer in io_file_can_poll()\n\nIn earlier kernels, it was possible to trigger a NULL pointer\ndereference off the forced async preparation path, if no file had\nbeen assigned. The trace leading to that looks as follows:\n\nBUG: kernel NULL pointer dereference, address: 00000000000000b0\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022\nRIP: 0010:io_buffer_select+0xc3/0x210\nCode: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 \u003c48\u003e 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b\nRSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246\nRAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040\nRDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700\nRBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020\nR10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8\nR13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000\nFS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000000b0 CR3: 000000016deab005 CR4: 
0000000000370ef0\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x1f/0x60\n ? page_fault_oops+0x14d/0x420\n ? do_user_addr_fault+0x61/0x6a0\n ? exc_page_fault+0x6c/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? io_buffer_select+0xc3/0x210\n __io_import_iovec+0xb5/0x120\n io_readv_prep_async+0x36/0x70\n io_queue_sqe_fallback+0x20/0x260\n io_submit_sqes+0x314/0x630\n __do_sys_io_uring_enter+0x339/0xbc0\n ? __do_sys_io_uring_register+0x11b/0xc50\n ? vm_mmap_pgoff+0xce/0x160\n do_syscall_64+0x5f/0x180\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0x55e0a110a67e\nCode: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 \u003cc3\u003e 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6\n\nbecause the request is marked forced ASYNC and has a bad file fd, and\nhence takes the forced async prep path.\n\nCurrent kernels with the request async prep cleaned up can no longer hit\nthis issue, but for ease of backporting, let\u0027s add this safety check in\nhere too as it really doesn\u0027t hurt. For both cases, this will inevitably\nend with a CQE posted with -EBADF." 
} ], "providerMetadata": { "dateUpdated": "2024-11-05T09:31:44.109Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c2844d5e58576c55d8e8d4a9f74902d3f7be8044" }, { "url": "https://git.kernel.org/stable/c/43cfac7b88adedfb26c27834386992650f1642f3" }, { "url": "https://git.kernel.org/stable/c/65561b4c1c9e01443cb76387eb36a9109e7048ee" }, { "url": "https://git.kernel.org/stable/c/5fc16fa5f13b3c06fdb959ef262050bd810416a2" } ], "title": "io_uring: check for non-NULL file pointer in io_file_can_poll()", "x_generator": { "engine": "bippy-9e1c9544281a" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-39371", "datePublished": "2024-06-25T14:22:42.919Z", "dateReserved": "2024-06-24T13:54:11.039Z", "dateUpdated": "2024-11-05T09:31:44.109Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-39371\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-25T15:15:14.410\",\"lastModified\":\"2024-08-19T19:40:41.547\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring: check for non-NULL file pointer in io_file_can_poll()\\n\\nIn earlier kernels, it was possible to trigger a NULL pointer\\ndereference off the forced async preparation path, if no file had\\nbeen assigned. 
The trace leading to that looks as follows:\\n\\nBUG: kernel NULL pointer dereference, address: 00000000000000b0\\nPGD 0 P4D 0\\nOops: 0000 [#1] PREEMPT SMP\\nCPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022\\nRIP: 0010:io_buffer_select+0xc3/0x210\\nCode: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 \u003c48\u003e 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b\\nRSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246\\nRAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040\\nRDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700\\nRBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020\\nR10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8\\nR13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000\\nFS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0\\nCall Trace:\\n \u003cTASK\u003e\\n ? __die+0x1f/0x60\\n ? page_fault_oops+0x14d/0x420\\n ? do_user_addr_fault+0x61/0x6a0\\n ? exc_page_fault+0x6c/0x150\\n ? asm_exc_page_fault+0x22/0x30\\n ? io_buffer_select+0xc3/0x210\\n __io_import_iovec+0xb5/0x120\\n io_readv_prep_async+0x36/0x70\\n io_queue_sqe_fallback+0x20/0x260\\n io_submit_sqes+0x314/0x630\\n __do_sys_io_uring_enter+0x339/0xbc0\\n ? __do_sys_io_uring_register+0x11b/0xc50\\n ? 
vm_mmap_pgoff+0xce/0x160\\n do_syscall_64+0x5f/0x180\\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\\nRIP: 0033:0x55e0a110a67e\\nCode: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 \u003cc3\u003e 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6\\n\\nbecause the request is marked forced ASYNC and has a bad file fd, and\\nhence takes the forced async prep path.\\n\\nCurrent kernels with the request async prep cleaned up can no longer hit\\nthis issue, but for ease of backporting, let\u0027s add this safety check in\\nhere too as it really doesn\u0027t hurt. For both cases, this will inevitably\\nend with a CQE posted with -EBADF.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: comprueba si hay un puntero de archivo que no sea NULL en io_file_can_poll(). En kernels anteriores, era posible activar una desreferencia del puntero NULL fuera de la ruta de preparaci\u00f3n asincr\u00f3nica forzada, si no se hab\u00eda creado ning\u00fan archivo. asignado. 
El rastro que conduce a esto tiene el siguiente aspecto: ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 00000000000000b0 PGD 0 P4D 0 Ups: 0000 [#1] CPU SMP PREEMPT: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0 -rc3+ #1 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS desconocido 2/2/2022 RIP: 0010:io_buffer_select+0xc3/0x210 C\u00f3digo: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 \u0026lt;48\u0026gt; 8b 92 b0 00 00 00 48 83 7a 40 00 84 21 01 00 00 4c 8b 20 5b RSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246 RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 00000000000000040 RDX: 0000000000000000 RSI: 97aecfb04820 RDI: ffff97af234f1700 RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020 R10: ffffb7bec38c7dc8 R11: 000000000000 c000 R12: ffffb7bec38c7db8 R13: ffff97aecfb05800 R14 : ffff97aecfb05800 R15: ffff97af2be5e000 FS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:00000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0 Seguimiento de llamadas: ? __die+0x1f/0x60 ? page_fault_oops+0x14d/0x420? do_user_addr_fault+0x61/0x6a0? exc_page_fault+0x6c/0x150? asm_exc_page_fault+0x22/0x30? io_buffer_select+0xc3/0x210 __io_import_iovec+0xb5/0x120 io_readv_prep_async+0x36/0x70 io_queue_sqe_fallback+0x20/0x260 io_submit_sqes+0x314/0x630 __do_sys_io_uring_enter+0x33 9/0xbc0 ? __do_sys_io_uring_register+0x11b/0xc50? 
vm_mmap_pgoff+0xce/0x160 do_syscall_64+0x5f/0x180 Entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0x55e0a110a67e C\u00f3digo: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 0 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6 porque la solicitud est\u00e1 marcada como ASYNC forzado y tiene un archivo incorrecto fd y, por lo tanto, toma la ruta de preparaci\u00f3n asincr\u00f3nica forzada. Los kernels actuales con la preparaci\u00f3n as\u00edncrona de solicitud limpia ya no pueden solucionar este problema, pero para facilitar la compatibilidad, agreguemos esta verificaci\u00f3n de seguridad aqu\u00ed tambi\u00e9n, ya que realmente no hace da\u00f1o. En ambos casos, esto inevitablemente terminar\u00e1 con un CQE publicado con -EBADF.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.19\",\"versionEndExcluding\":\"6.1.95\",\"matchCriteriaId\":\"E0A7F60D-A7BB-486D-9C47-C6BD16DE5AC3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.35\",\"matchCriteriaId\":\"6F019D15-84C0-416B-8C57-7F51B68992F0\"},{\"vulne
rable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.9.5\",\"matchCriteriaId\":\"8366481F-770F-4850-9D0F-2977BD97D5C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"2EBB4392-5FA6-4DA9-9772-8F9C750109FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"331C2F14-12C7-45D5-893D-8C52EE38EA10\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/43cfac7b88adedfb26c27834386992650f1642f3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5fc16fa5f13b3c06fdb959ef262050bd810416a2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/65561b4c1c9e01443cb76387eb36a9109e7048ee\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c2844d5e58576c55d8e8d4a9f74902d3f7be8044\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}" } }
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst's perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.