CVE-2024-36018 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: nouveau/uvmm: fix addr/range calcs for remap operations dEQP-VK.sparse_resources.image_rebind.2d_array.r64i.128_128_8 was causing a remap operation like the below. op_remap: prev: 0000003fffed0000 00000000000f0000 00000000a5abd18a 0000000000000000 op_remap: next: op_remap: unmap: 0000003fffed0000 0000000000100000 0 op_map: map: 0000003ffffc0000 0000000000010000 000000005b1ba33c 00000000000e0000 This was resulting in an unmap operation from 0x3fffed0000+0xf0000, 0x100000 which was corrupting the pagetables and oopsing the kernel. Fixes the prev + unmap range calcs to use start/end and map back to addr/range.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/0c16020d2b69a602c8ae6a1dd2aac9a3023249d6
https://git.kernel.org/stable/c/692a51bebf4552bdf0a79ccd68d291182a26a569
https://git.kernel.org/stable/c/be141849ec00ef39935bf169c0f194ac70bf85ce
https://lore.kernel.org/linux-cve-announce/2024053040-CVE-2024-36018-d6b8@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-36018
https://www.cve.org/CVERecord?id=CVE-2024-36018

History

Wed, 06 Nov 2024 08:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-30T14:59:42.091Z

Updated: 2024-12-19T09:00:37.356Z

Reserved: 2024-05-17T13:50:33.155Z

Link: CVE-2024-36018

Vulnrichment

Updated: 2024-08-02T03:30:12.600Z

NVD

Status : Awaiting Analysis

Published: 2024-05-30T15:15:48.950

Modified: 2024-11-21T09:21:26.853

Link: CVE-2024-36018

Redhat

Severity : Low

Publid Date: 2024-05-30T00:00:00Z

Links: CVE-2024-36018 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36018", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-17T13:50:33.155Z", "datePublished": "2024-05-30T14:59:42.091Z", "dateUpdated": "2024-12-19T09:00:37.356Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:00:37.356Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/uvmm: fix addr/range calcs for remap operations\n\ndEQP-VK.sparse_resources.image_rebind.2d_array.r64i.128_128_8\nwas causing a remap operation like the below.\n\nop_remap: prev: 0000003fffed0000 00000000000f0000 00000000a5abd18a 0000000000000000\nop_remap: next:\nop_remap: unmap: 0000003fffed0000 0000000000100000 0\nop_map: map: 0000003ffffc0000 0000000000010000 000000005b1ba33c 00000000000e0000\n\nThis was resulting in an unmap operation from 0x3fffed0000+0xf0000, 0x100000\nwhich was corrupting the pagetables and oopsing the kernel.\n\nFixes the prev + unmap range calcs to use start/end and map back to addr/range."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/nouveau/nouveau_uvmm.c"], "versions": [{"version": "b88baab828713ce0b49b185444b2ee83bed373a8", "lessThan": "692a51bebf4552bdf0a79ccd68d291182a26a569", "status": "affected", "versionType": "git"}, {"version": "b88baab828713ce0b49b185444b2ee83bed373a8", "lessThan": "0c16020d2b69a602c8ae6a1dd2aac9a3023249d6", "status": "affected", "versionType": "git"}, {"version": "b88baab828713ce0b49b185444b2ee83bed373a8", "lessThan": "be141849ec00ef39935bf169c0f194ac70bf85ce", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/nouveau/nouveau_uvmm.c"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.26", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.5", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/692a51bebf4552bdf0a79ccd68d291182a26a569"}, {"url": "https://git.kernel.org/stable/c/0c16020d2b69a602c8ae6a1dd2aac9a3023249d6"}, {"url": "https://git.kernel.org/stable/c/be141849ec00ef39935bf169c0f194ac70bf85ce"}], "title": "nouveau/uvmm: fix addr/range calcs for remap operations", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T18:34:51.763969Z", "id": "CVE-2024-36018", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T18:35:02.091Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:12.600Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/692a51bebf4552bdf0a79ccd68d291182a26a569", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0c16020d2b69a602c8ae6a1dd2aac9a3023249d6", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/be141849ec00ef39935bf169c0f194ac70bf85ce", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/692a51bebf4552bdf0a79ccd68d291182a26a569", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0c16020d2b69a602c8ae6a1dd2aac9a3023249d6", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/be141849ec00ef39935bf169c0f194ac70bf85ce", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:12.600Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36018", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-06T18:34:51.763969Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T18:34:57.767Z"}}], "cna": {"title": "nouveau/uvmm: fix addr/range calcs for remap operations", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "b88baab828713ce0b49b185444b2ee83bed373a8", "lessThan": "692a51bebf4552bdf0a79ccd68d291182a26a569", "versionType": "git"}, {"status": "affected", "version": "b88baab828713ce0b49b185444b2ee83bed373a8", "lessThan": "0c16020d2b69a602c8ae6a1dd2aac9a3023249d6", "versionType": "git"}, {"status": "affected", "version": "b88baab828713ce0b49b185444b2ee83bed373a8", "lessThan": "be141849ec00ef39935bf169c0f194ac70bf85ce", "versionType": "git"}], "programFiles": ["drivers/gpu/drm/nouveau/nouveau_uvmm.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.6"}, {"status": "unaffected", "version": "0", "lessThan": "6.6", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.26", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.5", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/gpu/drm/nouveau/nouveau_uvmm.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/692a51bebf4552bdf0a79ccd68d291182a26a569"}, {"url": "https://git.kernel.org/stable/c/0c16020d2b69a602c8ae6a1dd2aac9a3023249d6"}, {"url": "https://git.kernel.org/stable/c/be141849ec00ef39935bf169c0f194ac70bf85ce"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/uvmm: fix addr/range calcs for remap operations\n\ndEQP-VK.sparse_resources.image_rebind.2d_array.r64i.128_128_8\nwas causing a remap operation like the below.\n\nop_remap: prev: 0000003fffed0000 00000000000f0000 00000000a5abd18a 0000000000000000\nop_remap: next:\nop_remap: unmap: 0000003fffed0000 0000000000100000 0\nop_map: map: 0000003ffffc0000 0000000000010000 000000005b1ba33c 00000000000e0000\n\nThis was resulting in an unmap operation from 0x3fffed0000+0xf0000, 0x100000\nwhich was corrupting the pagetables and oopsing the kernel.\n\nFixes the prev + unmap range calcs to use start/end and map back to addr/range."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:00:37.356Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36018", "state": "PUBLISHED", "dateUpdated": "2024-12-19T09:00:37.356Z", "dateReserved": "2024-05-17T13:50:33.155Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-30T14:59:42.091Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/uvmm: fix addr/range calcs for remap operations\n\ndEQP-VK.sparse_resources.image_rebind.2d_array.r64i.128_128_8\nwas causing a remap operation like the below.\n\nop_remap: prev: 0000003fffed0000 00000000000f0000 00000000a5abd18a 0000000000000000\nop_remap: next:\nop_remap: unmap: 0000003fffed0000 0000000000100000 0\nop_map: map: 0000003ffffc0000 0000000000010000 000000005b1ba33c 00000000000e0000\n\nThis was resulting in an unmap operation from 0x3fffed0000+0xf0000, 0x100000\nwhich was corrupting the pagetables and oopsing the kernel.\n\nFixes the prev + unmap range calcs to use start/end and map back to addr/range."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: nouveau/uvmm: corrige los c\u00e1lculos de addr/range para operaciones de reasignaci\u00f3n dEQP-VK.sparse_resources.image_rebind.2d_array.r64i.128_128_8 estaba provocando una operaci\u00f3n de reasignaci\u00f3n como la siguiente. OP_REMAP: Prev: 0000003FFED0000 00000000000F0000 0000000000A5ABD18A 0000000000000000 OP_REMAP: SIGUIEN 0000000000000E0000 Esto dio como resultado una operaci\u00f3n de UNMAP desde 0x3fffed0000+0xf0000, 0x100000, que corromp\u00eda los pagetables y se agotaba el n\u00facleo. Corrige los c\u00e1lculos de rango anterior + desasignar para usar inicio/fin y volver a asignar a direcci\u00f3n/rango."}], "id": "CVE-2024-36018", "lastModified": "2024-11-21T09:21:26.853", "metrics": {}, "published": "2024-05-30T15:15:48.950", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0c16020d2b69a602c8ae6a1dd2aac9a3023249d6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/692a51bebf4552bdf0a79ccd68d291182a26a569"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/be141849ec00ef39935bf169c0f194ac70bf85ce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/0c16020d2b69a602c8ae6a1dd2aac9a3023249d6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/692a51bebf4552bdf0a79ccd68d291182a26a569"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/be141849ec00ef39935bf169c0f194ac70bf85ce"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: nouveau/uvmm: fix addr/range calcs for remap operations", "id": "2284404", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2284404"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-119", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnouveau/uvmm: fix addr/range calcs for remap operations\ndEQP-VK.sparse_resources.image_rebind.2d_array.r64i.128_128_8\nwas causing a remap operation like the below.\nop_remap: prev: 0000003fffed0000 00000000000f0000 00000000a5abd18a 0000000000000000\nop_remap: next:\nop_remap: unmap: 0000003fffed0000 0000000000100000 0\nop_map: map: 0000003ffffc0000 0000000000010000 000000005b1ba33c 00000000000e0000\nThis was resulting in an unmap operation from 0x3fffed0000+0xf0000, 0x100000\nwhich was corrupting the pagetables and oopsing the kernel.\nFixes the prev + unmap range calcs to use start/end and map back to addr/range."], "name": "CVE-2024-36018", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36018\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36018\nhttps://lore.kernel.org/linux-cve-announce/2024053040-CVE-2024-36018-d6b8@gregkh/T"], "threat_severity": "Low", "upstream_fix": "kernel 6.6.26, kernel 6.8.5, kernel 6.9"}