CVE-2024-35815

fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion The first kiocb_set_cancel_fn() argument may point at a struct kiocb
that is not embedded inside struct aio_kiocb. With the current code,
depending on the compiler, the req->ki_ctx read happens either before
the IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such
that it is guaranteed that the IOCB_AIO_RW test happens first.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: fs/aio: verifique IOCB_AIO_RW antes de la conversión de struct aio_kiocb. El primer argumento kiocb_set_cancel_fn() puede apuntar a una estructura kiocb que no está incrustada dentro de struct aio_kiocb. Con el código actual, dependiendo del compilador, la lectura req->ki_ctx ocurre antes de la prueba IOCB_AIO_RW o después de esa prueba. Mueva la lectura req->ki_ctx de modo que se garantice que la prueba IOCB_AIO_RW se realice primero.

In the Linux kernel, the following vulnerability has been resolved: fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion The first kiocb_set_cancel_fn() argument may point at a struct kiocb that is not embedded inside struct aio_kiocb. With the current code, depending on the compiler, the req->ki_ctx read happens either before the IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such that it is guaranteed that the IOCB_AIO_RW test happens first.

Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Gui-Dong Han discovered that the software RAID driver in the Linux kernel contained a race condition, leading to an integer overflow vulnerability. A privileged attacker could possibly use this to cause a denial of service.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-17 CVE Published
2024-12-19 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (17)

URL	Tag	Source
https://git.kernel.org/stable/c/337b543e274fe7a8f47df3c8293cc6686ffa620f	Vuln. Introduced
https://git.kernel.org/stable/c/b4eea7a05ee0ab5ab0514421e6ba8c5d249cf942	Vuln. Introduced
https://git.kernel.org/stable/c/ea1cd64d59f22d6d13f367d62ec6e27b9344695f	Vuln. Introduced
https://git.kernel.org/stable/c/d7b6fa97ec894edd02f64b83e5e72e1aa352f353	Vuln. Introduced
https://git.kernel.org/stable/c/18f614369def2a11a52f569fe0f910b199d13487	Vuln. Introduced
https://git.kernel.org/stable/c/e7e23fc5d5fe422827c9a43ecb579448f73876c7	Vuln. Introduced
https://git.kernel.org/stable/c/1dc7d74fe456944a9b1c57bd776280249f441ac6	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/10ca82aff58434e122c7c757cf0497c335f993f3	2024-04-13
https://git.kernel.org/stable/c/396dbbc18963648e9d1a4edbb55cfe08fa374d50	2024-04-13
https://git.kernel.org/stable/c/94eb0293703ced580f05dfbe5a57da5931e9aee2	2024-04-13
https://git.kernel.org/stable/c/a71cba07783abc76b547568b6452cd1dd9981410	2024-04-10
https://git.kernel.org/stable/c/18d5fc3c16cc317bd0e5f5dabe0660df415cadb7	2024-04-03
https://git.kernel.org/stable/c/c01ed748847fe8b810d86efc229b9e6c7fafa01e	2024-04-03
https://git.kernel.org/stable/c/5c43d0041e3a05c6c41c318b759fff16d2384596	2024-04-03
https://git.kernel.org/stable/c/961ebd120565cb60cebe21cb634fbc456022db4a	2024-03-05

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19.308 < 4.19.312 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.308 < 4.19.312"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.270 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.270 < 5.4.274"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.211 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.211 < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.150 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.150 < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.80 < 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.80 < 6.1.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.19 < 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.19 < 6.6.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7.7 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7.7 < 6.7.12"		en		Affected