CVE-2024-38661
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/ap: Fix crash in AP internal function modify_bitmap()
A system crash like this
Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403 Fault in home space mode while using kernel ASCE. AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d Oops: 0038 ilc:3 [#1] PREEMPT SMP Modules linked in: mlx5_ib … CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8 Hardware name: IBM 3931 A01 704 (LPAR) Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3 000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0 000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff 000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8 Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a 0000014b75e7b600: 18b2 lr %r11,%r2 #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616 >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13) 0000014b75e7b60c: a7680001 lhi %r6,1 0000014b75e7b610: 187b lr %r7,%r11 0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654 0000014b75e7b616: 18e9 lr %r14,%r9 Call Trace: [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8 ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8) [<0000014b75e7b758>] apmask_store+0x68/0x140 [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8 [<0000014b75598524>] vfs_write+0x1b4/0x448 [<0000014b7559894c>] ksys_write+0x74/0x100 [<0000014b7618a440>] __do_syscall+0x268/0x328 [<0000014b761a3558>] system_call+0x70/0x98 INFO: lockdep is turned off. Last Breaking-Event-Address: [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8 Kernel panic - not syncing: Fatal exception: panic_on_oops
occured when /sys/bus/ap/a[pq]mask was updated with a relative mask value (like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.
The fix is simple: use unsigned long values for the internal variables. The correct checks are already in place in the function but a simple int for the internal variables was used with the possibility to overflow.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 3d8f60d38e249f989a7fca9c2370c31c3d5487e1 < 2062e3f1f2374102f8014d7ca286b9aa527bd558 | affected |
| Linux | Linux | 3d8f60d38e249f989a7fca9c2370c31c3d5487e1 < 7c72af16abf2ec7520407098360bbba312289e05 | affected |
| Linux | Linux | 3d8f60d38e249f989a7fca9c2370c31c3d5487e1 < 7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0 | affected |
| Linux | Linux | 3d8f60d38e249f989a7fca9c2370c31c3d5487e1 < 67011123453b91ec03671d40712fa213e94a01b9 | affected |
| Linux | Linux | 3d8f60d38e249f989a7fca9c2370c31c3d5487e1 < 8c5f5911c1b13170d3404eb992c6a0deaa8d81ad | affected |
| Linux | Linux | 3d8f60d38e249f989a7fca9c2370c31c3d5487e1 < 4c0bfb4e867c1ec6616a5049bd3618021e127056 | affected |
| Linux | Linux | 3d8f60d38e249f989a7fca9c2370c31c3d5487e1 < 7dabe54a016defe11bb2a278cd9f1ff6db3feba6 | affected |
| Linux | Linux | 3d8f60d38e249f989a7fca9c2370c31c3d5487e1 < d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9 | affected |
| Linux | Linux | 4.19 | affected |
| Linux | Linux | 0 < 4.19 | unaffected |
| Linux | Linux | 4.19.316 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.278 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.219 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.161 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.94 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.34 <= 6.6.* | unaffected |
| Linux | Linux | 6.9.5 <= 6.9.* | unaffected |
| Linux | Linux | 6.10 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/2062e3f1f2374102f8014d7ca286b9aa527bd558
- https://git.kernel.org/stable/c/7c72af16abf2ec7520407098360bbba312289e05
- https://git.kernel.org/stable/c/7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0
- https://git.kernel.org/stable/c/67011123453b91ec03671d40712fa213e94a01b9
- https://git.kernel.org/stable/c/8c5f5911c1b13170d3404eb992c6a0deaa8d81ad
- https://git.kernel.org/stable/c/4c0bfb4e867c1ec6616a5049bd3618021e127056
- https://git.kernel.org/stable/c/7dabe54a016defe11bb2a278cd9f1ff6db3feba6
- https://git.kernel.org/stable/c/d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/2062e3f1f2374102f8014d7ca286b9aa527bd558
- https://git.kernel.org/stable/c/7c72af16abf2ec7520407098360bbba312289e05
- https://git.kernel.org/stable/c/7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0
- https://git.kernel.org/stable/c/67011123453b91ec03671d40712fa213e94a01b9
- https://git.kernel.org/stable/c/8c5f5911c1b13170d3404eb992c6a0deaa8d81ad
- https://git.kernel.org/stable/c/4c0bfb4e867c1ec6616a5049bd3618021e127056
- https://git.kernel.org/stable/c/7dabe54a016defe11bb2a278cd9f1ff6db3feba6
- https://git.kernel.org/stable/c/d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.