{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-39488","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-06-25T14:23:23.747Z","datePublished":"2024-07-10T07:14:08.319Z","dateUpdated":"2025-05-04T09:16:51.608Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:16:51.608Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes\nto bug_table entries, and as a result the last entry in a bug table will\nbe ignored, potentially leading to an unexpected panic(). All prior\nentries in the table will be handled correctly.\n\nThe arm64 ABI requires that struct fields of up to 8 bytes are\nnaturally-aligned, with padding added within a struct such that structs\nare suitably aligned within arrays.\n\nWhen CONFIG_DEBUG_BUGVERBOSE=y, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int      bug_addr_disp;\t// 4 bytes\n\t\tsigned int      file_disp;\t// 4 bytes\n\t\tunsigned short  line;\t\t// 2 bytes\n\t\tunsigned short  flags;\t\t// 2 bytes\n\t}\n\n... with 12 bytes total, requiring 4-byte alignment.\n\nWhen CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:\n\n\tstruct bug_entry {\n\t\tsigned int      bug_addr_disp;\t// 4 bytes\n\t\tunsigned short  flags;\t\t// 2 bytes\n\t\t< implicit padding >\t\t// 2 bytes\n\t}\n\n... 
with 8 bytes total, with 6 bytes of data and 2 bytes of trailing\npadding, requiring 4-byte alignment.\n\nWhen we create a bug_entry in assembly, we align the start of the entry\nto 4 bytes, which implicitly handles padding for any prior entries.\nHowever, we do not align the end of the entry, and so when\nCONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding\nbytes.\n\nFor the main kernel image this is not a problem as find_bug() doesn't\ndepend on the trailing padding bytes when searching for entries:\n\n\tfor (bug = __start___bug_table; bug < __stop___bug_table; ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\treturn bug;\n\nHowever for modules, module_bug_finalize() depends on the trailing\nbytes when calculating the number of entries:\n\n\tmod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);\n\n... and as the last bug_entry lacks the necessary padding bytes, this entry\nwill not be counted, e.g. in the case of a single entry:\n\n\tsechdrs[i].sh_size == 6\n\tsizeof(struct bug_entry) == 8;\n\n\tsechdrs[i].sh_size / sizeof(struct bug_entry) == 0;\n\nConsequently module_find_bug() will miss the last bug_entry when it does:\n\n\tfor (i = 0; i < mod->num_bugs; ++i, ++bug)\n\t\tif (bugaddr == bug_addr(bug))\n\t\t\tgoto out;\n\n... which can lead to a kernel panic due to an unhandled bug.\n\nThis can be demonstrated with the following module:\n\n\tstatic int __init buginit(void)\n\t{\n\t\tWARN(1, \"hello\\n\");\n\t\treturn 0;\n\t}\n\n\tstatic void __exit bugexit(void)\n\t{\n\t}\n\n\tmodule_init(buginit);\n\tmodule_exit(bugexit);\n\tMODULE_LICENSE(\"GPL\");\n\n... 
which will trigger a kernel panic when loaded:\n\n\t------------[ cut here ]------------\n\thello\n\tUnexpected kernel BRK exception at EL1\n\tInternal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP\n\tModules linked in: hello(O+)\n\tCPU: 0 PID: 50 Comm: insmod Tainted: G           O       6.9.1 #8\n\tHardware name: linux,dummy-virt (DT)\n\tpstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\tpc : buginit+0x18/0x1000 [hello]\n\tlr : buginit+0x18/0x1000 [hello]\n\tsp : ffff800080533ae0\n\tx29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000\n\tx26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58\n\tx23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0\n\tx20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006\n\tx17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720\n\tx14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312\n\tx11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8\n\tx8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000\n\tx5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000\n\tx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0\n\tCall trace:\n\t buginit+0x18/0x1000 [hello]\n\t do_one_initcall+0x80/0x1c8\n\t do_init_module+0x60/0x218\n\t load_module+0x1ba4/0x1d70\n\t __do_sys_init_module+0x198/0x1d0\n\t __arm64_sys_init_module+0x1c/0x28\n\t invoke_syscall+0x48/0x114\n\t 
el0_svc\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/include/asm/asm-bug.h"],"versions":[{"version":"9fb7410f955f7a62c1f882ca8f9ffd4525907e28","lessThan":"f221bd58db0f6ca087ac0392284f6bce21f4f8ea","status":"affected","versionType":"git"},{"version":"9fb7410f955f7a62c1f882ca8f9ffd4525907e28","lessThan":"22469a0335a1a1a690349b58bcb55822457df81e","status":"affected","versionType":"git"},{"version":"9fb7410f955f7a62c1f882ca8f9ffd4525907e28","lessThan":"461a760d578b2b2c2faac3040b6b7c77baf128f8","status":"affected","versionType":"git"},{"version":"9fb7410f955f7a62c1f882ca8f9ffd4525907e28","lessThan":"c1929c041a262a4a27265db8dce3619c92aa678c","status":"affected","versionType":"git"},{"version":"9fb7410f955f7a62c1f882ca8f9ffd4525907e28","lessThan":"3fd487ffaa697ddb05af78a75aaaddabe71c52b0","status":"affected","versionType":"git"},{"version":"9fb7410f955f7a62c1f882ca8f9ffd4525907e28","lessThan":"9f2ad88f9b349554f64e4037ec185c84d7dd9c7d","status":"affected","versionType":"git"},{"version":"9fb7410f955f7a62c1f882ca8f9ffd4525907e28","lessThan":"c27a2f7668e215c1ebbccd96fab27a220a93f1f7","status":"affected","versionType":"git"},{"version":"9fb7410f955f7a62c1f882ca8f9ffd4525907e28","lessThan":"ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/include/asm/asm-bug.h"],"versions":[{"version":"4.3","status":"affected"},{"version":"0","lessThan":"4.3","status":"unaffected","versionType":"semver"},{"version":"4.19.316","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.278","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.219","lessThanOrEqual":"5.10.*","status":
"unaffected","versionType":"semver"},{"version":"5.15.161","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.93","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.33","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.9.4","lessThanOrEqual":"6.9.*","status":"unaffected","versionType":"semver"},{"version":"6.10","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"4.19.316"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"5.4.278"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"5.10.219"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"5.15.161"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.1.93"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.6.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.9.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f221bd58db0f6ca087ac0392284f6bce21f4f8ea"},{"url":"https://git.kernel.org/stable/c/22469a0335a1a1a690349b58bcb55822457df81e"},{"url":"https://git.kernel.org/stable/c/461a760d578b2b2c2faac3040b6b7c77baf128f8"},{"url":"https://git.kernel.or
g/stable/c/c1929c041a262a4a27265db8dce3619c92aa678c"},{"url":"https://git.kernel.org/stable/c/3fd487ffaa697ddb05af78a75aaaddabe71c52b0"},{"url":"https://git.kernel.org/stable/c/9f2ad88f9b349554f64e4037ec185c84d7dd9c7d"},{"url":"https://git.kernel.org/stable/c/c27a2f7668e215c1ebbccd96fab27a220a93f1f7"},{"url":"https://git.kernel.org/stable/c/ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f"}],"title":"arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-07-23T18:32:26.259204Z","id":"CVE-2024-39488","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-23T18:33:16.448Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T04:26:15.905Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/f221bd58db0f6ca087ac0392284f6bce21f4f8ea","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/22469a0335a1a1a690349b58bcb55822457df81e","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/461a760d578b2b2c2faac3040b6b7c77baf128f8","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/c1929c041a262a4a27265db8dce3619c92aa678c","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/3fd487ffaa697ddb05af78a75aaaddabe71c52b0","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/9f2ad88f9b349554f64e4037ec185c84d7dd9c7d","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/c27a2f7668e215c1ebbccd96fab27a220a93f1f7","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f","tags":["x_transferred"]}]}]}}