CVE-2024-57885

{"id": "CVE-2024-57885", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-01-15T13:15:12.893", "references": [{"url": "https://git.kernel.org/stable/c/64b2d32f22597b2a1dc83ac600b2426588851a97", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/86d946f3f9992aaa12abcfd09f925446c2cd42a2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cddc76b165161a02ff14c4d84d0f5266d9d32b9e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kmemleak: fix sleeping function called from invalid context at print message\n\nAddress a bug in the kernel that triggers a \"sleeping function called from\ninvalid context\" warning when /sys/kernel/debug/kmemleak is printed under\nspecific conditions:\n- CONFIG_PREEMPT_RT=y\n- Set SELinux as the LSM for the system\n- Set kptr_restrict to 1\n- kmemleak buffer contains at least one item\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat\npreempt_count: 1, expected: 0\nRCU nest depth: 2, expected: 2\n6 locks held by cat/136:\n #0: ffff32e64bcbf950 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xb8/0xe30\n #1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, at: kmemleak_seq_start+0x34/0x128\n #3: ffff32e6546b1cd0 (&object->lock){....}-{2:2}, at: kmemleak_seq_show+0x3c/0x1e0\n #4: ffffafe6aa8d8560 (rcu_read_lock){....}-{1:2}, at: has_ns_capability_noaudit+0x8/0x1b0\n #5: ffffafe6aabbc0f8 (notif_lock){+.+.}-{2:2}, at: avc_compute_av+0xc4/0x3d0\nirq event stamp: 136660\nhardirqs last enabled at (136659): [<ffffafe6a80fd7a0>] _raw_spin_unlock_irqrestore+0xa8/0xd8\nhardirqs last disabled at (136660): [<ffffafe6a80fd85c>] _raw_spin_lock_irqsave+0x8c/0xb0\nsoftirqs last enabled at (0): [<ffffafe6a5d50b28>] copy_process+0x11d8/0x3df8\nsoftirqs last disabled at (0): [<0000000000000000>] 0x0\nPreemption disabled at:\n[<ffffafe6a6598a4c>] kmemleak_seq_show+0x3c/0x1e0\nCPU: 1 UID: 0 PID: 136 Comm: cat Tainted: G E 6.11.0-rt7+ #34\nTainted: [E]=UNSIGNED_MODULE\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0xa0/0x128\n show_stack+0x1c/0x30\n dump_stack_lvl+0xe8/0x198\n dump_stack+0x18/0x20\n rt_spin_lock+0x8c/0x1a8\n avc_perm_nonode+0xa0/0x150\n cred_has_capability.isra.0+0x118/0x218\n selinux_capable+0x50/0x80\n security_capable+0x7c/0xd0\n has_ns_capability_noaudit+0x94/0x1b0\n has_capability_noaudit+0x20/0x30\n restricted_pointer+0x21c/0x4b0\n pointer+0x298/0x760\n vsnprintf+0x330/0xf70\n seq_printf+0x178/0x218\n print_unreferenced+0x1a4/0x2d0\n kmemleak_seq_show+0xd0/0x1e0\n seq_read_iter+0x354/0xe30\n seq_read+0x250/0x378\n full_proxy_read+0xd8/0x148\n vfs_read+0x190/0x918\n ksys_read+0xf0/0x1e0\n __arm64_sys_read+0x70/0xa8\n invoke_syscall.constprop.0+0xd4/0x1d8\n el0_svc+0x50/0x158\n el0t_64_sync+0x17c/0x180\n\n%pS and %pK, in the same back trace line, are redundant, and %pS can void\n%pK service in certain contexts.\n\n%pS alone already provides the necessary information, and if it cannot\nresolve the symbol, it falls back to printing the raw address voiding\nthe original intent behind the %pK.\n\nAdditionally, %pK requires a privilege check CAP_SYSLOG enforced through\nthe LSM, which can trigger a \"sleeping function called from invalid\ncontext\" warning under RT_PREEMPT kernels when the check occurs in an\natomic context. This issue may also affect other LSMs.\n\nThis change avoids the unnecessary privilege check and resolves the\nsleeping function warning without any loss of information."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/kmemleak: se corrige la funci\u00f3n inactiva llamada desde un contexto no v\u00e1lido en el mensaje de impresi\u00f3n Se soluciona un error en el kernel que activa una advertencia de \"funci\u00f3n inactiva llamada desde un contexto no v\u00e1lido\" cuando se imprime /sys/kernel/debug/kmemleak en condiciones espec\u00edficas: - CONFIG_PREEMPT_RT=y - Establezca SELinux como el LSM para el sistema - Establezca kptr_restrict en 1 - el b\u00fafer de kmemleak contiene al menos un elemento ERROR: funci\u00f3n inactiva llamada desde un contexto no v\u00e1lido en kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat preempt_count: 1, expected: 0 Profundidad de anidaci\u00f3n de RCU: 2, expected: 2 6 bloqueos mantenidos por cat/136: #0: ffff32e64bcbf950 (&amp;p-&gt;bloqueo){+.+.}-{3:3}, en: seq_read_iter+0xb8/0xe30 #1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, en: kmemleak_seq_start+0x34/0x128 #3: ffff32e6546b1cd0 (&amp;object-&gt;bloqueo){....}-{2:2}, en: kmemleak_seq_show+0x3c/0x1e0 #4: ffffafe6aa8d8560 (rcu_lectura_bloqueo){....}-{1:2}, en: has_ns_capability_noaudit+0x8/0x1b0 #5: ffffafe6aabbc0f8 (notif_bloqueo){+.+.}-{2:2}, en: avc_compute_av+0xc4/0x3d0 marca de evento de irq: 136660 hardirqs habilitados por \u00faltima vez en (136659): [] _raw_spin_unlock_irqrestore+0xa8/0xd8 hardirqs deshabilitados por \u00faltima vez en (136660): [] _raw_spin_lock_irqsave+0x8c/0xb0 softirqs habilitados por \u00faltima vez en (0): [] copy_process+0x11d8/0x3df8 softirqs deshabilitados por \u00faltima vez en (0): [&lt;0000000000000000&gt;] 0x0 Preempci\u00f3n deshabilitada en: [] kmemleak_seq_show+0x3c/0x1e0 CPU: 1 UID: 0 PID: 136 Comm: cat Contaminado: GE 6.11.0-rt7+ #34 Contaminado: [E]=UNSIGNED_MODULE Nombre del hardware: linux,dummy-virt (DT) Rastreo de llamadas: dump_backtrace+0xa0/0x128 show_stack+0x1c/0x30 dump_stack_lvl+0xe8/0x198 dump_stack+0x18/0x20 rt_spin_lock+0x8c/0x1a8 avc_perm_nonode+0xa0/0x150 cred_has_capability.isra.0+0x118/0x218 selinux_capable+0x50/0x80 security_capable+0x7c/0xd0 has_ns_capability_noaudit+0x94/0x1b0 has_capability_noaudit+0x20/0x30 puntero_restringido+0x21c/0x4b0 puntero+0x298/0x760 vsnprintf+0x330/0xf70 seq_printf+0x178/0x218 impresi\u00f3n_sin_referencia+0x1a4/0x2d0 kmemleak_seq_show+0xd0/0x1e0 seq_read_iter+0x354/0xe30 seq_read+0x250/0x378 lectura_proxy_completa+0xd8/0x148 vfs_read+0x190/0x918 ksys_read+0xf0/0x1e0 __arm64_sys_read+0x70/0xa8 %pS y %pK, en la misma l\u00ednea de seguimiento inverso, son redundantes, y %pS puede anular el servicio %pK en ciertos contextos. %pS solo ya proporciona la informaci\u00f3n necesaria, y si no puede resolver el s\u00edmbolo, vuelve a imprimir la direcci\u00f3n sin formato anulando la intenci\u00f3n original detr\u00e1s de %pK. Adem\u00e1s, %pK requiere una verificaci\u00f3n de privilegios CAP_SYSLOG aplicada a trav\u00e9s del LSM, que puede activar una advertencia de \"funci\u00f3n inactiva llamada desde un contexto no v\u00e1lido\" en kernels RT_PREEMPT cuando la verificaci\u00f3n ocurre en un contexto at\u00f3mico. Este problema tambi\u00e9n puede afectar a otros LSM. Este cambio evita la verificaci\u00f3n de privilegios innecesaria y resuelve la advertencia de funci\u00f3n inactiva sin ninguna p\u00e9rdida de informaci\u00f3n."}], "lastModified": "2025-09-26T20:01:05.850", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51E6CFF2-92AA-4936-95AB-2D068168A696", "versionEndExcluding": "6.6.70", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D13AF97-FFED-4B68-906D-CFE38D0B88DD", "versionEndExcluding": "6.12.9", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "034C36A6-C481-41F3-AE9A-D116E5BE6895"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}