CVE-2024-56584

MEDIUM

Linux Kernel 5.1-6.1.119, 6.2-6.6.65, 6.7-6.12.4 - Denial of Service via io_uring xa_store Allocation Failure

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: io_uring/tctx: work around xa_store() allocation error issue syzbot triggered the following WARN_ON: WARNING: CPU: 0 PID: 16 at io_uring/tctx.c:51 __io_uring_free+0xfa/0x140 io_uring/tctx.c:51 which is the WARN_ON_ONCE(!xa_empty(&tctx->xa)); sanity check in __io_uring_free() when a io_uring_task is going through its final put. The syzbot test case includes injecting memory allocation failures, and it very much looks like xa_store() can fail one of its memory allocations and end up with ->head being non-NULL even though no entries exist in the xarray. Until this issue gets sorted out, work around it by attempting to iterate entries in our xarray, and WARN_ON_ONCE() if one is found.

References (7)

Core 7

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html

https://git.kernel.org/stable/c/e05c070b401f6365c503e2b59f091331965c4fb9

https://git.kernel.org/stable/c/3a84fa784710990964c1e35df743851ab2863898

Patch

https://git.kernel.org/stable/c/94ad56f61b873ffeebcc620d451eacfbdf9d40f0

Patch

https://git.kernel.org/stable/c/42882b583095dcf747da6e3af1daeff40e27033e

Patch

https://git.kernel.org/stable/c/d5b2ddf1f90c7248eff9630b95895c8950f2f36d

Patch

https://git.kernel.org/stable/c/7eb75ce7527129d7f1fee6951566af409a37a1c4

Scores

CVSS v3 5.5

EPSS 0.0023

EPSS Percentile 13.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-770

Status published

Products (18)

linux/Kernel 5.1.0 - 6.1.120linux

linux/Kernel 6.2.0 - 6.6.66linux

linux/Kernel 6.7.0 - 6.12.5linux

Linux/Linux < 5.1

Linux/Linux 2b188cc1bb857a9d4701ae59aa7768b5124e262e - 3a84fa784710990964c1e35df743851ab2863898

Linux/Linux 2b188cc1bb857a9d4701ae59aa7768b5124e262e - 42882b583095dcf747da6e3af1daeff40e27033e

Linux/Linux 2b188cc1bb857a9d4701ae59aa7768b5124e262e - 7eb75ce7527129d7f1fee6951566af409a37a1c4

Linux/Linux 2b188cc1bb857a9d4701ae59aa7768b5124e262e - 94ad56f61b873ffeebcc620d451eacfbdf9d40f0

Linux/Linux 2b188cc1bb857a9d4701ae59aa7768b5124e262e - d5b2ddf1f90c7248eff9630b95895c8950f2f36d

Linux/Linux 2b188cc1bb857a9d4701ae59aa7768b5124e262e - e05c070b401f6365c503e2b59f091331965c4fb9

... and 8 more

Published Dec 27, 2024

Tracked Since Feb 18, 2026