Out-of-bounds Read Affecting kernel-rt-trace package, versions *


Severity

Recommended
medium

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL7-KERNELRTTRACE-7761780
  • published21 Aug 2024
  • disclosed17 Aug 2024

Introduced: 17 Aug 2024

CVE-2024-42293  (opens in a new tab)
CWE-125  (opens in a new tab)
First added by Snyk

How to fix?

There is no fixed version for RHEL:7 kernel-rt-trace.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-rt-trace package and not the kernel-rt-trace package as distributed by RHEL. See How to fix? for RHEL:7 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

arm64: mm: Fix lockless walks with static and dynamic page-table folding

Lina reports random oopsen originating from the fast GUP code when 16K pages are used with 4-level page-tables, the fourth level being folded at runtime due to lack of LPA2.

In this configuration, the generic implementation of p4d_offset_lockless() will return a 'p4d_t *' corresponding to the 'pgd_t' allocated on the stack of the caller, gup_fast_pgd_range(). This is normally fine, but when the fourth level of page-table is folded at runtime, pud_offset_lockless() will offset from the address of the 'p4d_t' to calculate the address of the PUD in the same page-table page. This results in a stray stack read when the 'p4d_t' has been allocated on the stack and can send the walker into the weeds.

Fix the problem by providing our own definition of p4d_offset_lockless() when CONFIG_PGTABLE_LEVELS <= 4 which returns the real page-table pointer rather than the address of the local stack variable.

CVSS Scores

version 3.1