CVE-2024-44981

EUVD-2024-41183

04.09.2024, 20:15

In the Linux kernel, the following vulnerability has been resolved:

workqueue: Fix UBSAN 'subtraction overflow' error in shift_and_mask()

UBSAN reports the following 'subtraction overflow' error when booting
in a virtual machine on Android:

 | Internal error: UBSAN: integer subtraction overflow: 00000000f2005515 [#1] PREEMPT SMP
 | Modules linked in:
 | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-00006-g3cbe9e5abd46-dirty #4
 | Hardware name: linux,dummy-virt (DT)
 | pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 | pc : cancel_delayed_work+0x34/0x44
 | lr : cancel_delayed_work+0x2c/0x44
 | sp : ffff80008002ba60
 | x29: ffff80008002ba60 x28: 0000000000000000 x27: 0000000000000000
 | x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
 | x23: 0000000000000000 x22: 0000000000000000 x21: ffff1f65014cd3c0
 | x20: ffffc0e84c9d0da0 x19: ffffc0e84cab3558 x18: ffff800080009058
 | x17: 00000000247ee1f8 x16: 00000000247ee1f8 x15: 00000000bdcb279d
 | x14: 0000000000000001 x13: 0000000000000075 x12: 00000a0000000000
 | x11: ffff1f6501499018 x10: 00984901651fffff x9 : ffff5e7cc35af000
 | x8 : 0000000000000001 x7 : 3d4d455453595342 x6 : 000000004e514553
 | x5 : ffff1f6501499265 x4 : ffff1f650ff60b10 x3 : 0000000000000620
 | x2 : ffff80008002ba78 x1 : 0000000000000000 x0 : 0000000000000000
 | Call trace:
 |  cancel_delayed_work+0x34/0x44
 |  deferred_probe_extend_timeout+0x20/0x70
 |  driver_register+0xa8/0x110
 |  __platform_driver_register+0x28/0x3c
 |  syscon_init+0x24/0x38
 |  do_one_initcall+0xe4/0x338
 |  do_initcall_level+0xac/0x178
 |  do_initcalls+0x5c/0xa0
 |  do_basic_setup+0x20/0x30
 |  kernel_init_freeable+0x8c/0xf8
 |  kernel_init+0x28/0x1b4
 |  ret_from_fork+0x10/0x20
 | Code: f9000fbf 97fffa2f 39400268 37100048 (d42aa2a0)
 | ---[ end trace 0000000000000000 ]---
 | Kernel panic - not syncing: UBSAN: integer subtraction overflow: Fatal exception

This is due to shift_and_mask() using a signed immediate to construct
the mask and being called with a shift of 31 (WORK_OFFQ_POOL_SHIFT) so
that it ends up decrementing from INT_MIN.

Use an unsigned constant '1U' to generate the mask in shift_and_mask().

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	6.10 ≤ 𝑥 < 6.10.7
linux	linux_kernel	6.11:rc1
linux	linux_kernel	6.11:rc2
linux	linux_kernel	6.11:rc3
linux	linux_kernel	6.11:rc4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.148-1 not-affected
bookworm (security)	6.1.158-1 fixed
bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.247-1 fixed
forky	6.17.13-1 fixed
sid	6.17.13-1 fixed
trixie	6.12.57-1 fixed
trixie (security)	6.12.48-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux-hwe

bionic	ignored
focal	dne
jammy	dne
noble	dne
xenial	not-affected

linux-hwe-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-hwe-5.8

focal	ignored
jammy	dne
noble	dne

linux-hwe-5.11

focal	ignored
jammy	dne
noble	dne

linux-hwe-5.13

focal	ignored
jammy	dne
noble	dne

linux-hwe-5.15

focal	not-affected
jammy	dne
noble	dne

linux-hwe-5.19

focal	dne
jammy	ignored
noble	dne

linux-hwe-6.2

focal	dne
jammy	ignored
noble	dne

linux-hwe-6.5

focal	dne
jammy	ignored
noble	dne

linux-hwe-6.8

focal	dne
jammy	not-affected
noble	dne

linux-hwe-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne
xenial	ignored

linux-lts-xenial

focal	dne
jammy	dne
noble	dne
trusty	not-affected

linux-kvm

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
xenial	not-affected

linux-allwinner-5.19

focal	dne
jammy	ignored
noble	dne

linux-aws-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-aws-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-aws-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-aws-5.8

focal	ignored
jammy	dne
noble	dne

linux-aws-5.11

focal	ignored
jammy	dne
noble	dne

linux-aws-5.13

focal	ignored
jammy	dne
noble	dne

linux-aws-5.15

focal	not-affected
jammy	dne
noble	dne

linux-aws-5.19

focal	dne
jammy	ignored
noble	dne

linux-aws-6.2

focal	dne
jammy	ignored
noble	dne

linux-aws-6.5

focal	dne
jammy	ignored
noble	dne

linux-aws-hwe

focal	dne
jammy	dne
noble	dne
xenial	not-affected

linux-azure

bionic	ignored
focal	not-affected
jammy	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-azure-4.15

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-azure-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-azure-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-azure-5.8

focal	ignored
jammy	dne
noble	dne

linux-azure-5.11

focal	ignored
jammy	dne
noble	dne

linux-azure-5.13

focal	ignored
jammy	dne
noble	dne

linux-azure-5.15

focal	not-affected
jammy	dne
noble	dne

linux-azure-5.19

focal	dne
jammy	ignored
noble	dne

linux-azure-6.2

focal	dne
jammy	ignored
noble	dne

linux-azure-6.5

focal	dne
jammy	ignored
noble	dne

linux-azure-fde

focal	ignored
jammy	not-affected
noble	not-affected

linux-azure-fde-5.15

focal	not-affected
jammy	dne
noble	dne

linux-azure-fde-5.19

focal	dne
jammy	ignored
noble	dne

linux-azure-fde-6.2

focal	dne
jammy	ignored
noble	dne

linux-bluefield

focal	not-affected
jammy	dne
noble	dne

linux-azure-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
xenial	not-affected

linux-aws-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne

linux-azure-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne

linux-gcp-fips

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne

linux-gcp

bionic	ignored
focal	not-affected
jammy	not-affected
noble	not-affected
xenial	not-affected

linux-gcp-4.15

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-gcp-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gcp-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-gcp-5.8

focal	ignored
jammy	dne
noble	dne

linux-gcp-5.11

focal	ignored
jammy	dne
noble	dne

linux-gcp-5.13

focal	ignored
jammy	dne
noble	dne

linux-gcp-5.15

focal	not-affected
jammy	dne
noble	dne

linux-gcp-5.19

focal	dne
jammy	ignored
noble	dne

linux-gcp-6.2

focal	dne
jammy	ignored
noble	dne

linux-gcp-6.5

focal	dne
jammy	ignored
noble	dne

linux-gke

focal	ignored
jammy	not-affected
noble	not-affected

linux-gke-4.15

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gke-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gke-5.15

focal	ignored
jammy	dne
noble	dne

linux-gkeop-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gkeop-5.15

focal	not-affected
jammy	dne
noble	dne

linux-gkeop

focal	not-affected
jammy	not-affected
noble	not-affected

linux-ibm-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-ibm-5.15

focal	not-affected
jammy	dne
noble	dne

linux-intel-5.13

focal	ignored
jammy	dne
noble	dne

linux-intel-iotg

focal	dne
jammy	not-affected
noble	dne

linux-intel-iotg-5.15

focal	not-affected
jammy	dne
noble	dne

linux-iot

focal	not-affected
jammy	dne
noble	dne

linux-intel-iot-realtime

focal	dne
jammy	not-affected
noble	dne

linux-lowlatency

focal	dne
jammy	not-affected
noble	not-affected

linux-lowlatency-hwe-5.15

focal	not-affected
jammy	dne
noble	dne

linux-lowlatency-hwe-5.19

focal	dne
jammy	ignored
noble	dne

linux-lowlatency-hwe-6.2

focal	dne
jammy	ignored
noble	dne

linux-lowlatency-hwe-6.5

focal	dne
jammy	ignored
noble	dne

linux-lowlatency-hwe-6.8

focal	dne
jammy	not-affected
noble	dne

linux-nvidia

focal	dne
jammy	not-affected
noble	not-affected

linux-nvidia-6.2

focal	dne
jammy	ignored
noble	dne

linux-nvidia-6.5

focal	dne
jammy	not-affected
noble	dne

linux-nvidia-6.8

focal	dne
jammy	not-affected
noble	dne

linux-nvidia-lowlatency

focal	dne
jammy	dne
noble	not-affected

linux-oracle-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-oracle-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-oracle-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-oracle-5.8

focal	ignored
jammy	dne
noble	dne

linux-oracle-5.11

focal	ignored
jammy	dne
noble	dne

linux-oracle-5.13

focal	ignored
jammy	dne
noble	dne

linux-oracle-5.15

focal	not-affected
jammy	dne
noble	dne

linux-oracle-6.5

focal	dne
jammy	ignored
noble	dne

linux-oem

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-oem-5.6

focal	ignored
jammy	dne
noble	dne

linux-oem-5.10

focal	ignored
jammy	dne
noble	dne

linux-oem-5.13

focal	ignored
jammy	dne
noble	dne

linux-oem-5.14

focal	ignored
jammy	dne
noble	dne

linux-oem-5.17

focal	dne
jammy	ignored
noble	dne

linux-oem-6.0

focal	dne
jammy	ignored
noble	dne

linux-oem-6.1

focal	dne
jammy	ignored
noble	dne

linux-oem-6.5

focal	dne
jammy	ignored
noble	dne

linux-oem-6.8

focal	dne
jammy	dne
noble	not-affected

linux-raspi2

focal	ignored
jammy	dne
noble	dne

linux-raspi-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-raspi-realtime

focal	dne
jammy	dne
noble	not-affected

linux-realtime

focal	dne
jammy	not-affected
noble	not-affected

linux-riscv

focal	ignored
jammy	ignored
noble	not-affected

linux-riscv-5.8

focal	ignored
jammy	dne
noble	dne

linux-riscv-5.11

focal	ignored
jammy	dne
noble	dne

linux-riscv-5.15

focal	not-affected
jammy	dne
noble	dne

linux-riscv-5.19

focal	dne
jammy	ignored
noble	dne

linux-riscv-6.5

focal	dne
jammy	ignored
noble	dne

linux-riscv-6.8

focal	dne
jammy	not-affected
noble	dne

linux-starfive-5.19

focal	dne
jammy	ignored
noble	dne

linux-starfive-6.2

focal	dne
jammy	ignored
noble	dne

linux-starfive-6.5

focal	dne
jammy	ignored
noble	dne

linux-xilinx-zynqmp

focal	not-affected
jammy	not-affected
noble	dne

linux

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-aws

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-ibm

focal	not-affected
jammy	not-affected
noble	not-affected

linux-oracle

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
xenial	not-affected

linux-raspi

focal	not-affected
jammy	not-affected
noble	not-affected

linux-intel

bionic	dne
focal	dne
jammy	dne
noble	not-affected
trusty	dne
xenial	dne

Common Weakness Enumeration

CWE-190 - Integer Overflow or Wraparound
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

References

https://git.kernel.org/stable/c/38f7e14519d39cf524ddc02d4caee9b337dad703

https://git.kernel.org/stable/c/90a6a844b2d9927d192758438a4ada33d8cd9de5