CVE-2024-36891

maple_tree: fix mas_empty_area_rev() null pointer dereference

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix mas_empty_area_rev() null pointer dereference Currently the code calls mas_start() followed by mas_data_end() if the
maple state is MA_START, but mas_start() may return with the maple state
node == NULL. This will lead to a null pointer dereference when checking
information in the NULL node, which is done in mas_data_end(). Avoid setting the offset if there is no node by waiting until after the
maple state is checked for an empty or single entry state. A user could trigger the events to cause a kernel oops by unmapping all
vmas to produce an empty maple tree, then mapping a vma that would cause
the scenario described above.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: maple_tree: corrige la desreferencia del puntero nulo mas_empty_area_rev() Actualmente el código llama a mas_start() seguido de mas_data_end() si el estado del arce es MA_START, pero mas_start() puede regresar con el estado del arce nodo == NULL. Esto dará lugar a una desreferencia del puntero nulo al verificar la información en el nodo NULL, lo cual se realiza en mas_data_end(). Evite establecer el desplazamiento si no hay ningún nodo esperando hasta que se verifique el estado del arce para detectar un estado vacío o de entrada única. Un usuario podría desencadenar los eventos para causar un kernel ups al desasignar todos los vmas para producir un árbol de arce vacío y luego mapear un vma que causaría el escenario descrito anteriormente.

In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix mas_empty_area_rev() null pointer dereference Currently the code calls mas_start() followed by mas_data_end() if the maple state is MA_START, but mas_start() may return with the maple state node == NULL. This will lead to a null pointer dereference when checking information in the NULL node, which is done in mas_data_end(). Avoid setting the offset if there is no node by waiting until after the maple state is checked for an empty or single entry state. A user could trigger the events to cause a kernel oops by unmapping all vmas to produce an empty maple tree, then mapping a vma that would cause the scenario described above.

Benedict SchlÃ¼ter, Supraja Sridhara, Andrin Bertschi, and Shweta Shinde discovered that an untrusted hypervisor could inject malicious #VC interrupts and compromise the security guarantees of AMD SEV-SNP. This flaw is known as WeSee. A local attacker in control of the hypervisor could use this to expose sensitive information or possibly execute arbitrary code in the trusted execution environment. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-30 CVE Reserved
2024-05-30 CVE Published
2024-12-19 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-476: NULL Pointer Dereference

CAPEC

References (7)

URL	Tag	Source
https://git.kernel.org/stable/c/54a611b605901c7d5d05b6b8f5d04a6ceb0962aa	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/883e5d542bbdddbddeba60250cb482baf3ae2415	2024-06-16
https://git.kernel.org/stable/c/6c9c7c1e63b198a8b979ad963eb21410f10ccb00	2024-05-17
https://git.kernel.org/stable/c/f3956791cf526540addd3295e4c1e0f0442486cc	2024-05-17
https://git.kernel.org/stable/c/955a923d2809803980ff574270f81510112be9cf	2024-05-06

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-36891	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2284567	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.1.94 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.1.94"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.6.31 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.6.31"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.8.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.8.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.9"		en		Affected