src-openEuler / kernel
CVE-2024-57926
Status: Completed
Issue #IBIQXB
Type: CVE and security issues
Opened by openeuler-ci-bot (owner)
Created 2025-01-19 21:35
I. Vulnerability information

Vulnerability ID: [CVE-2024-57926](https://nvd.nist.gov/vuln/detail/CVE-2024-57926)

Affected component: [kernel](https://gitee.com/src-openeuler/kernel)

Affected versions: 4.19.140, 4.19.194, 4.19.90, 5.10.0, 6.1.19, 6.1.8, 6.4.0, 6.6.0

CVSS V3.0 score:
BaseScore: 7.8 High
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability summary:

In the Linux kernel, the following vulnerability has been resolved:

drm/mediatek: Set private->all_drm_private[i]->drm to NULL if mtk_drm_bind returns err

The pointer needs to be set to NULL, otherwise KASAN complains about use-after-free. Because in mtk_drm_bind, all private's drm are set as follows.

`private->all_drm_private[i]->drm = drm;`

And drm will be released by drm_dev_put in case mtk_drm_kms_init returns failure. However, the shutdown path still accesses the previously allocated memory in drm_atomic_helper_shutdown.

```
[ 84.874820] watchdog: watchdog0: watchdog did not stop!
[ 86.512054] ==================================================================
[ 86.513162] BUG: KASAN: use-after-free in drm_atomic_helper_shutdown+0x33c/0x378
[ 86.514258] Read of size 8 at addr ffff0000d46fc068 by task shutdown/1
[ 86.515213]
[ 86.515455] CPU: 1 UID: 0 PID: 1 Comm: shutdown Not tainted 6.13.0-rc1-mtk+gfa1a78e5d24b-dirty #55
[ 86.516752] Hardware name: Unknown Product/Unknown Product, BIOS 2022.10 10/01/2022
[ 86.517960] Call trace:
[ 86.518333] show_stack+0x20/0x38 (C)
[ 86.518891] dump_stack_lvl+0x90/0xd0
[ 86.519443] print_report+0xf8/0x5b0
[ 86.519985] kasan_report+0xb4/0x100
[ 86.520526] __asan_report_load8_noabort+0x20/0x30
[ 86.521240] drm_atomic_helper_shutdown+0x33c/0x378
[ 86.521966] mtk_drm_shutdown+0x54/0x80
[ 86.522546] platform_shutdown+0x64/0x90
[ 86.523137] device_shutdown+0x260/0x5b8
[ 86.523728] kernel_restart+0x78/0xf0
[ 86.524282] __do_sys_reboot+0x258/0x2f0
[ 86.524871] __arm64_sys_reboot+0x90/0xd8
[ 86.525473] invoke_syscall+0x74/0x268
[ 86.526041] el0_svc_common.constprop.0+0xb0/0x240
[ 86.526751] do_el0_svc+0x4c/0x70
[ 86.527251] el0_svc+0x4c/0xc0
[ 86.527719] el0t_64_sync_handler+0x144/0x168
[ 86.528367] el0t_64_sync+0x198/0x1a0
[ 86.528920]
[ 86.529157] The buggy address belongs to the physical page:
[ 86.529972] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000d46fd4d0 pfn:0x1146fc
[ 86.531319] flags: 0xbfffc0000000000(node=0|zone=2|lastcpupid=0xffff)
[ 86.532267] raw: 0bfffc0000000000 0000000000000000 dead000000000122 0000000000000000
[ 86.533390] raw: ffff0000d46fd4d0 0000000000000000 00000000ffffffff 0000000000000000
[ 86.534511] page dumped because: kasan: bad access detected
[ 86.535323]
[ 86.535559] Memory state around the buggy address:
[ 86.536265] ffff0000d46fbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 86.537314] ffff0000d46fbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 86.538363] >ffff0000d46fc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 86.544733] ^
[ 86.551057] ffff0000d46fc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 86.557510] ffff0000d46fc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 86.563928] ==================================================================
[ 86.571093] Disabling lock debugging due to kernel taint
[ 86.577642] Unable to handle kernel paging request at virtual address e0e9c0920000000b
[ 86.581834] KASAN: maybe wild-memory-access in range [0x0752049000000058-0x075204900000005f]
...
```

Disclosure time: 2025-01-19 20:15:26

Creation time: 2025-01-19 21:35:55

Vulnerability detail reference link:
https://nvd.nist.gov/vuln/detail/CVE-2024-57926

<details>
<summary>More references (click to expand)</summary>

| Reference source | Reference link | Source link |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/078b2ff7da200b7532398e668eef723ad40fb516 | |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/36684e9d88a2e2401ae26715a2e217cb4295cea7 | |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/7083b93e9755d60f0c2bcaa9d064308108280534 | |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-57926 | https://bugzilla.suse.com/show_bug.cgi?id=1236082 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-57926 | https://bugzilla.suse.com/show_bug.cgi?id=1236082 |
| suse_bugzilla | https://git.kernel.org/stable/c/078b2ff7da200b7532398e668eef723ad40fb516 | https://bugzilla.suse.com/show_bug.cgi?id=1236082 |
| suse_bugzilla | https://git.kernel.org/stable/c/36684e9d88a2e2401ae26715a2e217cb4295cea7 | https://bugzilla.suse.com/show_bug.cgi?id=1236082 |
| suse_bugzilla | https://git.kernel.org/stable/c/7083b93e9755d60f0c2bcaa9d064308108280534 | https://bugzilla.suse.com/show_bug.cgi?id=1236082 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-57926.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1236082 |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2338856 | https://bugzilla.suse.com/show_bug.cgi?id=1236082 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2025011944-CVE-2024-57926-023f@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2338856 |
| debian | | https://security-tracker.debian.org/tracker/CVE-2024-57926 |
| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2024-57926 |
| mageia | | http://advisories.mageia.org/MGASA-2025-0030.html |

</details>

Vulnerability analysis guide link:
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

Vulnerability data source:
openBrain open-source vulnerability awareness system

Patch information:

<details>
<summary>Details (click to expand)</summary>

| Affected package | Fixed version | Fix patch | Introducing patch | Source |
| ------- | -------- | ------- | -------- | --------- |
| | | https://git.kernel.org/stable/c/078b2ff7da200b7532398e668eef723ad40fb516 | | nvd |
| | | https://git.kernel.org/stable/c/36684e9d88a2e2401ae26715a2e217cb4295cea7 | | nvd |
| | | https://git.kernel.org/stable/c/7083b93e9755d60f0c2bcaa9d064308108280534 | | nvd |
| linux_kernel | 6.6.72 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7083b93e9755d60f0c2bcaa9d064308108280534 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1ef7ed48356cd5f9af2b7671956991b658d8c2ba | linuxkernelcves |
| linux_kernel | 6.12.10 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=078b2ff7da200b7532398e668eef723ad40fb516 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1ef7ed48356cd5f9af2b7671956991b658d8c2ba | linuxkernelcves |
| linux_kernel | 6.13-rc7 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=36684e9d88a2e2401ae26715a2e217cb4295cea7 | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1ef7ed48356cd5f9af2b7671956991b658d8c2ba | linuxkernelcves |

</details>

II. Vulnerability analysis feedback

Impact analysis:

In the Linux kernel, the following vulnerability has been resolved:

drm/mediatek: Set private->all_drm_private[i]->drm to NULL if mtk_drm_bind returns err

The pointer needs to be set to NULL, otherwise KASAN complains about use-after-free. Because in mtk_drm_bind, all private's drm are set as follows.

`private->all_drm_private[i]->drm = drm;`

And drm will be released by drm_dev_put in case mtk_drm_kms_init returns failure. However, the shutdown path still accesses the previously allocated memory in drm_atomic_helper_shutdown.

The Linux kernel CVE team has assigned CVE-2024-57926 to this issue.

openEuler score:
7.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected version check (affected / not affected):
1. openEuler-24.03-LTS(6.6.0): affected
2. openEuler-24.03-LTS-SP1(6.6.0): affected
3. master(6.6.0): not affected
4. openEuler-20.03-LTS-SP4(4.19.90): not affected
5. openEuler-22.03-LTS-SP3(5.10.0): not affected
6. openEuler-22.03-LTS-SP4(5.10.0): not affected
7. openEuler-24.03-LTS-Next(6.6.0): not affected

Does the fix involve ABI changes (yes/no):
1. master(6.6.0): no
2. openEuler-20.03-LTS-SP4(4.19.90): no
3. openEuler-22.03-LTS-SP3(5.10.0): no
4. openEuler-22.03-LTS-SP4(5.10.0): no
5. openEuler-24.03-LTS(6.6.0): no
6. openEuler-24.03-LTS-Next(6.6.0): no
7. openEuler-24.03-LTS-SP1(6.6.0): no

Reason:
1. openEuler-24.03-LTS(6.6.0): fixed normally
2. openEuler-24.03-LTS-SP1(6.6.0): fixed normally
3. master(6.6.0): not affected - the vulnerable code cannot be triggered by an attacker
4. openEuler-24.03-LTS-Next(6.6.0): not affected - the vulnerable code cannot be triggered by an attacker
5. openEuler-20.03-LTS-SP4(4.19.90): not affected - the vulnerable code does not exist
6. openEuler-22.03-LTS-SP3(5.10.0): not affected - the vulnerable code does not exist
7. openEuler-22.03-LTS-SP4(5.10.0): not affected - the vulnerable code does not exist

III. Vulnerability fix

Security bulletin link: https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2025-1097
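A user-space C model of the error path described in the vulnerability summary, added here as an example; it is not the kernel patch or openEuler code. All struct and function names are hypothetical stand-ins, and the NULL check in the shutdown step is an assumption of the model; a static object with a `released` flag replaces real allocation so the stale pointer can be detected without touching freed memory.

```c
/* User-space model of the dangling-pointer pattern in CVE-2024-57926.
 * Every name here is a hypothetical stand-in, not a kernel definition. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_MMSYS_NUM 3           /* constructed: number of private structs */

struct model_drm {
    int  refcount;
    bool released;                  /* stands in for KASAN's "freed" state */
};

struct model_private {
    struct model_drm *drm;          /* plays the role of all_drm_private[i]->drm */
};

enum shutdown_result { SHUTDOWN_SKIPPED, SHUTDOWN_OK, SHUTDOWN_STALE };

/* One static object instead of malloc/free, so a stale pointer can be
 * reported without actually reading freed memory. */
static struct model_drm model_pool;

static struct model_drm *model_dev_alloc(void)
{
    model_pool.refcount = 1;
    model_pool.released = false;
    return &model_pool;
}

static void model_dev_put(struct model_drm *drm)
{
    if (--drm->refcount == 0)
        drm->released = true;
}

/* Bind: publish the device pointer to every private struct, then run an
 * init step that may fail. clear_on_error selects the fixed behaviour. */
int model_bind(struct model_private *all, size_t n,
               bool init_fails, bool clear_on_error)
{
    struct model_drm *drm = model_dev_alloc();
    size_t i;

    for (i = 0; i < n; i++)
        all[i].drm = drm;

    if (!init_fails)
        return 0;

    model_dev_put(drm);             /* last reference dropped: object is gone */
    if (clear_on_error)
        for (i = 0; i < n; i++)
            all[i].drm = NULL;      /* the fix: no pointer outlives the object */
    return -1;
}

/* Shutdown: assumed to skip its work only when the pointer is NULL. */
enum shutdown_result model_shutdown(const struct model_private *priv)
{
    if (priv->drm == NULL)
        return SHUTDOWN_SKIPPED;
    if (priv->drm->released)
        return SHUTDOWN_STALE;      /* in the kernel, this read is the KASAN report */
    return SHUTDOWN_OK;
}

/* Bind with the given options, then shut down through the last private struct. */
enum shutdown_result model_bind_then_shutdown(bool init_fails, bool clear_on_error)
{
    struct model_private all[MODEL_MMSYS_NUM] = {{NULL}};

    model_bind(all, MODEL_MMSYS_NUM, init_fails, clear_on_error);
    return model_shutdown(&all[MODEL_MMSYS_NUM - 1]);
}

int main(void)
{
    static const char *names[] = { "skipped", "ok", "stale pointer" };

    printf("init ok:              %s\n", names[model_bind_then_shutdown(false, false)]);
    printf("init fails, no clear: %s\n", names[model_bind_then_shutdown(true, false)]);
    printf("init fails, cleared:  %s\n", names[model_bind_then_shutdown(true, true)]);
    return 0;
}
```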
Assignee: sanglipeng
Labels: sig/Kernel, CVE/FIXED