ghsa-hpp4-8vc7-9fh4
Vulnerability from github
Published
2024-05-19 09:34
Modified
2024-06-27 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

net/rds: fix possible cp null dereference

cp might be null, calling cp->cp_conn would produce null dereference

[Simon Horman adds:]

Analysis:

  • cp is a parameter of __rds_rdma_map and is not reassigned.

  • The following call-sites pass a NULL cp argument to __rds_rdma_map()

  • rds_get_mr()

  • rds_get_mr_for_dest

  • Prior to the code above, the following assumes that cp may be NULL (which is indicative, but could itself be unnecessary)

    trans_private = rs->rs_transport->get_mr( sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL, args->vec.addr, args->vec.bytes, need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);

  • The code modified by this patch is guarded by IS_ERR(trans_private), where trans_private is assigned as per the previous point in this analysis.

The only implementation of get_mr that I could locate is rds_ib_get_mr() which can return an ERR_PTR if the conn (4th) argument is NULL.

  • ret is set to PTR_ERR(trans_private). rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL. Thus ret may be -ENODEV in which case the code in question will execute.

Conclusion: * cp may be NULL at the point where this patch adds a check; this patch does seem to address a possible bug

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-35902"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-19T09:15:11Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp-\u003ecp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n  - rds_get_mr()\n  - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n  (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs-\u003ers_transport-\u003eget_mr(\n\t\tsg, nents, rs, \u0026mr-\u003er_key, cp ? cp-\u003ecp_conn : NULL,\n\t\targs-\u003evec.addr, args-\u003evec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n  where trans_private is assigned as per the previous point in this analysis.\n\n  The only implementation of get_mr that I could locate is rds_ib_get_mr()\n  which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n  rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n  Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n  this patch does seem to address a possible bug",
  "id": "GHSA-hpp4-8vc7-9fh4",
  "modified": "2024-06-27T12:30:46Z",
  "published": "2024-05-19T09:34:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35902"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.