Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-39371— io_uring: check for non-NULL file pointer in io_file_can_poll()

EPSS 0.04% · P11
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-39371

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
io_uring: check for non-NULL file pointer in io_file_can_poll()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: io_uring: check for non-NULL file pointer in io_file_can_poll() In earlier kernels, it was possible to trigger a NULL pointer dereference off the forced async preparation path, if no file had been assigned. The trace leading to that looks as follows: BUG: kernel NULL pointer dereference, address: 00000000000000b0 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022 RIP: 0010:io_buffer_select+0xc3/0x210 Code: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b RSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246 RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040 RDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700 RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020 R10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8 R13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000 FS: 00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0 Call Trace: <TASK> ? __die+0x1f/0x60 ? page_fault_oops+0x14d/0x420 ? do_user_addr_fault+0x61/0x6a0 ? exc_page_fault+0x6c/0x150 ? asm_exc_page_fault+0x22/0x30 ? io_buffer_select+0xc3/0x210 __io_import_iovec+0xb5/0x120 io_readv_prep_async+0x36/0x70 io_queue_sqe_fallback+0x20/0x260 io_submit_sqes+0x314/0x630 __do_sys_io_uring_enter+0x339/0xbc0 ? __do_sys_io_uring_register+0x11b/0xc50 ? vm_mmap_pgoff+0xce/0x160 do_syscall_64+0x5f/0x180 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0x55e0a110a67e Code: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6 because the request is marked forced ASYNC and has a bad file fd, and hence takes the forced async prep path. Current kernels with the request async prep cleaned up can no longer hit this issue, but for ease of backporting, let's add this safety check in here too as it really doesn't hurt. For both cases, this will inevitably end with a CQE posted with -EBADF.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于空指针取消引用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux a76c0b31eef50fdb8b21d53a6d050f59241fb88e ~ c2844d5e58576c55d8e8d4a9f74902d3f7be8044 -
LinuxLinux 5.19 -

II. Public POCs for CVE-2024-39371

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-39371

登录查看更多情报信息。

Same Patch Batch · Linux · 2024-06-25 · 24 CVEs total

CVE-2024-39301net/9p: fix uninit-value in p9_client_rpc()
CVE-2024-39471drm/amdgpu: add error handle to avoid out-of-bounds
CVE-2024-39469nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors
CVE-2024-39470eventfs: Fix a possible null pointer dereference in eventfs_find_events()
CVE-2024-39468smb: client: fix deadlock in smb2_find_smb_tcon()
CVE-2024-39467f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
CVE-2024-39466thermal/drivers/qcom/lmh: Check for SCM availability at probe
CVE-2024-39464media: v4l: async: Fix notifier list entry init
CVE-2024-39465media: mgb4: Fix double debugfs remove
CVE-2024-394639p: add missing locking around taking dentry fid list
CVE-2024-39462clk: bcm: dvp: Assign ->num before accessing ->hws
CVE-2024-39461clk: bcm: rpi: Assign ->num before accessing ->hws
CVE-2021-4440x86/xen: Drop USERGS_SYSRET64 paravirt call
CVE-2024-39298mm/memory-failure: fix handling of dissolved but not taken off from buddy pages
CVE-2024-39296bonding: fix oops during rmmod
CVE-2024-39293Revert "xsk: Support redirect to any socket bound to the same umem"
CVE-2024-39276ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
CVE-2024-38661s390/ap: Fix crash in AP internal function modify_bitmap()
CVE-2024-38385genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after()
CVE-2024-38306btrfs: protect folio::private when attaching extent buffer folios

Showing top 20 of 24 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2024-39371

No comments yet

Leave a comment