CVE-2024-35985

sched/eevdf: Prevent vlag from going out of bounds in reweight_eevdf()

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

sched/eevdf: Prevent vlag from going out of bounds in reweight_eevdf()

It was possible to have pick_eevdf() return NULL, which then causes a
NULL-deref. This turned out to be due to entity_eligible() returning
falsely negative because of a s64 multiplcation overflow.

Specifically, reweight_eevdf() computes the vlag without considering
the limit placed upon vlag as update_entity_lag() does, and then the
scaling multiplication (remember that weight is 20bit fixed point) can
overflow. This then leads to the new vruntime being weird which then
causes the above entity_eligible() to go side-ways and claim nothing
is eligible.

Thus limit the range of vlag accordingly.

All this was quite rare, but fatal when it does happen.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: sched/eevdf: evita que vlag se salga de los límites en reweight_eevdf(). Era posible que pick_eevdf() devolviera NULL, lo que luego causa un NULL-deref. Esto resultó ser debido a que entidad_eligible() devolvió un resultado falso negativo debido a un desbordamiento de multiplicación s64. Específicamente, reweight_eevdf() calcula el vlag sin considerar el límite impuesto a vlag como lo hace update_entity_lag(), y luego la multiplicación de escala (recuerde que el peso es un punto fijo de 20 bits) puede desbordarse. Esto luego lleva a que el nuevo vruntime sea extraño, lo que luego hace que la entidad_eligible() anterior se desvíe y afirme que nada es elegible. Por lo tanto, limite el rango de vlag en consecuencia. Todo esto fue bastante raro, pero fatal cuando sucede.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-20 CVE Published
2024-05-21 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (5)

URL	Tag	Source
https://git.kernel.org/stable/c/14204acc09f652169baed1141c671429047b1313	Vuln. Introduced
https://git.kernel.org/stable/c/eab03c23c2a162085b13200d7942fc5a00b5ccc8	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/470d347b14b0ecffa9b39cf8f644fa2351db3efb	2024-05-02
https://git.kernel.org/stable/c/06f27e6d7bf0abf54488259ef36bbf0e1fccb35c	2024-05-02
https://git.kernel.org/stable/c/1560d1f6eb6b398bddd80c16676776c0325fe5fe	2024-04-22

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.4 < 6.6.30 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.4 < 6.6.30"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.8.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.8.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.9"		en		Affected