CVE-2024-35878

In the Linux kernel, the following vulnerability has been resolved: of: module: prevent NULL pointer dereference in vsnprintf() In of_modalias(), we can get passed the str and len parameters which would cause a kernel oops in vsnprintf() since it only allows passing a NULL ptr when the length is also 0. Also, we need to filter out the negative values of the len parameter as these will result in a really huge buffer since snprintf() takes size_t parameter while ours is ssize_t... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898	Patch
https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987	Patch
https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b	Patch
https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898	Patch
https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987	Patch
https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.9:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.9:rc2::::::

History

No history.

Information

Published : 2024-05-19 09:15

Updated : 2025-04-07 18:57

NVD link : CVE-2024-35878

Mitre link : CVE-2024-35878

CVE.ORG link : CVE-2024-35878

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2024-35878", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-05-19T09:15:09.090", "references": [{"url": "https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: prevent NULL pointer dereference in vsnprintf()\n\nIn of_modalias(), we can get passed the str and len parameters which would\ncause a kernel oops in vsnprintf() since it only allows passing a NULL ptr\nwhen the length is also 0. Also, we need to filter out the negative values\nof the len parameter as these will result in a really huge buffer since\nsnprintf() takes size_t parameter while ours is ssize_t...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: de: m\u00f3dulo: evita la desreferencia del puntero NULL en vsnprintf() En of_modalias(), podemos pasar los par\u00e1metros str y len que provocar\u00edan un kernel ups en vsnprintf() ya que solo permite pasar un ptr NULL cuando la longitud tambi\u00e9n es 0. Adem\u00e1s, necesitamos filtrar los valores negativos del par\u00e1metro len ya que estos dar\u00e1n como resultado un b\u00fafer realmente enorme ya que snprintf() toma el par\u00e1metro size_t mientras que el nuestro es ssize_t... Encontrado por el Centro de verificaci\u00f3n de Linux (linuxtesting.org) con la herramienta de an\u00e1lisis est\u00e1tico Svace."}], "lastModified": "2025-04-07T18:57:06.917", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCC3C07F-B627-4030-9143-1DA48BBDB64D", "versionEndExcluding": "6.6.26"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBD6C99E-4250-4DFE-8447-FF2075939D10", "versionEndExcluding": "6.8.5", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}