Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2024-35902

Disclosure Date: May 19, 2024 •

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

net/rds: fix possible cp null dereference

cp might be null, calling cp->cp_conn would produce null dereference

[Simon Horman adds:]

Analysis:

cp is a parameter of __rds_rdma_map and is not reassigned.
The following call-sites pass a NULL cp argument to __rds_rdma_map()
- rds_get_mr()
- rds_get_mr_for_dest
Prior to the code above, the following assumes that cp may be NULL
(which is indicative, but could itself be unnecessary)

trans_private = rs->rs_transport->get_mr(
```
sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,
args->vec.addr, args->vec.bytes,
need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);
```
The code modified by this patch is guarded by IS_ERR(trans_private),
where trans_private is assigned as per the previous point in this analysis.

The only implementation of get_mr that I could locate is rds_ib_get_mr()
which can return an ERR_PTR if the conn (4th) argument is NULL.

ret is set to PTR_ERR(trans_private).
rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.
Thus ret may be -ENODEV in which case the code in question will execute.

Conclusion:

cp may be NULL at the point where this patch adds a check;
this patch does seem to address a possible bug

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

Linux

Products

Linux

References

Canonical

CVE-2024-35902 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35902)

Miscellaneous

https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c

https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9

https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14

https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029

https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196

https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d

https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a

https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b

https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

Rapid7

Technical Analysis