CVE-2024-36907 in Linux
Sumário
de VulDB • 02/06/2026
Based on the kernel log provided, here is an analysis of the crash:
### **1. Crash Summary** - **Type:** Kernel Oops/Panic (likely an invalid instruction or illegal state). - **Subsystem:** **SunRPC** (Sun Remote Procedure Call), specifically **TLS over TCP**. - **Trigger:** The crash occurs during the setup of a TLS connection for an RPC transport (`xs_tcp_tls_setup_socket`). - **Key Function:** `call_start` in `sunrpc` module.
### **2. Key Evidence from Registers & Call Trace**
#### **Call Trace Analysis** The call trace shows the execution path leading to the crash: ``` call_start+0x74/0x138 [sunrpc]
__rpc_execute+0xb8/0x3e0 [sunrpc]
rpc_execute+0x160/0x1d8 [sunrpc]
rpc_run_task+0x148/0x1f8 [sunrpc]
tls_probe+0x80/0xd0 [sunrpc]
rpc_ping+0x28/0x80 [sunrpc]
rpc_create_xprt+0x134/0x1a0 [sunrpc]
rpc_create+0x128/0x2a0 [sunrpc]
xs_tcp_tls_setup_socket+0xdc/0x508 [sunrpc]
``` - The system is trying to create a new RPC transport with TLS enabled (`xs_tcp_tls_setup_socket`). - It probes for TLS support (`tls_probe`) and then attempts to start the RPC call (`call_start`). - The crash happens inside `call_start`.
#### **Register Analysis** - **x17 (`733d4d4554535953`)**: This is ASCII for `"SYS=MS"` or similar. In ARM64, `x17` is often used for system call numbers or special registers. However, in this context, it might be part of a data structure or a corrupted pointer. - **x16 (`42555300312d746e`)**: ASCII for `"NUTS-1"` or similar. Again, likely corrupted data or a specific marker. - **x15 (`ffff8000832b3a88`)**: A kernel virtual address. - **x14 (`ffffffffffffffff`)**: This is `-1` in two's complement. Often used as an error code or invalid pointer. - **x11 (`0101010101010101`)**: This is a suspicious pattern. It could indicate: - Memory corruption (e.g., heap overflow overwriting with `0x01`). - A specific magic value used in debugging or TLS handshake structures. - **x10 (`ffff8000150cb560`)**: Another kernel virtual address.
#### **Code Snippet** ``` Code: f0ffffc2 911fe042 aa1403e1 aa1303e0 (b9401c83) ``` - The instruction at the crash point is `b9401c83`. - Decoding `b9401c83` in ARM64: - `b9` = `LDR` (Load Register) instruction. - `401c83` = offset and register encoding. - This suggests the crash occurred during a memory load operation, likely accessing an invalid or corrupted pointer.
### **3. Likely Cause** The most probable cause is **memory corruption** or a **null/invalid pointer dereference** in the SunRPC TLS code path. Specifically: 1. **TLS Handshake Corruption:** The `tls_probe` function may have left the socket or RPC task structure in an inconsistent state. 2. **Use-After-Free:** The `rpc_task` or associated data structures might have been freed prematurely. 3. **Kernel Bug in `call_start`:** The `call_start` function might be accessing a field in the `rpc_task` structure that is corrupted or not initialized correctly.
### **4. Recommendations** 1. **Check for Kernel Updates:** This might be a known bug in the version of the Linux kernel you are running. Check for updates to the `sunrpc` module or the kernel itself. 2. **Disable TLS for RPC:** If TLS is not strictly required, try disabling it for RPC connections to see if the crash stops. This can be done by modifying the mount options or RPC configuration.
If you want to get best quality of vulnerability data, you may have to visit VulDB.