Executive Summary

Informations
Name CVE-2024-41096 First vendor Publication 2024-07-29
Vendor Cve Last vendor Modification 2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 7.8
Base Score 7.8 Environmental Score 7.8
impact SubScore 5.9 Temporal Score 7.8
Exploitabality Sub Score 1.8
 
Attack Vector Local Attack Complexity Low
Privileges Required Low User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

In the Linux kernel, the following vulnerability has been resolved:

PCI/MSI: Fix UAF in msi_capability_init

KFENCE reports the following UAF:

BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488

Use-after-free read at 0x0000000024629571 (in kfence-#12):
__pci_enable_msi_range+0x2c0/0x488
pci_alloc_irq_vectors_affinity+0xec/0x14c
pci_alloc_irq_vectors+0x18/0x28

kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128

allocated by task 81 on cpu 7 at 10.808142s:
__kmem_cache_alloc_node+0x1f0/0x2bc
kmalloc_trace+0x44/0x138
msi_alloc_desc+0x3c/0x9c
msi_domain_insert_msi_desc+0x30/0x78
msi_setup_msi_desc+0x13c/0x184
__pci_enable_msi_range+0x258/0x488
pci_alloc_irq_vectors_affinity+0xec/0x14c
pci_alloc_irq_vectors+0x18/0x28

freed by task 81 on cpu 7 at 10.811436s:
msi_domain_free_descs+0xd4/0x10c
msi_domain_free_locked.part.0+0xc0/0x1d8
msi_domain_alloc_irqs_all_locked+0xb4/0xbc
pci_msi_setup_msi_irqs+0x30/0x4c
__pci_enable_msi_range+0x2a8/0x488
pci_alloc_irq_vectors_affinity+0xec/0x14c
pci_alloc_irq_vectors+0x18/0x28

Descriptor allocation done in: __pci_enable_msi_range
msi_capability_init
msi_setup_msi_desc
msi_insert_msi_desc
msi_domain_insert_msi_desc
msi_alloc_desc
...

Freed in case of failure in __msi_domain_alloc_locked() __pci_enable_msi_range
msi_capability_init
pci_msi_setup_msi_irqs
msi_domain_alloc_irqs_all_locked
msi_domain_alloc_locked
__msi_domain_alloc_locked => fails
msi_domain_free_locked
...

That failure propagates back to pci_msi_setup_msi_irqs() in msi_capability_init() which accesses the descriptor for unmasking in the error exit path.

Cure it by copying the descriptor and using the copy for the error exit path unmask operation.

[ tglx: Massaged change log ]

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41096

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-416 Use After Free

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 8
Os 3635

Sources (Detail)

https://git.kernel.org/stable/c/0ae40b2d0a5de6b045504098e365d4fdff5bbeba
https://git.kernel.org/stable/c/45fc8d20e0768ab0a0ad054081d0f68aa3c83976
https://git.kernel.org/stable/c/9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1
https://git.kernel.org/stable/c/ff1121d2214b794dc1772081f27bdd90721a84bc
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Date Informations
2025-01-08 03:03:49
  • Multiple Updates
2025-01-07 03:03:23
  • Multiple Updates
2024-12-25 03:02:00
  • Multiple Updates
2024-12-12 03:04:58
  • Multiple Updates
2024-11-25 09:23:24
  • Multiple Updates
2024-11-22 21:22:38
  • Multiple Updates
2024-11-21 21:22:10
  • Multiple Updates
2024-11-20 02:58:35
  • Multiple Updates
2024-11-14 02:58:54
  • Multiple Updates
2024-11-09 02:58:54
  • Multiple Updates
2024-10-26 02:56:19
  • Multiple Updates
2024-10-25 02:58:13
  • Multiple Updates
2024-10-23 02:57:26
  • Multiple Updates
2024-10-03 02:52:46
  • Multiple Updates
2024-10-02 02:51:10
  • Multiple Updates
2024-09-14 21:30:06
  • Multiple Updates
2024-09-11 21:27:58
  • Multiple Updates
2024-09-08 13:27:40
  • Multiple Updates
2024-09-07 02:47:27
  • Multiple Updates
2024-09-06 02:46:37
  • Multiple Updates
2024-09-04 02:49:50
  • Multiple Updates
2024-08-22 02:47:44
  • Multiple Updates
2024-08-08 21:27:54
  • Multiple Updates
2024-07-29 21:27:27
  • First insertion