Описание
In the Linux kernel, the following vulnerability has been resolved:
block: initialize integrity buffer to zero before writing it to media
Metadata added by bio_integrity_prep is using plain kmalloc, which leads
to random kernel memory being written media. For PI metadata this is
limited to the app tag that isn't used by kernel generated metadata,
but for non-PI metadata the entire buffer leaks kernel memory.
Fix this by adding the __GFP_ZERO flag to allocations for writes.
A flaw was found in the Linux kernel, where it initialized the integrity buffer to zero before writing it to media. Metadata added by bio_integrity_prep uses plain kmalloc, which leads to random kernel memory being written. Protection Information (PI) metadata is limited to the app tag not used by kernel-generated metadata, but for non-PI metadata, the entire buffer leaks kernel memory, potentially exposing sensitive internal kernel data.
Отчет
Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-401: Missing Release of Memory after Effective Lifetime vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. The platform enforces hardening guidelines to apply the most restrictive configurations necessary for operational requirements. Baseline and configuration setting controls ensure secure system and software configurations, while least functionality reduces the attack surface and minimizes the risk of resource exhaustion from memory leaks. The environment employs malicious code protections such as IDS/IPS and antimalware solutions to detect threats and provide real-time visibility into memory usage, helping prevent memory management issues before they lead to system crashes or exhaustion. Event logs are collected and analyzed for correlation, monitoring, alerting, and retention, supporting the detection of abnormal memory usage patterns that may indicate potential leaks. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the risk of input-based denial-of-service (DoS) attacks. Finally, memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are implemented to strengthen defenses against memory allocation vulnerabilities.
Меры по смягчению последствий
Fix this issue by adding the __GFP_ZERO flag to allocations for writes.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Out of support scope | ||
| Red Hat Enterprise Linux 7 | kernel | Out of support scope | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Out of support scope | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2024:8870 | 05.11.2024 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2024:8856 | 05.11.2024 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2024:10939 | 11.12.2024 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2024:8617 | 30.10.2024 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2024:10939 | 11.12.2024 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2024:8617 | 30.10.2024 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.5 Medium
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI metadata the entire buffer leaks kernel memory. Fix this by adding the __GFP_ZERO flag to allocations for writes.
In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI metadata the entire buffer leaks kernel memory. Fix this by adding the __GFP_ZERO flag to allocations for writes.
In the Linux kernel, the following vulnerability has been resolved: b ...
In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI metadata the entire buffer leaks kernel memory. Fix this by adding the __GFP_ZERO flag to allocations for writes.
EPSS
5.5 Medium
CVSS3