{ "threat_severity" : "Moderate", "public_date" : "2024-05-17T00:00:00Z", "bugzilla" : { "description" : "kernel: mm: cachestat: fix two shmem bugs", "id" : "2281151", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2281151" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm: cachestat: fix two shmem bugs\nWhen cachestat on shmem races with swapping and invalidation, there\nare two possible bugs:\n1) A swapin error can have resulted in a poisoned swap entry in the\nshmem inode's xarray. Calling get_shadow_from_swap_cache() on it\nwill result in an out-of-bounds access to swapper_spaces[].\nValidate the entry with non_swap_entry() before going further.\n2) When we find a valid swap entry in the shmem's inode, the shadow\nentry in the swapcache might not exist yet: swap IO is still in\nprogress and we're before __remove_mapping; swapin, invalidation,\nor swapoff have removed the shadow from swapcache after we saw the\nshmem swap entry.\nThis will send a NULL to workingset_test_recent(). The latter\npurely operates on pointer bits, so it won't crash - node 0, memcg\nID 0, eviction timestamp 0, etc. are all valid inputs - but it's a\nbogus test. In theory that could result in a false \"recently\nevicted\" count.\nSuch a false positive wouldn't be the end of the world. But for\ncode clarity and (future) robustness, be explicit about this case.\nBail on get_shadow_from_swap_cache() returning NULL.", "CVE-2024-35797 is a vulnerability in the Linux kernel’s memory management, specifically affecting the cachestat feature when handling shared memory. The flaw stems from race conditions during operations like swapping or invalidation, which can lead to out-of-bounds memory access or invalid pointer dereferencing. These issues can result in crashes or system instability. The kernel has been patched to improve checks and handling of swap entries to ensure stable and safe operation." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-09-11T00:00:00Z", "advisory" : "RHSA-2024:6567", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.35.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-09-11T00:00:00Z", "advisory" : "RHSA-2024:6567", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.35.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-35797\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35797\nhttps://lore.kernel.org/linux-cve-announce/2024051737-CVE-2024-35797-06f6@gregkh/T" ], "name" : "CVE-2024-35797", "csaw" : false }