We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-53097

mm: krealloc: Fix MTE false alarm in __do_krealloc



Description

In the Linux kernel, the following vulnerability has been resolved: mm: krealloc: Fix MTE false alarm in __do_krealloc This patch addresses an issue introduced by commit 1a83a716ec233 ("mm: krealloc: consider spare memory for __GFP_ZERO") which causes MTE (Memory Tagging Extension) to falsely report a slab-out-of-bounds error. The problem occurs when zeroing out spare memory in __do_krealloc. The original code only considered software-based KASAN and did not account for MTE. It does not reset the KASAN tag before calling memset, leading to a mismatch between the pointer tag and the memory tag, resulting in a false positive. Example of the error: ================================================================== swapper/0: BUG: KASAN: slab-out-of-bounds in __memset+0x84/0x188 swapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1 swapper/0: Pointer tag: [f4], memory tag: [fe] swapper/0: swapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12. swapper/0: Hardware name: MT6991(ENG) (DT) swapper/0: Call trace: swapper/0: dump_backtrace+0xfc/0x17c swapper/0: show_stack+0x18/0x28 swapper/0: dump_stack_lvl+0x40/0xa0 swapper/0: print_report+0x1b8/0x71c swapper/0: kasan_report+0xec/0x14c swapper/0: __do_kernel_fault+0x60/0x29c swapper/0: do_bad_area+0x30/0xdc swapper/0: do_tag_check_fault+0x20/0x34 swapper/0: do_mem_abort+0x58/0x104 swapper/0: el1_abort+0x3c/0x5c swapper/0: el1h_64_sync_handler+0x80/0xcc swapper/0: el1h_64_sync+0x68/0x6c swapper/0: __memset+0x84/0x188 swapper/0: btf_populate_kfunc_set+0x280/0x3d8 swapper/0: __register_btf_kfunc_id_set+0x43c/0x468 swapper/0: register_btf_kfunc_id_set+0x48/0x60 swapper/0: register_nf_nat_bpf+0x1c/0x40 swapper/0: nf_nat_init+0xc0/0x128 swapper/0: do_one_initcall+0x184/0x464 swapper/0: do_initcall_level+0xdc/0x1b0 swapper/0: do_initcalls+0x70/0xc0 swapper/0: do_basic_setup+0x1c/0x28 swapper/0: kernel_init_freeable+0x144/0x1b8 swapper/0: kernel_init+0x20/0x1a8 swapper/0: ret_from_fork+0x10/0x20 ==================================================================

Reserved 2024-11-19 | Published 2024-11-25 | Updated 2024-11-25 | Assigner Linux

Product status

Default status
unaffected

c383263ee82a before 8ebee7565eff
affected

a54378585624 before d02492863023
affected

44f79667fefd before d43f1430d47c
affected

f8767d10bcbc before 486aeb5f1855
affected

e3a9fc1520a6 before 71548fada7ee
affected

3e9a65a38706 before 3dfb40da84f2
affected

1a83a716ec23 before 704573851b51
affected

Default status
unaffected

5.10.227 before 5.10.230
affected

5.15.168 before 5.15.173
affected

6.1.113 before 6.1.118
affected

6.6.55 before 6.6.62
affected

6.11.3 before 6.11.9
affected

References

git.kernel.org/...c/8ebee7565effdeae6085458f8f8463363120a871

git.kernel.org/...c/d02492863023431c31f85d570f718433c22b9311

git.kernel.org/...c/d43f1430d47c22a0727c05b6f156ed25fecdfeb4

git.kernel.org/...c/486aeb5f1855c75dd810c25036134961bd2a6722

git.kernel.org/...c/71548fada7ee0eb50cc6ccda82dff010c745f92c

git.kernel.org/...c/3dfb40da84f26dd35dd9bbaf626a2424565b8406

git.kernel.org/...c/704573851b51808b45dae2d62059d1d8189138a2

cve.org (CVE-2024-53097)

nvd.nist.gov (CVE-2024-53097)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-53097

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.