NULL Pointer Dereference Affecting kernel-bootwrapper package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-CENTOS6-KERNELBOOTWRAPPER-6922702
- published20 May 2024
- disclosed19 May 2024
Introduced: 19 May 2024
CVE-2024-35902 (opens in a new tab)How to fix?
There is no fixed version for Centos:6 kernel-bootwrapper.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-bootwrapper package and not the kernel-bootwrapper package as distributed by Centos.
See How to fix? for Centos:6 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
net/rds: fix possible cp null dereference
cp might be null, calling cp->cp_conn would produce null dereference
[Simon Horman adds:]
Analysis:
cp is a parameter of __rds_rdma_map and is not reassigned.
The following call-sites pass a NULL cp argument to __rds_rdma_map()
- rds_get_mr()
- rds_get_mr_for_dest
Prior to the code above, the following assumes that cp may be NULL (which is indicative, but could itself be unnecessary)
trans_private = rs->rs_transport->get_mr( sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL, args->vec.addr, args->vec.bytes, need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);
The code modified by this patch is guarded by IS_ERR(trans_private), where trans_private is assigned as per the previous point in this analysis.
The only implementation of get_mr that I could locate is rds_ib_get_mr() which can return an ERR_PTR if the conn (4th) argument is NULL.
ret is set to PTR_ERR(trans_private). rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL. Thus ret may be -ENODEV in which case the code in question will execute.
Conclusion:
- cp may be NULL at the point where this patch adds a check; this patch does seem to address a possible bug
References
- https://access.redhat.com/security/cve/CVE-2024-35902
- https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b
- https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a
- https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d
- https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9
- https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196
- https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14
- https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c
- https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html