{ "threat_severity" : "Moderate", "public_date" : "2024-07-29T00:00:00Z", "bugzilla" : { "description" : "kernel: xfs: don't walk off the end of a directory data block", "id" : "2300296", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2300296" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-125", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nxfs: don't walk off the end of a directory data block\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\nto make sure don't stray beyond valid memory region. Before patching, the\nloop simply checks that the start offset of the dup and dep is within the\nrange. So in a crafted image, if last entry is xfs_dir2_data_unused, we\ncan change dup->length to dup->length-1 and leave 1 byte of space. In the\nnext traversal, this space will be considered as dup or dep. We may\nencounter an out of bound read when accessing the fixed members.\nIn the patch, we make sure that the remaining bytes large enough to hold\nan unused entry before accessing xfs_dir2_data_unused and\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\nsure that the remaining bytes large enough to hold a dirent with a\nsingle-byte name before accessing xfs_dir2_data_entry.", "A vulnerability was found in the Linux kernel in the xfs_dir2_data_unused() and xfs_dir2_data_entry() functions where a lack of proper sanity checks while handling directory data blocks can lead to out-of-bounds memory access. This can result in undefined system behavior or crashes." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-09-24T00:00:00Z", "advisory" : "RHSA-2024:7001", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-09-24T00:00:00Z", "advisory" : "RHSA-2024:7000", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.22.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-10-30T00:00:00Z", "advisory" : "RHSA-2024:8617", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.42.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-10-30T00:00:00Z", "advisory" : "RHSA-2024:8617", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.42.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-41013\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-41013\nhttps://lore.kernel.org/linux-cve-announce/2024072908-CVE-2024-41013-2996@gregkh/T" ], "name" : "CVE-2024-41013", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }