CVE-2024-39301— net/9p: fix uninit-value in p9_client_rpc()
Affected Version Matrix 18
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 348b59012e5c6402741d067cf6eeeb6271999d06< 72c5d8e416ecc46af370a1340b3db5ff0b0cc867 | affected |
348b59012e5c6402741d067cf6eeeb6271999d06< 2101901dd58c6da4924bc5efb217a1d83436290b | affected | ||
348b59012e5c6402741d067cf6eeeb6271999d06< 124947855564572713d705a13be7d0c9dae16a17 | affected | ||
348b59012e5c6402741d067cf6eeeb6271999d06< 89969ffbeb948ffc159d19252e7469490103011b | affected | ||
348b59012e5c6402741d067cf6eeeb6271999d06< ca71f204711ad24113e8b344dc5bb8b0385f5672 | affected | ||
348b59012e5c6402741d067cf6eeeb6271999d06< 6c1791130b781c843572fb6391c4a4c5d857ab17 | affected | ||
348b59012e5c6402741d067cf6eeeb6271999d06< fe5c604053c36c62af24eee8a76407d026ea5163 | affected | ||
348b59012e5c6402741d067cf6eeeb6271999d06< 25460d6f39024cc3b8241b14c7ccf0d6f11a736a | affected | ||
| … +10 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-39301
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
net/9p: fix uninit-value in p9_client_rpc()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net/9p: fix uninit-value in p9_client_rpc() Syzbot with the help of KMSAN reported the following error: BUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline] BUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 trace_9p_client_res include/trace/events/9p.h:146 [inline] p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page mm/slub.c:2175 [inline] allocate_slab mm/slub.c:2338 [inline] new_slab+0x2de/0x1400 mm/slub.c:2391 ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525 __slab_alloc mm/slub.c:3610 [inline] __slab_alloc_node mm/slub.c:3663 [inline] slab_alloc_node mm/slub.c:3835 [inline] kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852 p9_tag_alloc net/9p/client.c:278 [inline] p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641 p9_client_rpc+0x27e/0x1340 net/9p/client.c:688 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 If p9_check_errors() fails early in p9_client_rpc(), req->rc.tag will not be properly initialized. However, trace_9p_client_res() ends up trying to print it out anyway before p9_client_rpc() finishes. Fix this issue by assigning default values to p9_fcall fields such as 'tag' and (just in case KMSAN unearths something new) 'id' during the tag allocation stage.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于p9_check_errors() 在 p9_client_rpc() 中提前失败,req->rc.tag 将无法正确初始化。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-39301
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-39301
请登录查看更多情报信息。
Other References for CVE-2024-39301 (8)
Same Patch Batch · Linux · 2024-06-25 · 24 CVEs total
| CVE-2024-39371 | io_uring: check for non-NULL file pointer in io_file_can_poll() | |
| CVE-2024-39471 | drm/amdgpu: add error handle to avoid out-of-bounds | |
| CVE-2024-39469 | nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors | |
| CVE-2024-39470 | eventfs: Fix a possible null pointer dereference in eventfs_find_events() | |
| CVE-2024-39468 | smb: client: fix deadlock in smb2_find_smb_tcon() | |
| CVE-2024-39467 | f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() | |
| CVE-2024-39466 | thermal/drivers/qcom/lmh: Check for SCM availability at probe | |
| CVE-2024-39464 | media: v4l: async: Fix notifier list entry init | |
| CVE-2024-39465 | media: mgb4: Fix double debugfs remove | |
| CVE-2024-39463 | 9p: add missing locking around taking dentry fid list | |
| CVE-2024-39462 | clk: bcm: dvp: Assign ->num before accessing ->hws | |
| CVE-2024-39461 | clk: bcm: rpi: Assign ->num before accessing ->hws | |
| CVE-2021-4440 | x86/xen: Drop USERGS_SYSRET64 paravirt call | |
| CVE-2024-39298 | mm/memory-failure: fix handling of dissolved but not taken off from buddy pages | |
| CVE-2024-39296 | bonding: fix oops during rmmod | |
| CVE-2024-39293 | Revert "xsk: Support redirect to any socket bound to the same umem" | |
| CVE-2024-39276 | ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() | |
| CVE-2024-38661 | s390/ap: Fix crash in AP internal function modify_bitmap() | |
| CVE-2024-38385 | genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after() | |
| CVE-2024-38306 | btrfs: protect folio::private when attaching extent buffer folios |
Showing top 20 of 24 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-trans - CVE-2026-43502
net/rds: handle zerocopy send cleanup before the message is - CVE-2026-43501
ipv6: rpl: reserve mac_len headroom when recompressed SRH gr - CVE-2026-43498
accel/ivpu: Disallow re-exporting imported GEM objects
Same vendor: Linux
- CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-trans - CVE-2026-43502
net/rds: handle zerocopy send cleanup before the message is - CVE-2026-43501
ipv6: rpl: reserve mac_len headroom when recompressed SRH gr - CVE-2026-43498
accel/ivpu: Disallow re-exporting imported GEM objects
V. Comments for CVE-2024-39301
No comments yet