{
  "threat_severity" : "Moderate",
  "public_date" : "2024-11-09T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: sched/numa: Fix the potential null pointer dereference in task_numa_work()",
    "id" : "2324868",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2324868"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsched/numa: Fix the potential null pointer dereference in task_numa_work()\nWhen running stress-ng-vm-segv test, we found a null pointer dereference\nerror in task_numa_work(). Here is the backtrace:\n[323676.066985] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n......\n[323676.067108] CPU: 35 PID: 2694524 Comm: stress-ng-vm-se\n......\n[323676.067113] pstate: 23401009 (nzCv daif +PAN -UAO +TCO +DIT +SSBS BTYPE=--)\n[323676.067115] pc : vma_migratable+0x1c/0xd0\n[323676.067122] lr : task_numa_work+0x1ec/0x4e0\n[323676.067127] sp : ffff8000ada73d20\n[323676.067128] x29: ffff8000ada73d20 x28: 0000000000000000 x27: 000000003e89f010\n[323676.067130] x26: 0000000000080000 x25: ffff800081b5c0d8 x24: ffff800081b27000\n[323676.067133] x23: 0000000000010000 x22: 0000000104d18cc0 x21: ffff0009f7158000\n[323676.067135] x20: 0000000000000000 x19: 0000000000000000 x18: ffff8000ada73db8\n[323676.067138] x17: 0001400000000000 x16: ffff800080df40b0 x15: 0000000000000035\n[323676.067140] x14: ffff8000ada73cc8 x13: 1fffe0017cc72001 x12: ffff8000ada73cc8\n[323676.067142] x11: ffff80008001160c x10: ffff000be639000c x9 : ffff8000800f4ba4\n[323676.067145] x8 : ffff000810375000 x7 : ffff8000ada73974 x6 : 0000000000000001\n[323676.067147] x5 : 0068000b33e26707 x4 : 0000000000000001 x3 : ffff0009f7158000\n[323676.067149] x2 : 0000000000000041 x1 : 0000000000004400 x0 : 0000000000000000\n[323676.067152] Call trace:\n[323676.067153]  vma_migratable+0x1c/0xd0\n[323676.067155]  task_numa_work+0x1ec/0x4e0\n[323676.067157]  task_work_run+0x78/0xd8\n[323676.067161]  do_notify_resume+0x1ec/0x290\n[323676.067163]  el0_svc+0x150/0x160\n[323676.067167]  el0t_64_sync_handler+0xf8/0x128\n[323676.067170]  el0t_64_sync+0x17c/0x180\n[323676.067173] Code: d2888001 910003fd f9000bf3 aa0003f3 (f9401000)\n[323676.067177] SMP: stopping secondary CPUs\n[323676.070184] Starting crashdump kernel...\nstress-ng-vm-segv in stress-ng is used to stress test the SIGSEGV error\nhandling function of the system, which tries to cause a SIGSEGV error on\nreturn from unmapping the whole address space of the child process.\nNormally this program will not cause kernel crashes. But before the\nmunmap system call returns to user mode, a potential task_numa_work()\nfor numa balancing could be added and executed. In this scenario, since the\nchild process has no vma after munmap, the vma_next() in task_numa_work()\nwill return a null pointer even if the vma iterator restarts from 0.\nRecheck the vma pointer before dereferencing it in task_numa_work()." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-12-19T00:00:00Z",
    "advisory" : "RHSA-2024:11486",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.19.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-12-19T00:00:00Z",
    "advisory" : "RHSA-2024:11486",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.19.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50223\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50223\nhttps://lore.kernel.org/linux-cve-announce/2024110927-CVE-2024-50223-c11b@gregkh/T" ],
  "name" : "CVE-2024-50223",
  "csaw" : false
}