CVE-2024-50223

一、漏洞信息
 漏洞编号：[CVE-2024-50223](https://nvd.nist.gov/vuln/detail/CVE-2024-50223)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.1.8,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：5.5 Medium
  Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:sched/numa: Fix the potential null pointer dereference in task_numa_work()When running stress-ng-vm-segv test, we found a null pointer dereferenceerror in task_numa_work(). Here is the backtrace:  [323676.066985] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020  ......  [323676.067108] CPU: 35 PID: 2694524 Comm: stress-ng-vm-se  ......  [323676.067113] pstate: 23401009 (nzCv daif +PAN -UAO +TCO +DIT +SSBS BTYPE=--)  [323676.067115] pc : vma_migratable+0x1c/0xd0  [323676.067122] lr : task_numa_work+0x1ec/0x4e0  [323676.067127] sp : ffff8000ada73d20  [323676.067128] x29: ffff8000ada73d20 x28: 0000000000000000 x27: 000000003e89f010  [323676.067130] x26: 0000000000080000 x25: ffff800081b5c0d8 x24: ffff800081b27000  [323676.067133] x23: 0000000000010000 x22: 0000000104d18cc0 x21: ffff0009f7158000  [323676.067135] x20: 0000000000000000 x19: 0000000000000000 x18: ffff8000ada73db8  [323676.067138] x17: 0001400000000000 x16: ffff800080df40b0 x15: 0000000000000035  [323676.067140] x14: ffff8000ada73cc8 x13: 1fffe0017cc72001 x12: ffff8000ada73cc8  [323676.067142] x11: ffff80008001160c x10: ffff000be639000c x9 : ffff8000800f4ba4  [323676.067145] x8 : ffff000810375000 x7 : ffff8000ada73974 x6 : 0000000000000001  [323676.067147] x5 : 0068000b33e26707 x4 : 0000000000000001 x3 : ffff0009f7158000  [323676.067149] x2 : 0000000000000041 x1 : 0000000000004400 x0 : 0000000000000000  [323676.067152] Call trace:  [323676.067153]  vma_migratable+0x1c/0xd0  [323676.067155]  task_numa_work+0x1ec/0x4e0  [323676.067157]  task_work_run+0x78/0xd8  [323676.067161]  do_notify_resume+0x1ec/0x290  [323676.067163]  el0_svc+0x150/0x160  [323676.067167]  el0t_64_sync_handler+0xf8/0x128  [323676.067170]  el0t_64_sync+0x17c/0x180  [323676.067173] Code: d2888001 910003fd f9000bf3 aa0003f3 (f9401000)  [323676.067177] SMP: stopping secondary CPUs  [323676.070184] Starting crashdump kernel...stress-ng-vm-segv in stress-ng is used to stress test the SIGSEGV errorhandling function of the system, which tries to cause a SIGSEGV error onreturn from unmapping the whole address space of the child process.Normally this program will not cause kernel crashes. But before themunmap system call returns to user mode, a potential task_numa_work()for numa balancing could be added and executed. In this scenario, since thechild process has no vma after munmap, the vma_next() in task_numa_work()will return a null pointer even if the vma iterator restarts from 0.Recheck the vma pointer before dereferencing it in task_numa_work().
 漏洞公开时间：2024-11-09 19:15:07
 漏洞创建时间：2024-11-09 19:36:49
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-50223
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/9c70b2a33cd2aa6a5a59c5523ef053bd42265209 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ade91f6e9848b370add44d89c976e070ccb492ef |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/c60d98ef7078fc3e22b48e98eae7a897d88494ee |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-50223 | https://bugzilla.suse.com/show_bug.cgi?id=1233192 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-50223.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1233192 |
| suse_bugzilla | https://git.kernel.org/stable/c/ade91f6e9848b370add44d89c976e070ccb492ef | https://bugzilla.suse.com/show_bug.cgi?id=1233192 |
| suse_bugzilla | https://git.kernel.org/stable/c/c60d98ef7078fc3e22b48e98eae7a897d88494ee | https://bugzilla.suse.com/show_bug.cgi?id=1233192 |
| suse_bugzilla | https://git.kernel.org/stable/c/9c70b2a33cd2aa6a5a59c5523ef053bd42265209 | https://bugzilla.suse.com/show_bug.cgi?id=1233192 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-50223 | https://bugzilla.suse.com/show_bug.cgi?id=1233192 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024110927-CVE-2024-50223-c11b@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2324868 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:11486 | https://bugzilla.redhat.com/show_bug.cgi?id=2324868 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-50223 |
| mageia |  | http://advisories.mageia.org/MGASA-2024-0368.html |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://git.kernel.org/stable/c/9c70b2a33cd2aa6a5a59c5523ef053bd42265209 |  | nvd |
|  |  | https://git.kernel.org/stable/c/ade91f6e9848b370add44d89c976e070ccb492ef |  | nvd |
|  |  | https://git.kernel.org/stable/c/c60d98ef7078fc3e22b48e98eae7a897d88494ee |  | nvd |
| linux_kernel | 6.6.60 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ade91f6e9848Issue | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=214dbc428137 | linuxkernelcves |
| linux_kernel | 6.11.7 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c60d98ef7078Issue | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=214dbc428137 | linuxkernelcves |
| linux_kernel | 6.12-rc6 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9c70b2a33cd2Please | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=214dbc428137 | linuxkernelcves |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:sched/numa: Fix the potential null pointer dereference in task_numa_work()When running stress-ng-vm-segv test, we found a null pointer dereferenceerror in task_numa_work(). Here is the backtrace:  [323676.066985] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020  ......  [323676.067108] CPU: 35 PID: 2694524 Comm: stress-ng-vm-se  ......  [323676.067113] pstate: 23401009 (nzCv daif +PAN -UAO +TCO +DIT +SSBS BTYPE=--)  [323676.067115] pc : vma_migratable+0x1c/0xd0  [323676.067122] lr : task_numa_work+0x1ec/0x4e0  [323676.067127] sp : ffff8000ada73d20  [323676.067128] x29: ffff8000ada73d20 x28: 0000000000000000 x27: 000000003e89f010  [323676.067130] x26: 0000000000080000 x25: ffff800081b5c0d8 x24: ffff800081b27000  [323676.067133] x23: 0000000000010000 x22: 0000000104d18cc0 x21: ffff0009f7158000  [323676.067135] x20: 0000000000000000 x19: 0000000000000000 x18: ffff8000ada73db8  [323676.067138] x17: 0001400000000000 x16: ffff800080df40b0 x15: 0000000000000035  [323676.067140] x14: ffff8000ada73cc8 x13: 1fffe0017cc72001 x12: ffff8000ada73cc8  [323676.067142] x11: ffff80008001160c x10: ffff000be639000c x9 : ffff8000800f4ba4  [323676.067145] x8 : ffff000810375000 x7 : ffff8000ada73974 x6 : 0000000000000001  [323676.067147] x5 : 0068000b33e26707 x4 : 0000000000000001 x3 : ffff0009f7158000  [323676.067149] x2 : 0000000000000041 x1 : 0000000000004400 x0 : 0000000000000000  [323676.067152] Call trace:  [323676.067153]  vma_migratable+0x1c/0xd0  [323676.067155]  task_numa_work+0x1ec/0x4e0  [323676.067157]  task_work_run+0x78/0xd8  [323676.067161]  do_notify_resume+0x1ec/0x290  [323676.067163]  el0_svc+0x150/0x160  [323676.067167]  el0t_64_sync_handler+0xf8/0x128  [323676.067170]  el0t_64_sync+0x17c/0x180  [323676.067173] Code: d2888001 910003fd f9000bf3 aa0003f3 (f9401000)  [323676.067177] SMP: stopping secondary CPUs  [323676.070184] Starting crashdump kernel...stress-ng-vm-segv in stress-ng is used to stress test the SIGSEGV errorhandling function of the system, which tries to cause a SIGSEGV error onreturn from unmapping the whole address space of the child process.Normally this program will not cause kernel crashes. But before themunmap system call returns to user mode, a potential task_numa_work()for numa balancing could be added and executed. In this scenario, since thechild process has no vma after munmap, the vma_next() in task_numa_work()will return a null pointer even if the vma iterator restarts from 0.Recheck the vma pointer before dereferencing it in task_numa_work().
 openEuler评分：
  5.5
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-24.03-LTS(6.6.0):受影响
2.openEuler-24.03-LTS-SP1(6.6.0):受影响
3.openEuler-20.03-LTS-SP4(4.19.90):不受影响
4.openEuler-22.03-LTS-SP3(5.10.0):不受影响
5.openEuler-22.03-LTS-SP4(5.10.0):不受影响
6.master(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.6.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否
8.openEuler-24.03-LTS-SP1(6.6.0):否

原因说明：
  1.openEuler-24.03-LTS(6.6.0):正常修复
2.openEuler-24.03-LTS-SP1(6.6.0):正常修复
3.master(6.6.0):不受影响-漏洞代码不能被攻击者触发
4.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发
5.openEuler-20.03-LTS-SP4(4.19.90):不受影响-漏洞代码不存在
6.openEuler-22.03-LTS-SP3(5.10.0):不受影响-漏洞代码不存在
7.openEuler-22.03-LTS-SP4(5.10.0):不受影响-漏洞代码不存在

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2024-2492

src-openEuler/kernel

Content Risk Flag

Comments (11)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2024-50223

Comments (11)

Search

src-openEuler/kernel