NULL Pointer Dereference Affecting kernel-uek-debug-devel package, versions <0:5.4.17-2136.337.5.el7uek


Severity

Recommended
high

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.04% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ORACLE7-KERNELUEKDEBUGDEVEL-8370885
  • published14 Nov 2024
  • disclosed21 Oct 2024

Introduced: 21 Oct 2024

CVE-2024-49863  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Oracle:7 kernel-uek-debug-devel to version 0:5.4.17-2136.337.5.el7uek or higher.
This issue was patched in ELSA-2024-12813.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-uek-debug-devel package and not the kernel-uek-debug-devel package as distributed by Oracle. See How to fix? for Oracle:7 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()

Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from control queue handler") a null pointer dereference bug can be triggered when guest sends an SCSI AN request.

In vhost_scsi_ctl_handle_vq(), vc.target is assigned with &amp;v_req.tmf.lun[1] within a switch-case block and is then passed to vhost_scsi_get_req() which extracts vc-&gt;req and tpg. However, for a VIRTIO_SCSI_T_AN_* request, tpg is not required, so vc.target is set to NULL in this branch. Later, in vhost_scsi_get_req(), vc-&gt;target is dereferenced without being checked, leading to a null pointer dereference bug. This bug can be triggered from guest.

When this bug occurs, the vhost_worker process is killed while holding vq-&gt;mutex and the corresponding tpg will remain occupied indefinitely.

Below is the KASAN report: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1 Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:vhost_scsi_get_req+0x165/0x3a0 Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b6 04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00 RSP: 0018:ffff888017affb50 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8 RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000 FS: 000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0 Call Trace: <TASK> ? show_regs+0x86/0xa0 ? die_addr+0x4b/0xd0 ? exc_general_protection+0x163/0x260 ? asm_exc_general_protection+0x27/0x30 ? vhost_scsi_get_req+0x165/0x3a0 vhost_scsi_ctl_handle_vq+0x2a4/0xca0 ? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10 ? __switch_to+0x721/0xeb0 ? __schedule+0xda5/0x5710 ? __kasan_check_write+0x14/0x30 ? _raw_spin_lock+0x82/0xf0 vhost_scsi_ctl_handle_kick+0x52/0x90 vhost_run_work_list+0x134/0x1b0 vhost_task_fn+0x121/0x350 ... </TASK> ---[ end trace 0000000000000000 ]---

Let's add a check in vhost_scsi_get_req.

[whitespace fixes]

CVSS Scores

version 3.1