{
  "threat_severity" : "Moderate",
  "public_date" : "2024-11-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: security/keys: fix slab-out-of-bounds in key_task_permission",
    "id" : "2327188",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2327188"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsecurity/keys: fix slab-out-of-bounds in key_task_permission\nKASAN reports an out of bounds read:\nBUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36\nBUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]\nBUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410\nsecurity/keys/permission.c:54\nRead of size 4 at addr ffff88813c3ab618 by task stress-ng/4362\nCPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15\nCall Trace:\n__dump_stack lib/dump_stack.c:82 [inline]\ndump_stack+0x107/0x167 lib/dump_stack.c:123\nprint_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400\n__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560\nkasan_report+0x3a/0x50 mm/kasan/report.c:585\n__kuid_val include/linux/uidgid.h:36 [inline]\nuid_eq include/linux/uidgid.h:63 [inline]\nkey_task_permission+0x394/0x410 security/keys/permission.c:54\nsearch_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793\nThis issue was also reported by syzbot.\nIt can be reproduced by following these steps(more details [1]):\n1. Obtain more than 32 inputs that have similar hashes, which ends with the\npattern '0xxxxxxxe6'.\n2. Reboot and add the keys obtained in step 1.\nThe reproducer demonstrates how this issue happened:\n1. In the search_nested_keyrings function, when it iterates through the\nslots in a node(below tag ascend_to_node), if the slot pointer is meta\nand node->back_pointer != NULL(it means a root), it will proceed to\ndescend_to_node. However, there is an exception. If node is the root,\nand one of the slots points to a shortcut, it will be treated as a\nkeyring.\n2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.\nHowever, KEYRING_PTR_SUBTYPE is 0x2UL, the same as\nASSOC_ARRAY_PTR_SUBTYPE_MASK.\n3. When 32 keys with the similar hashes are added to the tree, the ROOT\nhas keys with hashes that are not similar (e.g. slot 0) and it splits\nNODE A without using a shortcut. When NODE A is filled with keys that\nall hashes are xxe6, the keys are similar, NODE A will split with a\nshortcut. Finally, it forms the tree as shown below, where slot 6 points\nto a shortcut.\nNODE A\n+------>+---+\nROOT    |       | 0 | xxe6\n+---+   |       +---+\nxxxx | 0 | shortcut  :   : xxe6\n+---+   |       +---+\nxxe6 :   :   |       |   | xxe6\n+---+   |       +---+\n| 6 |---+       :   : xxe6\n+---+           +---+\nxxe6 :   :           | f | xxe6\n+---+           +---+\nxxe6 | f |\n+---+\n4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,\nit may be mistakenly transferred to a key*, leading to a read\nout-of-bounds read.\nTo fix this issue, one should jump to descend_to_node if the ptr is a\nshortcut, regardless of whether the node is root or not.\n[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/\n[jarkko: tweaked the commit message a bit to have an appropriate closes\ntag.]" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9581",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.58.1.rt7.399.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9580",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.58.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17377",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.51.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17377",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.51.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50301\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50301\nhttps://lore.kernel.org/linux-cve-announce/2024111907-CVE-2024-50301-ec76@gregkh/T" ],
  "name" : "CVE-2024-50301",
  "csaw" : false
}