ghsa-8chq-hjc6-56vh
Vulnerability from github
Published
2024-05-17 15:31
Modified
2024-06-27 12:30
Details
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v3-its: Prevent double free on error
The error handling path in its_vpe_irq_domain_alloc() causes a double free when its_vpe_init() fails after successfully allocating at least one interrupt. This happens because its_vpe_irq_domain_free() frees the interrupts along with the area bitmap and the vprop_page and its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the vprop_page again.
Fix this by unconditionally invoking its_vpe_irq_domain_free() which handles all cases correctly and by removing the bitmap/vprop_page freeing from its_vpe_irq_domain_alloc().
[ tglx: Massaged change log ]
{ "affected": [], "aliases": [ "CVE-2024-35847" ], "database_specific": { "cwe_ids": [], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-05-17T15:15:21Z", "severity": null }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Prevent double free on error\n\nThe error handling path in its_vpe_irq_domain_alloc() causes a double free\nwhen its_vpe_init() fails after successfully allocating at least one\ninterrupt. This happens because its_vpe_irq_domain_free() frees the\ninterrupts along with the area bitmap and the vprop_page and\nits_vpe_irq_domain_alloc() subsequently frees the area bitmap and the\nvprop_page again.\n\nFix this by unconditionally invoking its_vpe_irq_domain_free() which\nhandles all cases correctly and by removing the bitmap/vprop_page freeing\nfrom its_vpe_irq_domain_alloc().\n\n[ tglx: Massaged change log ]", "id": "GHSA-8chq-hjc6-56vh", "modified": "2024-06-27T12:30:46Z", "published": "2024-05-17T15:31:12Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35847" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/03170e657f62c26834172742492a8cb8077ef792" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/5b012f77abde89bf0be8a0547636184fea618137" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/5dbdbe1133911ca7d8466bb86885adec32ad9438" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/aa44d21574751a7d6bca892eb8e0e9ac68372e52" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/b72d2b1448b682844f995e660b77f2a1fabc1662" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/c26591afd33adce296c022e3480dea4282b7ef91" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/dd681710ab77c8beafe2e263064cb1bd0e2d6ca9" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/f5417ff561b8ac9a7e53c747b8627a7ab58378ae" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html" } ], "schema_version": "1.4.0", "severity": [] }
Loading...