cve-2024-44981
Vulnerability from cvelistv5
Published
2024-09-04 19:54
Modified
2024-12-19 09:19
Severity ?
EPSS score ?
Summary
workqueue: Fix UBSAN 'subtraction overflow' error in shift_and_mask()
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-44981",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:18:14.996929Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T17:33:17.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/workqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90a6a844b2d9927d192758438a4ada33d8cd9de5",
"status": "affected",
"version": "1211f3b21c2aa0d22d8d7f050e3a5930a91cd0e4",
"versionType": "git"
},
{
"lessThan": "38f7e14519d39cf524ddc02d4caee9b337dad703",
"status": "affected",
"version": "1211f3b21c2aa0d22d8d7f050e3a5930a91cd0e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/workqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nworkqueue: Fix UBSAN \u0027subtraction overflow\u0027 error in shift_and_mask()\n\nUBSAN reports the following \u0027subtraction overflow\u0027 error when booting\nin a virtual machine on Android:\n\n | Internal error: UBSAN: integer subtraction overflow: 00000000f2005515 [#1] PREEMPT SMP\n | Modules linked in:\n | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-00006-g3cbe9e5abd46-dirty #4\n | Hardware name: linux,dummy-virt (DT)\n | pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n | pc : cancel_delayed_work+0x34/0x44\n | lr : cancel_delayed_work+0x2c/0x44\n | sp : ffff80008002ba60\n | x29: ffff80008002ba60 x28: 0000000000000000 x27: 0000000000000000\n | x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n | x23: 0000000000000000 x22: 0000000000000000 x21: ffff1f65014cd3c0\n | x20: ffffc0e84c9d0da0 x19: ffffc0e84cab3558 x18: ffff800080009058\n | x17: 00000000247ee1f8 x16: 00000000247ee1f8 x15: 00000000bdcb279d\n | x14: 0000000000000001 x13: 0000000000000075 x12: 00000a0000000000\n | x11: ffff1f6501499018 x10: 00984901651fffff x9 : ffff5e7cc35af000\n | x8 : 0000000000000001 x7 : 3d4d455453595342 x6 : 000000004e514553\n | x5 : ffff1f6501499265 x4 : ffff1f650ff60b10 x3 : 0000000000000620\n | x2 : ffff80008002ba78 x1 : 0000000000000000 x0 : 0000000000000000\n | Call trace:\n | cancel_delayed_work+0x34/0x44\n | deferred_probe_extend_timeout+0x20/0x70\n | driver_register+0xa8/0x110\n | __platform_driver_register+0x28/0x3c\n | syscon_init+0x24/0x38\n | do_one_initcall+0xe4/0x338\n | do_initcall_level+0xac/0x178\n | do_initcalls+0x5c/0xa0\n | do_basic_setup+0x20/0x30\n | kernel_init_freeable+0x8c/0xf8\n | kernel_init+0x28/0x1b4\n | ret_from_fork+0x10/0x20\n | Code: f9000fbf 97fffa2f 39400268 37100048 (d42aa2a0)\n | ---[ end trace 0000000000000000 ]---\n | Kernel panic - not syncing: UBSAN: integer subtraction overflow: Fatal exception\n\nThis is due to shift_and_mask() using a signed immediate to construct\nthe mask and being called with a shift of 31 (WORK_OFFQ_POOL_SHIFT) so\nthat it ends up decrementing from INT_MIN.\n\nUse an unsigned constant \u00271U\u0027 to generate the mask in shift_and_mask()."
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T09:19:34.692Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90a6a844b2d9927d192758438a4ada33d8cd9de5"
},
{
"url": "https://git.kernel.org/stable/c/38f7e14519d39cf524ddc02d4caee9b337dad703"
}
],
"title": "workqueue: Fix UBSAN \u0027subtraction overflow\u0027 error in shift_and_mask()",
"x_generator": {
"engine": "bippy-5f407fcff5a0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-44981",
"datePublished": "2024-09-04T19:54:31.505Z",
"dateReserved": "2024-08-21T05:34:56.670Z",
"dateUpdated": "2024-12-19T09:19:34.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-44981\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-09-04T20:15:07.533\",\"lastModified\":\"2024-09-05T17:54:19.377\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nworkqueue: Fix UBSAN \u0027subtraction overflow\u0027 error in shift_and_mask()\\n\\nUBSAN reports the following \u0027subtraction overflow\u0027 error when booting\\nin a virtual machine on Android:\\n\\n | Internal error: UBSAN: integer subtraction overflow: 00000000f2005515 [#1] PREEMPT SMP\\n | Modules linked in:\\n | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-00006-g3cbe9e5abd46-dirty #4\\n | Hardware name: linux,dummy-virt (DT)\\n | pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n | pc : cancel_delayed_work+0x34/0x44\\n | lr : cancel_delayed_work+0x2c/0x44\\n | sp : ffff80008002ba60\\n | x29: ffff80008002ba60 x28: 0000000000000000 x27: 0000000000000000\\n | x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\\n | x23: 0000000000000000 x22: 0000000000000000 x21: ffff1f65014cd3c0\\n | x20: ffffc0e84c9d0da0 x19: ffffc0e84cab3558 x18: ffff800080009058\\n | x17: 00000000247ee1f8 x16: 00000000247ee1f8 x15: 00000000bdcb279d\\n | x14: 0000000000000001 x13: 0000000000000075 x12: 00000a0000000000\\n | x11: ffff1f6501499018 x10: 00984901651fffff x9 : ffff5e7cc35af000\\n | x8 : 0000000000000001 x7 : 3d4d455453595342 x6 : 000000004e514553\\n | x5 : ffff1f6501499265 x4 : ffff1f650ff60b10 x3 : 0000000000000620\\n | x2 : ffff80008002ba78 x1 : 0000000000000000 x0 : 0000000000000000\\n | Call trace:\\n | cancel_delayed_work+0x34/0x44\\n | deferred_probe_extend_timeout+0x20/0x70\\n | driver_register+0xa8/0x110\\n | __platform_driver_register+0x28/0x3c\\n | syscon_init+0x24/0x38\\n | do_one_initcall+0xe4/0x338\\n | do_initcall_level+0xac/0x178\\n | do_initcalls+0x5c/0xa0\\n | do_basic_setup+0x20/0x30\\n | kernel_init_freeable+0x8c/0xf8\\n | kernel_init+0x28/0x1b4\\n | ret_from_fork+0x10/0x20\\n | Code: f9000fbf 97fffa2f 39400268 37100048 (d42aa2a0)\\n | ---[ end trace 0000000000000000 ]---\\n | Kernel panic - not syncing: UBSAN: integer subtraction overflow: Fatal exception\\n\\nThis is due to shift_and_mask() using a signed immediate to construct\\nthe mask and being called with a shift of 31 (WORK_OFFQ_POOL_SHIFT) so\\nthat it ends up decrementing from INT_MIN.\\n\\nUse an unsigned constant \u00271U\u0027 to generate the mask in shift_and_mask().\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: workqueue: Se corrige el error de \u0027desbordamiento de sustracci\u00f3n\u0027 de UBSAN en shift_and_mask() UBSAN informa el siguiente error de \u0027desbordamiento de sustracci\u00f3n\u0027 al arrancar en una m\u00e1quina virtual en Android: | Error interno: UBSAN: desbordamiento de sustracci\u00f3n de enteros: 00000000f2005515 [#1] PREEMPT SMP | M\u00f3dulos vinculados en: | CPU: 0 PID: 1 Comm: swapper/0 No contaminado 6.10.0-00006-g3cbe9e5abd46-dirty #4 | Nombre del hardware: linux,dummy-virt (DT) | pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : cancel_delayed_work+0x34/0x44 | lr : cancelar_trabajo_retrasado+0x2c/0x44 | sp : ffff80008002ba60 | x29: ffff80008002ba60 x28: 0000000000000000 x27: 0000000000000000 | x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 | x23: 0000000000000000 x22: 0000000000000000 x21: ffff1f65014cd3c0 | x20: ffffc0e84c9d0da0 x19: ffffc0e84cab3558 x18: ffff800080009058 | x17: 00000000247ee1f8 x16: 00000000247ee1f8 x15: 00000000bdcb279d | x14: 0000000000000001 x13: 0000000000000075 x12: 00000a0000000000 | x11: ffff1f6501499018 x10: 00984901651fffff x9 : ffff5e7cc35af000 | x8 : 0000000000000001 x7 : 3d4d455453595342 x6 : 000000004e514553 | x5 : ffff1f6501499265 x4 : ffff1f650ff60b10 x3 : 0000000000000620 | x2 : ffff80008002ba78 x1 : 0000000000000000 x0 : 0000000000000000 | Rastreo de llamadas: | cancel_delayed_work+0x34/0x44 | deferred_probe_extend_timeout+0x20/0x70 | driver_register+0xa8/0x110 | __platform_driver_register+0x28/0x3c | syscon_init+0x24/0x38 | hacer_una_initcall+0xe4/0x338 | hacer_initcall_level+0xac/0x178 | hacer_initcalls+0x5c/0xa0 | hacer_configuraci\u00f3n_b\u00e1sica+0x20/0x30 | kernel_init_freeable+0x8c/0xf8 | kernel_init+0x28/0x1b4 | ret_from_fork+0x10/0x20 | C\u00f3digo: f9000fbf 97fffa2f 39400268 37100048 (d42aa2a0) | ---[ fin de seguimiento 000000000000000 ]--- | P\u00e1nico del n\u00facleo: no se sincroniza: UBSAN: desbordamiento de sustracci\u00f3n de enteros: excepci\u00f3n fatal Esto se debe a que shift_and_mask() usa una funci\u00f3n inmediata con signo para construir la m\u00e1scara y se la llama con un desplazamiento de 31 (WORK_OFFQ_POOL_SHIFT), por lo que termina disminuyendo desde INT_MIN. Use una constante sin signo \u00271U\u0027 para generar la m\u00e1scara en shift_and_mask().\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-190\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.10\",\"versionEndExcluding\":\"6.10.7\",\"matchCriteriaId\":\"E55C1263-DF43-41EF-8DA8-2BA68DF4FFFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0005AEF-856E-47EB-BFE4-90C46899394D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"39889A68-6D34-47A6-82FC-CD0BF23D6754\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/38f7e14519d39cf524ddc02d4caee9b337dad703\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/90a6a844b2d9927d192758438a4ada33d8cd9de5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.