CVE-2024-44964— idpf: fix memory leaks and crashes while performing a soft reset
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-44964
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
idpf: fix memory leaks and crashes while performing a soft reset
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leaks and crashes while performing a soft reset The second tagged commit introduced a UAF, as it removed restoring q_vector->vport pointers after reinitializating the structures. This is due to that all queue allocation functions are performed here with the new temporary vport structure and those functions rewrite the backpointers to the vport. Then, this new struct is freed and the pointers start leading to nowhere. But generally speaking, the current logic is very fragile. It claims to be more reliable when the system is low on memory, but in fact, it consumes two times more memory as at the moment of running this function, there are two vports allocated with their queues and vectors. Moreover, it claims to prevent the driver from running into "bad state", but in fact, any error during the rebuild leaves the old vport in the partially allocated state. Finally, if the interface is down when the function is called, it always allocates a new queue set, but when the user decides to enable the interface later on, vport_open() allocates them once again, IOW there's a clear memory leak here. Just don't allocate a new queue set when performing a reset, that solves crashes and memory leaks. Readd the old queue number and reopen the interface on rollback - that solves limbo states when the device is left disabled and/or without HW queues enabled.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于idpf组件在执行软重置时存在内存泄漏和崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-44964
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-44964
请登录查看更多情报信息。
Same Patch Batch · Linux · 2024-09-04 · 58 CVEs total
| CVE-2024-44991 | tcp: prevent concurrent execution of tcp_sk_exit_batch | |
| CVE-2024-45002 | rtla/osnoise: Prevent NULL dereference in error handling | |
| CVE-2024-45006 | xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration | |
| CVE-2024-45004 | KEYS: trusted: dcp: fix leak of blob encryption key | |
| CVE-2024-45003 | vfs: Don't evict inode under the inode lru traversing context | |
| CVE-2024-45005 | KVM: s390: fix validity interception issue when gisa is switched off | |
| CVE-2024-44994 | iommu: Restore lost return in iommu_report_device_fault() | |
| CVE-2024-44993 | drm/v3d: Fix out-of-bounds read in `v3d_csd_job_run()` | |
| CVE-2024-44992 | smb/client: avoid possible NULL dereference in cifs_free_subrequest() | |
| CVE-2024-44990 | bonding: fix null pointer deref in bond_ipsec_offload_ok | |
| CVE-2024-44995 | net: hns3: fix a deadlock problem when config TC during resetting | |
| CVE-2024-44989 | bonding: fix xfrm real_dev null pointer dereference | |
| CVE-2024-44988 | net: dsa: mv88e6xxx: Fix out-of-bound access | |
| CVE-2024-44987 | ipv6: prevent UAF in ip6_send_skb() | |
| CVE-2024-44986 | ipv6: fix possible UAF in ip6_finish_output2() | |
| CVE-2024-44985 | ipv6: prevent possible UAF in ip6_xmit() | |
| CVE-2024-44983 | netfilter: flowtable: validate vlan header | |
| CVE-2024-44984 | bnxt_en: Fix double DMA unmapping for XDP_REDIRECT | |
| CVE-2024-44982 | drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails | |
| CVE-2024-44981 | workqueue: Fix UBSAN 'subtraction overflow' error in shift_and_mask() |
Showing top 20 of 58 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2024-44964
No comments yet