CVE-2024-57930 (GCVE-0-2024-57930)
Vulnerability from cvelistv5
Published
2025-01-21 12:01
Modified
2025-05-04 10:06
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: tracing: Have process_string() also allow arrays In order to catch a common bug where a TRACE_EVENT() TP_fast_assign() assigns an address of an allocated string to the ring buffer and then references it in TP_printk(), which can be executed hours later when the string is free, the function test_event_printk() runs on all events as they are registered to make sure there's no unwanted dereferencing. It calls process_string() to handle cases in TP_printk() format that has "%s". It returns whether or not the string is safe. But it can have some false positives. For instance, xe_bo_move() has: TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s", __entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size, xe_mem_type_to_name[__entry->old_placement], xe_mem_type_to_name[__entry->new_placement], __get_str(device_id)) Where the "%s" references into xe_mem_type_to_name[]. This is an array of pointers that should be safe for the event to access. Instead of flagging this as a bad reference, if a reference points to an array, where the record field is the index, consider it safe.
References
Impacted products
Vendor Product Version
Linux Linux Version: 85d7635d54d75a2589f28583dc17feedc3aa4ad6
Version: f3ff759ec636b4094b8eb2c3801e4e6c97a6b712
Version: 2f6ad0b613cd45cca48e6eb04f65351db018afb0
Version: 683eccacc02d2eb25d1c34b8fb0363fcc7e08f64
Version: 65a25d9f7ac02e0cf361356e834d1c71d36acca9
 Create a notification for this product.
   Linux Linux Version: 6.1.122   
Version: 6.6.68   
Version: 6.12.7   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace_events.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3bcdc9039a6e9e6e47ed689a37b8d57894a3c571",
              "status": "affected",
              "version": "85d7635d54d75a2589f28583dc17feedc3aa4ad6",
              "versionType": "git"
            },
            {
              "lessThan": "631b1e09e213c86d5a4ce23d45c81af473bb0ac7",
              "status": "affected",
              "version": "f3ff759ec636b4094b8eb2c3801e4e6c97a6b712",
              "versionType": "git"
            },
            {
              "lessThan": "a64e5295ebc4afdefe69cdf16cc286a60ff8ba4b",
              "status": "affected",
              "version": "2f6ad0b613cd45cca48e6eb04f65351db018afb0",
              "versionType": "git"
            },
            {
              "lessThan": "92bd18c74624e5eb9f96e70076aa46293f4b626f",
              "status": "affected",
              "version": "683eccacc02d2eb25d1c34b8fb0363fcc7e08f64",
              "versionType": "git"
            },
            {
              "lessThan": "afc6717628f959941d7b33728570568b4af1c4b8",
              "status": "affected",
              "version": "65a25d9f7ac02e0cf361356e834d1c71d36acca9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace_events.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.1.124",
              "status": "affected",
              "version": "6.1.122",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.70",
              "status": "affected",
              "version": "6.6.68",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.9",
              "status": "affected",
              "version": "6.12.7",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.124",
                  "versionStartIncluding": "6.1.122",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "6.6.68",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.9",
                  "versionStartIncluding": "6.12.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have process_string() also allow arrays\n\nIn order to catch a common bug where a TRACE_EVENT() TP_fast_assign()\nassigns an address of an allocated string to the ring buffer and then\nreferences it in TP_printk(), which can be executed hours later when the\nstring is free, the function test_event_printk() runs on all events as\nthey are registered to make sure there\u0027s no unwanted dereferencing.\n\nIt calls process_string() to handle cases in TP_printk() format that has\n\"%s\". It returns whether or not the string is safe. But it can have some\nfalse positives.\n\nFor instance, xe_bo_move() has:\n\n TP_printk(\"move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s\",\n            __entry-\u003emove_lacks_source ? \"yes\" : \"no\", __entry-\u003ebo, __entry-\u003esize,\n            xe_mem_type_to_name[__entry-\u003eold_placement],\n            xe_mem_type_to_name[__entry-\u003enew_placement], __get_str(device_id))\n\nWhere the \"%s\" references into xe_mem_type_to_name[]. This is an array of\npointers that should be safe for the event to access. Instead of flagging\nthis as a bad reference, if a reference points to an array, where the\nrecord field is the index, consider it safe."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:06:53.594Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3bcdc9039a6e9e6e47ed689a37b8d57894a3c571"
        },
        {
          "url": "https://git.kernel.org/stable/c/631b1e09e213c86d5a4ce23d45c81af473bb0ac7"
        },
        {
          "url": "https://git.kernel.org/stable/c/a64e5295ebc4afdefe69cdf16cc286a60ff8ba4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/92bd18c74624e5eb9f96e70076aa46293f4b626f"
        },
        {
          "url": "https://git.kernel.org/stable/c/afc6717628f959941d7b33728570568b4af1c4b8"
        }
      ],
      "title": "tracing: Have process_string() also allow arrays",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57930",
    "datePublished": "2025-01-21T12:01:27.807Z",
    "dateReserved": "2025-01-19T11:50:08.376Z",
    "dateUpdated": "2025-05-04T10:06:53.594Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-57930\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-01-21T12:15:26.600\",\"lastModified\":\"2025-01-21T12:15:26.600\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Have process_string() also allow arrays\\n\\nIn order to catch a common bug where a TRACE_EVENT() TP_fast_assign()\\nassigns an address of an allocated string to the ring buffer and then\\nreferences it in TP_printk(), which can be executed hours later when the\\nstring is free, the function test_event_printk() runs on all events as\\nthey are registered to make sure there\u0027s no unwanted dereferencing.\\n\\nIt calls process_string() to handle cases in TP_printk() format that has\\n\\\"%s\\\". It returns whether or not the string is safe. But it can have some\\nfalse positives.\\n\\nFor instance, xe_bo_move() has:\\n\\n TP_printk(\\\"move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s\\\",\\n            __entry-\u003emove_lacks_source ? \\\"yes\\\" : \\\"no\\\", __entry-\u003ebo, __entry-\u003esize,\\n            xe_mem_type_to_name[__entry-\u003eold_placement],\\n            xe_mem_type_to_name[__entry-\u003enew_placement], __get_str(device_id))\\n\\nWhere the \\\"%s\\\" references into xe_mem_type_to_name[]. This is an array of\\npointers that should be safe for the event to access. Instead of flagging\\nthis as a bad reference, if a reference points to an array, where the\\nrecord field is the index, consider it safe.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tracing: Hacer que process_string() tambi\u00e9n permita matrices Para detectar un error com\u00fan en el que un TP_fast_assign() de TRACE_EVENT() asigna una direcci\u00f3n de una cadena asignada al b\u00fafer de anillo y luego la referencia en TP_printk(), que se puede ejecutar horas despu\u00e9s cuando la cadena est\u00e1 libre, la funci\u00f3n test_event_printk() se ejecuta en todos los eventos a medida que se registran para asegurarse de que no haya desreferenciaciones no deseadas. Llama a process_string() para gestionar los casos en formato TP_printk() que tienen \\\"%s\\\". Devuelve si la cadena es segura o no. Pero puede tener algunos falsos positivos. Por ejemplo, xe_bo_move() tiene: TP_printk(\\\"move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s\\\", __entry-\u0026gt;move_lacks_source ? \\\"yes\\\" : \\\"no\\\", __entry-\u0026gt;bo, __entry-\u0026gt;size, xe_mem_type_to_name[__entry-\u0026gt;old_placement], xe_mem_type_to_name[__entry-\u0026gt;new_placement], __get_str(device_id)) Where the \\\"%s\\\" Donde \\\"%s\\\" hace referencia a xe_mem_type_to_name[]. Esta es una matriz de punteros a los que el evento deber\u00eda poder acceder de forma segura. En lugar de marcar esto como una referencia incorrecta, si una referencia apunta a una matriz, donde el campo de registro es el \u00edndice, consid\u00e9rela segura.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3bcdc9039a6e9e6e47ed689a37b8d57894a3c571\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/631b1e09e213c86d5a4ce23d45c81af473bb0ac7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/92bd18c74624e5eb9f96e70076aa46293f4b626f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a64e5295ebc4afdefe69cdf16cc286a60ff8ba4b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/afc6717628f959941d7b33728570568b4af1c4b8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.