CVE-2024-35797 Affecting kernel-rt-debug-modules-core package, versions <0:5.14.0-427.35.1.el9_4
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RHEL9-KERNELRTDEBUGMODULESCORE-6869682
- published18 May 2024
- disclosed17 May 2024
Introduced: 17 May 2024
CVE-2024-35797 (opens in a new tab)How to fix?
Upgrade RHEL:9 kernel-rt-debug-modules-core to version 0:5.14.0-427.35.1.el9_4 or higher.
This issue was patched in RHSA-2024:6567.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-rt-debug-modules-core package and not the kernel-rt-debug-modules-core package as distributed by RHEL.
See How to fix? for RHEL:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
mm: cachestat: fix two shmem bugs
When cachestat on shmem races with swapping and invalidation, there are two possible bugs:
A swapin error can have resulted in a poisoned swap entry in the shmem inode's xarray. Calling get_shadow_from_swap_cache() on it will result in an out-of-bounds access to swapper_spaces[].
Validate the entry with non_swap_entry() before going further.
When we find a valid swap entry in the shmem's inode, the shadow entry in the swapcache might not exist yet: swap IO is still in progress and we're before __remove_mapping; swapin, invalidation, or swapoff have removed the shadow from swapcache after we saw the shmem swap entry.
This will send a NULL to workingset_test_recent(). The latter purely operates on pointer bits, so it won't crash - node 0, memcg ID 0, eviction timestamp 0, etc. are all valid inputs - but it's a bogus test. In theory that could result in a false "recently evicted" count.
Such a false positive wouldn't be the end of the world. But for code clarity and (future) robustness, be explicit about this case.
Bail on get_shadow_from_swap_cache() returning NULL.
References
- https://access.redhat.com/security/cve/CVE-2024-35797
- https://git.kernel.org/stable/c/24a0e73d544439bb9329fbbafac44299e548a677
- https://git.kernel.org/stable/c/b79f9e1ff27c994a4c452235ba09e672ec698e23
- https://git.kernel.org/stable/c/d5d39c707a4cf0bcc84680178677b97aa2cb2627
- https://git.kernel.org/stable/c/d962f6c583458037dc7e529659b2b02b9dd3d94b