CVE-2024-42136 in Linux
Summary
by MITRE • 07/30/2024
In the Linux kernel, the following vulnerability has been resolved:
cdrom: rearrange last_media_change check to avoid unintentional overflow
When running syzkaller with the newly reintroduced signed integer wrap sanitizer we encounter this splat:
[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33
[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')
[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO
[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 366.027518] Call Trace:
[ 366.027523] <TASK>
[ 366.027533] dump_stack_lvl+0x93/0xd0
[ 366.027899] handle_overflow+0x171/0x1b0
[ 366.038787] ata1.00: invalid multi_count 32 ignored
[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10
[ 366.063932] ? __pm_runtime_resume+0xe6/0x130
[ 366.071923] sr_block_ioctl+0x15d/0x1d0
[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10
[ 366.077642] blkdev_ioctl+0x419/0x500
[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10
...
Historically, the signed integer overflow sanitizer did not work in the kernel due to its interaction with `-fwrapv` but this has since been changed [1] in the newest version of Clang. It was re-enabled in the
kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow sanitizer").
Let's rearrange the check to not perform any arithmetic, thus not tripping the sanitizer.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/24/2026
The vulnerability identified as CVE-2024-42136 resides within the Linux kernel's cdrom subsystem, specifically in the cdrom.c driver file where a signed integer overflow condition occurs during media change detection operations. This issue manifests when the kernel's signed integer overflow sanitizer is enabled, which was previously disabled due to compatibility issues with the `-fwrapv` compiler flag but has since been reintroduced in newer compiler versions. The problem occurs at line 2361 in the cdrom.c file where an arithmetic operation attempts to subtract a large positive value from a negative six4-bit integer, resulting in an overflow that cannot be represented within the signed 64-bit integer type. This particular scenario arises during ioctl operations on CD-ROM devices, particularly when syzkaller fuzzing tools are employed to test kernel functionality. The vulnerability demonstrates a classic example of improper input validation and arithmetic operation handling that can lead to unpredictable behavior and potential exploitation.
The technical flaw stems from how the kernel handles the last_media_change timestamp comparison within the cdrom subsystem, where the code performs arithmetic operations on signed integers without proper bounds checking or overflow protection mechanisms. When the signed integer overflow sanitizer is active, it detects this operation as an invalid arithmetic operation that would result in undefined behavior according to the C standard. The call trace shows the execution path leading through cdrom_ioctl, sr_block_ioctl, and blkdev_ioctl functions, indicating that this vulnerability affects block device operations on optical media devices. This particular implementation pattern violates security principles by not properly handling potential integer overflow conditions that could be exploited by malicious actors to cause denial of service or potentially execute arbitrary code.
The operational impact of this vulnerability is significant for systems running kernel versions with the signed integer overflow sanitizer enabled, particularly in environments where automated testing tools like syzkaller are used for kernel validation. The vulnerability can cause kernel panics or system crashes when the overflow condition is triggered during normal operation or during fuzzing activities, leading to denial of service conditions. While the immediate impact may appear limited to specific testing scenarios, the underlying flaw represents a broader security concern in kernel code that could be exploited in more sophisticated attack vectors. The vulnerability affects systems using optical media devices and could potentially be leveraged by attackers who can control the timing or parameters of media change operations to trigger the overflow condition.
Mitigation strategies for this vulnerability involve modifying the cdrom.c driver code to eliminate the arithmetic operation that triggers the sanitizer, as recommended in the patch. The solution requires rearranging the media change detection logic to avoid performing direct arithmetic operations on timestamp values that could result in signed integer overflow conditions. System administrators should ensure they are running patched kernel versions that implement the recommended code changes, which typically involve using alternative comparison methods or unsigned integer types for timestamp calculations. Additionally, organizations should consider disabling the signed integer overflow sanitizer in production environments where this specific vulnerability is not actively exploited, though this approach reduces overall kernel security monitoring capabilities. The fix aligns with security best practices for kernel development and follows principles outlined in the Common Weakness Enumeration (CWE) category CWE-191 for signed integer underflow/overflow conditions, as well as the MITRE ATT&CK framework's techniques for privilege escalation and system exploitation through kernel vulnerabilities.