{ "threat_severity" : "Moderate", "public_date" : "2024-07-12T00:00:00Z", "bugzilla" : { "description" : "kernel: powerpc/pseries: Enforce hcall result buffer validity and size", "id" : "2297558", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2297558" }, "cvss3" : { "cvss3_base_score" : "6.6", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-119", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\npowerpc/pseries: Enforce hcall result buffer validity and size\nplpar_hcall(), plpar_hcall9(), and related functions expect callers to\nprovide valid result buffers of certain minimum size. Currently this\nis communicated only through comments in the code and the compiler has\nno idea.\nFor example, if I write a bug like this:\nlong retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE\nplpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);\nThis compiles with no diagnostics emitted, but likely results in stack\ncorruption at runtime when plpar_hcall9() stores results past the end\nof the array. (To be clear this is a contrived example and I have not\nfound a real instance yet.)\nTo make this class of error less likely, we can use explicitly-sized\narray parameters instead of pointers in the declarations for the hcall\nAPIs. When compiled with -Warray-bounds[1], the code above now\nprovokes a diagnostic like this:\nerror: array argument is too small;\nis of size 32, callee requires at least 72 [-Werror,-Warray-bounds]\n60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,\n| ^ ~~~~~~\n[1] Enabled for LLVM builds but not GCC for now. See commit\n0da6e5fd6c37 (\"gcc: disable '-Warray-bounds' for gcc-13 too\") and\nrelated changes.", "A vulnerability was found in the Linux kernel's powerpc/pseries architecture, where certain hypercall functions did not properly enforce the validity and size of result buffers provided by callers, lead to stack corruption if the buffer is too small, as the lack of compiler checks allows for potential runtime errors." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-08-08T00:00:00Z", "advisory" : "RHSA-2024:5101", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.16.1.el8_10" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-40974\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40974\nhttps://lore.kernel.org/linux-cve-announce/2024071229-CVE-2024-40974-afb3@gregkh/T" ], "name" : "CVE-2024-40974", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }