{
  "threat_severity" : "Low",
  "public_date" : "2024-07-05T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL",
    "id" : "2296066",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2296066"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL\ncommit a421ef303008 (\"mm: allow !GFP_KERNEL allocations for kvmalloc\")\nincludes support for __GFP_NOFAIL, but it presents a conflict with commit\ndd544141b9eb (\"vmalloc: back off when the current task is OOM-killed\").  A\npossible scenario is as follows:\nprocess-a\n__vmalloc_node_range(GFP_KERNEL | __GFP_NOFAIL)\n__vmalloc_area_node()\nvm_area_alloc_pages()\n--> oom-killer send SIGKILL to process-a\nif (fatal_signal_pending(current)) break;\n--> return NULL;\nTo fix this, do not check fatal_signal_pending() in vm_area_alloc_pages()\nif __GFP_NOFAIL set.\nThis issue occurred during OPLUS KASAN TEST. Below is part of the log\n-> oom-killer sends signal to process\n[65731.222840] [ T1308] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/apps/uid_10198,task=gs.intelligence,pid=32454,uid=10198\n[65731.259685] [T32454] Call trace:\n[65731.259698] [T32454]  dump_backtrace+0xf4/0x118\n[65731.259734] [T32454]  show_stack+0x18/0x24\n[65731.259756] [T32454]  dump_stack_lvl+0x60/0x7c\n[65731.259781] [T32454]  dump_stack+0x18/0x38\n[65731.259800] [T32454]  mrdump_common_die+0x250/0x39c [mrdump]\n[65731.259936] [T32454]  ipanic_die+0x20/0x34 [mrdump]\n[65731.260019] [T32454]  atomic_notifier_call_chain+0xb4/0xfc\n[65731.260047] [T32454]  notify_die+0x114/0x198\n[65731.260073] [T32454]  die+0xf4/0x5b4\n[65731.260098] [T32454]  die_kernel_fault+0x80/0x98\n[65731.260124] [T32454]  __do_kernel_fault+0x160/0x2a8\n[65731.260146] [T32454]  do_bad_area+0x68/0x148\n[65731.260174] [T32454]  do_mem_abort+0x151c/0x1b34\n[65731.260204] [T32454]  el1_abort+0x3c/0x5c\n[65731.260227] [T32454]  el1h_64_sync_handler+0x54/0x90\n[65731.260248] [T32454]  el1h_64_sync+0x68/0x6c\n[65731.260269] [T32454]  z_erofs_decompress_queue+0x7f0/0x2258\n--> be->decompressed_pages = kvcalloc(be->nr_pages, sizeof(struct page *), GFP_KERNEL | __GFP_NOFAIL);\nkernel panic by NULL pointer dereference.\nerofs assume kvmalloc with __GFP_NOFAIL never return NULL.\n[65731.260293] [T32454]  z_erofs_runqueue+0xf30/0x104c\n[65731.260314] [T32454]  z_erofs_readahead+0x4f0/0x968\n[65731.260339] [T32454]  read_pages+0x170/0xadc\n[65731.260364] [T32454]  page_cache_ra_unbounded+0x874/0xf30\n[65731.260388] [T32454]  page_cache_ra_order+0x24c/0x714\n[65731.260411] [T32454]  filemap_fault+0xbf0/0x1a74\n[65731.260437] [T32454]  __do_fault+0xd0/0x33c\n[65731.260462] [T32454]  handle_mm_fault+0xf74/0x3fe0\n[65731.260486] [T32454]  do_mem_abort+0x54c/0x1b34\n[65731.260509] [T32454]  el0_da+0x44/0x94\n[65731.260531] [T32454]  el0t_64_sync_handler+0x98/0xb4\n[65731.260553] [T32454]  el0t_64_sync+0x198/0x19c" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-39474\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39474\nhttps://lore.kernel.org/linux-cve-announce/2024070518-CVE-2024-39474-97cf@gregkh/T" ],
  "name" : "CVE-2024-39474",
  "csaw" : false
}