CVE-2024-49935 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

ACPI: PAD: fix crash in exit_round_robin()

The kernel occasionally crashes in cpumask_clear_cpu(), which is called within exit_round_robin(), because when executing clear_bit(nr, addr) with nr set to 0xffffffff, the address calculation may cause misalignment within the memory, leading to access to an invalid memory address.

----------
BUG: unable to handle kernel paging request at ffffffffe0740618
...
CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1
...
RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]
Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31
RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202
RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8
R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e
FS:  0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 ? acpi_pad_add+0x120/0x120 [acpi_pad]
 kthread+0x10b/0x130
 ? set_kthread_struct+0x50/0x50
 ret_from_fork+0x1f/0x40
...
CR2: ffffffffe0740618

crash> dis -lr ffffffffc0726923
...
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114
0xffffffffc0726918 : mov %r12d,%r12d
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325
0xffffffffc072691b : mov -0x3f8d7de0(,%r12,4),%eax
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80
0xffffffffc0726923 : lock btr %rax,0x19cf4(%rip) # 0xffffffffc0740620

crash> px tsk_in_cpu[14]
$66 = 0xffffffff

crash> px 0xffffffffc072692c+0x19cf4
$99 = 0xffffffffc0740620

crash> sym 0xffffffffc0740620
ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]

crash> px pad_busy_cpus_bits[0]
$42 = 0xfffc0
----------

To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling
cpumask_clear_cpu() in exit_round_robin(), just as it is done in round_robin_cpu().

[ rjw: Subject edit, avoid updates to the same value ]


Analysis

by VulDB Data Team • 03/18/2026

The vulnerability described in CVE-2024-49935 resides in the Linux kernel's ACPI power management subsystem, specifically in the acpi_pad driver module. It manifests as a kernel crash in exit_round_robin(), the acpi_pad routine that releases the CPU a power-saving thread had claimed by clearing that CPU's bit in the pad_busy_cpus mask. The crash stems from cpumask_clear_cpu() calling clear_bit() with an out-of-bounds bit index of 0xffffffff. On x86 that index is handed directly to a lock btr instruction, so the effective address it computes lies far outside the mask, and the kernel faults at ffffffffe0740618. The issue is concerning because it brings down the whole system, disrupting service availability, and because an unchecked kernel memory access of this kind is an attack surface for anyone seeking to exploit kernel-level vulnerabilities.

The technical root cause aligns with CWE-129 (improper validation of an array index), which covers exactly this kind of out-of-bounds access. cpumask_clear_cpu() receives its CPU index from tsk_in_cpu[tsk_index], which holds -1 when the thread has not been assigned a CPU; read as an unsigned 32-bit value that is 0xffffffff, and the kernel passes it on without checking it. This is a classic missing bounds check: the kernel assumes a valid CPU number where none was guaranteed. The crash trace places the fault inside power_saving_thread(), the acpi_pad worker that carries out the ACPI power management framework's CPU idling, so the impact falls directly on system power management. The kernel's handling of the busy-CPU mask in its round-robin scheduling becomes unsafe whenever a negative or otherwise invalid CPU identifier reaches it, leading to memory corruption and system instability.

The operational impact extends beyond an isolated crash: in production the kernel panic means an unexpected reboot, interrupted services and possible data loss, which matters most on systems that are expected to run continuously. Affected systems are those whose kernel includes the acpi_pad driver, common on enterprise and server hardware where ACPI power management features are in use. From an attack perspective the flaw is a denial-of-service vector, or potentially a step toward privilege escalation if combined with other kernel-level vulnerabilities. Because the crash happens during normal operation of the ACPI power management subsystem, standard monitoring gives little warning before it occurs. Red Hat Enterprise Linux 8.7 (the crash above is from kernel 4.18.0-425.19.2.el8_7) and similar distributions ship affected kernels, which shows how widespread the issue is across enterprise computing environments.

Mitigation for CVE-2024-49935 is the upstream fix: validate the index before calling cpumask_clear_cpu() in exit_round_robin(), that is, skip the clear when tsk_in_cpu[tsk_index] == -1, the same check that round_robin_cpu() in the same file already performs. VulDB maps the issue to ATT&CK technique T1068 (Exploitation for Privilege Escalation); the added check removes the invalid memory operation that malicious code would have to leverage. System administrators should prioritise kernel updates that carry the patched acpi_pad driver, since it contains the validation that stops the invalid bit index from being processed. Monitoring should be configured to flag kernel crash reports involving memory access violations in ACPI-related modules (in this case an oops in power_saving_thread within acpi_pad, with CR2 pointing well outside the module's data). Organizations should also consider runtime protections such as kernel lockdown and memory protection features like SMEP and SMAP to limit what such vulnerabilities can be turned into. The patch should be tested in a staging environment before rollout to confirm that it resolves the fault without regressing normal system operation.
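To make the summary's root cause and the fix described above concrete, here is an added C example; it is not part of the kernel source or of this VulDB entry. It models the acpi_pad bookkeeping under assumed simplifications (a 64-CPU mask, and checked_clear_bit(), a bounds-checked stand-in for the kernel's clear_bit() that reports an out-of-range index instead of faulting), places the unpatched and patched shapes of exit_round_robin() side by side, and reproduces the faulting address from the oops using the x86 btr addressing rule. The names checked_clear_bit, exit_round_robin_unpatched, exit_round_robin_patched, btr_target_address and setup_crash_scenario are mine; the constants 0xfffc0, 0xffffffffc0740620 and 0xffffffffe0740618 are taken from the crash output above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed simplifications for this model (not the kernel's real sizes):
 * NR_CPUS == 64, so the busy-CPU mask fits in one unsigned long. */
#define NR_CPUS        64
#define BITS_PER_LONG  64

static unsigned long pad_busy_cpus_bits[(NR_CPUS + BITS_PER_LONG - 1) / BITS_PER_LONG];
static int tsk_in_cpu[NR_CPUS];   /* -1 means "this thread holds no CPU" */

/* Bounds-checked stand-in for clear_bit(): 0 on success, -1 if nr lies outside
 * the bitmap. The real x86 clear_bit() performs no such check; it emits
 * `lock btr`, so an out-of-range nr becomes an access outside the array. */
static int checked_clear_bit(unsigned long nr, unsigned long *addr, unsigned long nbits)
{
    if (nr >= nbits)
        return -1;
    addr[nr / BITS_PER_LONG] &= ~(1UL << (nr % BITS_PER_LONG));
    return 0;
}

/* Unpatched shape of exit_round_robin(): clears unconditionally. The 32-bit
 * load of tsk_in_cpu[tsk_index] zero-extends -1 to 0x00000000ffffffff (the
 * RAX value in the oops), which is how 0xffffffff reaches clear_bit(). */
static int exit_round_robin_unpatched(unsigned int tsk_index)
{
    unsigned int cpu = (unsigned int)tsk_in_cpu[tsk_index];
    return checked_clear_bit(cpu, pad_busy_cpus_bits, NR_CPUS);
}

/* Patched shape: clear only when a CPU was actually assigned, then reset the
 * slot to -1, mirroring the check round_robin_cpu() already performs. */
static int exit_round_robin_patched(unsigned int tsk_index)
{
    if (tsk_in_cpu[tsk_index] != -1) {
        unsigned int cpu = (unsigned int)tsk_in_cpu[tsk_index];
        int ret = checked_clear_bit(cpu, pad_busy_cpus_bits, NR_CPUS);
        tsk_in_cpu[tsk_index] = -1;
        return ret;
    }
    return 0;
}

/* Effective address of `btr reg, mem` with a 64-bit memory operand: the CPU
 * selects qword nr/64, i.e. base + (nr/64)*8. With the page's numbers
 * (base 0xffffffffc0740620 == pad_busy_cpus_bits, nr 0xffffffff) this gives
 * the CR2 value from the oops, 0xffffffffe0740618. */
static uint64_t btr_target_address(uint64_t base, uint64_t nr)
{
    return base + (nr / 64) * 8;
}

/* State copied from the crash dump: busy mask 0xfffc0, no thread assigned. */
static void setup_crash_scenario(void)
{
    memset(pad_busy_cpus_bits, 0, sizeof(pad_busy_cpus_bits));
    pad_busy_cpus_bits[0] = 0xfffc0UL;
    for (int i = 0; i < NR_CPUS; i++)
        tsk_in_cpu[i] = -1;
}

int main(void)
{
    setup_crash_scenario();
    printf("unpatched exit_round_robin(14): %d (-1 = out-of-bounds bit index)\n",
           exit_round_robin_unpatched(14));

    setup_crash_scenario();
    printf("patched   exit_round_robin(14): %d, mask still 0x%lx\n",
           exit_round_robin_patched(14), pad_busy_cpus_bits[0]);

    setup_crash_scenario();
    tsk_in_cpu[14] = 6;            /* constructed: pretend thread 14 holds CPU 6 */
    exit_round_robin_patched(14);
    printf("patched with CPU 6 assigned: mask now 0x%lx, slot reset to %d\n",
           pad_busy_cpus_bits[0], tsk_in_cpu[14]);

    printf("btr target for nr=0xffffffff from 0xffffffffc0740620: 0x%llx\n",
           (unsigned long long)btr_target_address(0xffffffffc0740620ULL, 0xffffffffULL));
    return 0;
}
```

The unpatched path reports an out-of-bounds index for the exact state in the dump, the patched path leaves the mask untouched when no CPU was held and clears the right bit when one was, and btr_target_address() shows why CR2 in the oops is 0x20000000 minus 8 bytes past the mask: the hardware scales the unchecked 32-bit index, not the kernel.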

Responsible: Linux
Reservation: 10/21/2024
Disclosure: 10/21/2024
Moderation: accepted
CPE: ready
EPSS: 0.00247
KEV: no
Activities: very low
