CVE-2024-35985

Summary

In the Linux kernel, the following vulnerability has been resolved:

sched/eevdf: Prevent vlag from going out of bounds in reweight_eevdf()

It was possible to have pick_eevdf() return NULL, which then causes a NULL-deref. This turned out to be due to entity_eligible() returning falsely negative because of a s64 multiplcation overflow.

Specifically, reweight_eevdf() computes the vlag without considering the limit placed upon vlag as update_entity_lag() does, and then the scaling multiplication (remember that weight is 20bit fixed point) can overflow. This then leads to the new vruntime being weird which then causes the above entity_eligible() to go side-ways and claim nothing is eligible.

Thus limit the range of vlag accordingly.

All this was quite rare, but fatal when it does happen.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux14204acc09f652169baed1141c671429047b1313 < 470d347b14b0ecffa9b39cf8f644fa2351db3efbaffected
LinuxLinuxeab03c23c2a162085b13200d7942fc5a00b5ccc8 < 06f27e6d7bf0abf54488259ef36bbf0e1fccb35caffected
LinuxLinuxeab03c23c2a162085b13200d7942fc5a00b5ccc8 < 1560d1f6eb6b398bddd80c16676776c0325fe5feaffected
LinuxLinux6.6.4 < 6.6.30affected
LinuxLinux6.7affected
LinuxLinux0 < 6.7unaffected
LinuxLinux6.6.30 <= 6.6.*unaffected
LinuxLinux6.8.9 <= 6.8.*unaffected
LinuxLinux6.9 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References