Ubuntu: (Multiple Advisories) (CVE-2024-36892): Linux kernel vulnerabilities

Ubuntu: (Multiple Advisories) (CVE-2024-36892): Linux kernel vulnerabilities

Severity

4

CVSS

(AV:L/AC:M/Au:N/C:P/I:P/A:P)

Published

05/30/2024

Created

08/10/2024

Added

08/09/2024

Modified

01/23/2025

Description

In the Linux kernel, the following vulnerability has been resolved: mm/slub: avoid zeroing outside-object freepointer for single free Commit 284f17ac13fe ("mm/slub: handle bulk and single object freeing separately") splits single and bulk object freeing in two functions slab_free() and slab_free_bulk() which leads slab_free() to call slab_free_hook() directly instead of slab_free_freelist_hook(). If `init_on_free` is set, slab_free_hook() zeroes the object. Afterward, if `slub_debug=F` and `CONFIG_SLAB_FREELIST_HARDENED` are set, the do_slab_free() slowpath executes freelist consistency checks and try to decode a zeroed freepointer which leads to a "Freepointer corrupt" detection in check_object(). During bulk free, slab_free_freelist_hook() isn't affected as it always sets it objects freepointer using set_freepointer() to maintain its reconstructed freelist after `init_on_free`. For single free, object's freepointer thus needs to be avoided when stored outside the object if `init_on_free` is set. The freepointer left as is, check_object() may later detect an invalid pointer value due to objects overflow. To reproduce, set `slub_debug=FU init_on_free=1 log_level=7` on the command line of a kernel build with `CONFIG_SLAB_FREELIST_HARDENED=y`. dmesg sample log: [ 10.708715] ============================================================================= [ 10.710323] BUG kmalloc-rnd-05-32 (Tainted: GB T ): Freepointer corrupt [ 10.712695] ----------------------------------------------------------------------------- [ 10.712695] [ 10.712695] Slab 0xffffd8bdc400d580 objects=32 used=4 fp=0xffff9d9a80356f80 flags=0x200000000000a00(workingset|slab|node=0|zone=2) [ 10.716698] Object 0xffff9d9a80356600 @offset=1536 fp=0x7ee4f480ce0ecd7c [ 10.716698] [ 10.716698] Bytes b4 ffff9d9a803565f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................ [ 10.720703] Object ffff9d9a80356600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................ [ 10.720703] Object ffff9d9a80356610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................ [ 10.724696] Paddingffff9d9a8035666c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................ [ 10.724696] Paddingffff9d9a8035667c: 00 00 00 00.... [ 10.724696] FIX kmalloc-rnd-05-32: Object at 0xffff9d9a80356600 not freed

Solution(s)

• ubuntu-upgrade-linux-image-6-8-0-1008-gke
• ubuntu-upgrade-linux-image-6-8-0-1009-raspi
• ubuntu-upgrade-linux-image-6-8-0-1010-ibm
• ubuntu-upgrade-linux-image-6-8-0-1010-oem
• ubuntu-upgrade-linux-image-6-8-0-1010-oracle
• ubuntu-upgrade-linux-image-6-8-0-1010-oracle-64k
• ubuntu-upgrade-linux-image-6-8-0-1011-nvidia
• ubuntu-upgrade-linux-image-6-8-0-1011-nvidia-64k
• ubuntu-upgrade-linux-image-6-8-0-1011-nvidia-lowlatency
• ubuntu-upgrade-linux-image-6-8-0-1011-nvidia-lowlatency-64k
• ubuntu-upgrade-linux-image-6-8-0-1012-azure
• ubuntu-upgrade-linux-image-6-8-0-1012-azure-fde
• ubuntu-upgrade-linux-image-6-8-0-1012-gcp
• ubuntu-upgrade-linux-image-6-8-0-1013-aws
• ubuntu-upgrade-linux-image-6-8-0-40-generic
• ubuntu-upgrade-linux-image-6-8-0-40-generic-64k
• ubuntu-upgrade-linux-image-6-8-0-40-lowlatency
• ubuntu-upgrade-linux-image-6-8-0-40-lowlatency-64k
• ubuntu-upgrade-linux-image-aws
• ubuntu-upgrade-linux-image-azure
• ubuntu-upgrade-linux-image-azure-fde
• ubuntu-upgrade-linux-image-gcp
• ubuntu-upgrade-linux-image-generic
• ubuntu-upgrade-linux-image-generic-64k
• ubuntu-upgrade-linux-image-generic-64k-hwe-24-04
• ubuntu-upgrade-linux-image-generic-hwe-24-04
• ubuntu-upgrade-linux-image-generic-lpae
• ubuntu-upgrade-linux-image-gke
• ubuntu-upgrade-linux-image-ibm
• ubuntu-upgrade-linux-image-ibm-classic
• ubuntu-upgrade-linux-image-ibm-lts-24-04
• ubuntu-upgrade-linux-image-kvm
• ubuntu-upgrade-linux-image-lowlatency
• ubuntu-upgrade-linux-image-lowlatency-64k
• ubuntu-upgrade-linux-image-nvidia
• ubuntu-upgrade-linux-image-nvidia-6-8
• ubuntu-upgrade-linux-image-nvidia-64k
• ubuntu-upgrade-linux-image-nvidia-64k-6-8
• ubuntu-upgrade-linux-image-nvidia-lowlatency
• ubuntu-upgrade-linux-image-nvidia-lowlatency-64k
• ubuntu-upgrade-linux-image-oem-24-04
• ubuntu-upgrade-linux-image-oem-24-04a
• ubuntu-upgrade-linux-image-oracle
• ubuntu-upgrade-linux-image-oracle-64k
• ubuntu-upgrade-linux-image-raspi
• ubuntu-upgrade-linux-image-virtual
• ubuntu-upgrade-linux-image-virtual-hwe-24-04

References

• https://attackerkb.com/topics/cve-2024-36892
• CVE - 2024-36892
• USN-6949-1
• USN-6949-2
• USN-6952-1
• USN-6952-2
• USN-6955-1