CVE-2024-44965

x86/mm: Fix pti_clone_pgtable() alignment assumption

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix pti_clone_pgtable() alignment assumption Guenter reported dodgy crashes on an i386-nosmp build using GCC-11
that had the form of endless traps until entry stack exhaust and then
#DF from the stack guard. It turned out that pti_clone_pgtable() had alignment assumptions on
the start address, notably it hard assumes start is PMD aligned. This
is true on x86_64, but very much not true on i386. These assumptions can cause the end condition to malfunction, leading
to a 'short' clone. Guess what happens when the user mapping has a
short copy of the entry text? Use the correct increment form for addr to avoid alignment
assumptions.

In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix pti_clone_pgtable() alignment assumption Guenter reported dodgy crashes on an i386-nosmp build using GCC-11 that had the form of endless traps until entry stack exhaust and then #DF from the stack guard. It turned out that pti_clone_pgtable() had alignment assumptions on the start address, notably it hard assumes start is PMD aligned. This is true on x86_64, but very much not true on i386. These assumptions can cause the end condition to malfunction, leading to a 'short' clone. Guess what happens when the user mapping has a short copy of the entry text? Use the correct increment form for addr to avoid alignment assumptions.

It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate certain SMB messages, leading to an out-of-bounds read vulnerability. An attacker could use this to cause a denial of service or possibly expose sensitive information. Supraja Sridhara, Benedict SchlÃ¼ter, Mark Kuhne, Andrin Bertschi, and Shweta Shinde discovered that the Confidential Computing framework in the Linux kernel for x86 platforms did not properly handle 32-bit emulation on TDX and SEV. An attacker with access to the VMM could use this to cause a denial of service or possibly execute arbitrary code.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-08-21 CVE Reserved
2024-09-04 CVE Published
2024-12-19 CVE Updated
2025-03-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (11)

URL	Tag	Source
https://git.kernel.org/stable/c/16a3fe634f6a568c6234b8747e5d50487fed3526	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/18da1b27ce16a14a9b636af9232acb4fb24f4c9e	2024-08-19
https://git.kernel.org/stable/c/25a727233a40a9b33370eec9f0cad67d8fd312f8	2024-08-19
https://git.kernel.org/stable/c/d00c9b4bbc442d99e1dafbdfdab848bc1ead73f6	2024-08-19
https://git.kernel.org/stable/c/4d143ae782009b43b4f366402e5c37f59d4e4346	2024-08-19
https://git.kernel.org/stable/c/5c580c1050bcbc15c3e78090859d798dcf8c9763	2024-08-14
https://git.kernel.org/stable/c/ca07aab70dd3b5e7fddb62d7a6ecd7a7d6d0b2ed	2024-08-14
https://git.kernel.org/stable/c/df3eecb5496f87263d171b254ca6e2758ab3c35c	2024-08-14
https://git.kernel.org/stable/c/41e71dbb0e0a0fe214545fe64af031303a08524c	2024-08-01

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-44965	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2309796	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19 < 4.19.320 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19 < 4.19.320"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19 < 5.4.282 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19 < 5.4.282"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19 < 5.10.224 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19 < 5.10.224"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19 < 5.15.165 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19 < 5.15.165"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19 < 6.1.105 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19 < 6.1.105"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19 < 6.6.46 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19 < 6.6.46"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19 < 6.10.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19 < 6.10.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19 < 6.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19 < 6.11"		en		Affected