CVE - CVE-2024-26870

CVE-ID
CVE-2024-26870	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102 A call to listxattr() with a buffer size = 0 returns the actual size of the buffer needed for a subsequent call. When size > 0, nfs4_listxattr() does not return an error because either generic_listxattr() or nfs4_listxattr_nfs4_label() consumes exactly all the bytes then size is 0 when calling nfs4_listxattr_nfs4_user() which then triggers the following kernel BUG: [ 99.403778] kernel BUG at mm/usercopy.c:102! [ 99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1 [ 99.415827] Call trace: [ 99.415985] usercopy_abort+0x70/0xa0 [ 99.416227] __check_heap_object+0x134/0x158 [ 99.416505] check_heap_object+0x150/0x188 [ 99.416696] __check_object_size.part.0+0x78/0x168 [ 99.416886] __check_object_size+0x28/0x40 [ 99.417078] listxattr+0x8c/0x120 [ 99.417252] path_listxattr+0x78/0xe0 [ 99.417476] __arm64_sys_listxattr+0x28/0x40 [ 99.417723] invoke_syscall+0x78/0x100 [ 99.417929] el0_svc_common.constprop.0+0x48/0xf0 [ 99.418186] do_el0_svc+0x24/0x38 [ 99.418376] el0_svc+0x3c/0x110 [ 99.418554] el0t_64_sync_handler+0x120/0x130 [ 99.418788] el0t_64_sync+0x194/0x198 [ 99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000) Issue is reproduced when generic_listxattr() returns 'system.nfs4_acl', thus calling lisxattr() with size = 16 will trigger the bug. Add check on nfs4_listxattr() to return ERANGE error when it is called with size > 0 and the return value is greater than size.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb URL:https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb MISC:https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf URL:https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf MISC:https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7bcfad65 URL:https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7bcfad65 MISC:https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b URL:https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b MISC:https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768 URL:https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768 MISC:https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf URL:https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf MISC:https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a URL:https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a
Assigning CNA
kernel.org
Date Record Created
20240219	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240219)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)