CVE-2024-57890

MEDIUM EPSS 10.8%
Published Jan 15, 20251y ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jan 15, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Prevent integer overflow issue In the expression "cmd.wqe_size * cmd.wr_count", both variables are u32 values that come from the user so the multiplication can lead to integer wrapping. Then we pass the result to uverbs_request_next_ptr() which also could potentially wrap. The "cmd.sge_count * sizeof(struct ib_uverbs_sge)" multiplication can also overflow on 32bit systems although it's fine on 64bit systems. This patch does two things. First, I've re-arranged the condition in uverbs_request_next_ptr() so that the use controlled variable "len" is on one side of the comparison by itself without any math. Then I've modified all the callers to use size_mul() for the multiplications.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
10.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-190 Integer Overflow or Wraparound Numeric Error

Affected Products 11

VendorProductVersionRange
linuxlinux_kernel*≥2.6.15  –  <5.4.289
linuxlinux_kernel*≥5.5  –  <5.10.233
linuxlinux_kernel*≥5.11  –  <5.15.176
linuxlinux_kernel*≥5.16  –  <6.1.124
linuxlinux_kernel*≥6.2  –  <6.6.70
linuxlinux_kernel*≥6.7  –  <6.12.9
linuxlinux_kernel6.13any
linuxlinux_kernel6.13any
linuxlinux_kernel6.13any
linuxlinux_kernel6.13any
linuxlinux_kernel6.13any

References 9

  • git.kernel.org https://git.kernel.org/stable/c/346db03e9926ab7117ed9bf19665699c037c773c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/42a6eb4ed7a9a41ba0b83eb0c7e0225b5fca5608
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b3ef4ae713360501182695dd47d6b4f6e1a43eb8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b92667f755749cf10d9ef1088865c555ae83ffb7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c2f961c46ea0e5274c5c320d007c2dd949cf627a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c57721b24bd897338a81a0ca5fff41600f0f1ad1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d0257e089d1bbd35c69b6c97ff73e3690ab149a9
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/346db03e9926ab7117ed9bf19665699c037c773c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/42a6eb4ed7a9a41ba0b83eb0c7e0225b5fca5608
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b3ef4ae713360501182695dd47d6b4f6e1a43eb8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b92667f755749cf10d9ef1088865c555ae83ffb7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c2f961c46ea0e5274c5c320d007c2dd949cf627a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c57721b24bd897338a81a0ca5fff41600f0f1ad1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d0257e089d1bbd35c69b6c97ff73e3690ab149a9
    Patch