{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-35902", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-17T13:50:33.114Z", "datePublished": "2024-05-19T08:34:55.692Z", "dateUpdated": "2025-05-04T12:56:02.708Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T12:56:02.708Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp->cp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n - rds_get_mr()\n - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs->rs_transport->get_mr(\n\t\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\n\t\targs->vec.addr, args->vec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n where trans_private is assigned as per the previous point in this analysis.\n\n The only implementation of get_mr that I could locate is rds_ib_get_mr()\n which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n this patch does seem to address a possible bug"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/rds/rdma.c"], "versions": [{"version": "786854141057751bc08eb26f1b02e97c1631c8f4", "lessThan": "d275de8ea7be3a453629fddae41d4156762e814c", "status": "affected", "versionType": "git"}, {"version": "997efea2bf3a4adb96c306b9ad6a91442237bf5b", "lessThan": "bcd46782e2ec3825d10c1552fcb674d491cc09f9", "status": "affected", "versionType": "git"}, {"version": "9dfc15a10dfd44f8ff7f27488651cb5be6af83c2", "lessThan": "cfb786b03b03c5ff38882bee38525eb9987e4d14", "status": "affected", "versionType": "git"}, {"version": "b562ebe21ed9adcf42242797dd6cb75beef12bf0", "lessThan": "d49fac38479bfdaec52b3ea274d290c47a294029", "status": "affected", "versionType": "git"}, {"version": "998fd719e6d6468b930ac0c44552ea9ff8b07b80", "lessThan": "cbaac2e5488ed54833897264a5ffb2a341a9f196", "status": "affected", "versionType": "git"}, {"version": "2b505d05280739ce31d5708da840f42df827cb85", "lessThan": "92309bed3c5fbe2ccd4c45056efd42edbd06162d", "status": "affected", "versionType": "git"}, {"version": "c055fc00c07be1f0df7375ab0036cebd1106ed38", "lessThan": "6794090c742008c53b344b35b021d4a3093dc50a", "status": "affected", "versionType": "git"}, {"version": "c055fc00c07be1f0df7375ab0036cebd1106ed38", "lessThan": "62fc3357e079a07a22465b9b6ef71bb6ea75ee4b", "status": "affected", "versionType": "git"}, {"version": "907761307469adecb02461a14120e9a1812a5fb1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/rds/rdma.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.312", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.274", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.215", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.154", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.85", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.26", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.5", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.310", "versionEndExcluding": "4.19.312"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.272", "versionEndExcluding": "5.4.274"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.213", "versionEndExcluding": "5.10.215"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.152", "versionEndExcluding": "5.15.154"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.82", "versionEndExcluding": "6.1.85"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.22", "versionEndExcluding": "6.6.26"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.8.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7.10"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c"}, {"url": "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9"}, {"url": "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14"}, {"url": "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029"}, {"url": "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196"}, {"url": "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d"}, {"url": "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a"}, {"url": "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b"}], "title": "net/rds: fix possible cp null dereference", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35902", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-20T14:09:14.303997Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:34:18.553Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.670Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.670Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35902", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-20T14:09:14.303997Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:24.764Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "net/rds: fix possible cp null dereference", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "786854141057751bc08eb26f1b02e97c1631c8f4", "lessThan": "d275de8ea7be3a453629fddae41d4156762e814c", "versionType": "git"}, {"status": "affected", "version": "997efea2bf3a4adb96c306b9ad6a91442237bf5b", "lessThan": "bcd46782e2ec3825d10c1552fcb674d491cc09f9", "versionType": "git"}, {"status": "affected", "version": "9dfc15a10dfd44f8ff7f27488651cb5be6af83c2", "lessThan": "cfb786b03b03c5ff38882bee38525eb9987e4d14", "versionType": "git"}, {"status": "affected", "version": "b562ebe21ed9adcf42242797dd6cb75beef12bf0", "lessThan": "d49fac38479bfdaec52b3ea274d290c47a294029", "versionType": "git"}, {"status": "affected", "version": "998fd719e6d6468b930ac0c44552ea9ff8b07b80", "lessThan": "cbaac2e5488ed54833897264a5ffb2a341a9f196", "versionType": "git"}, {"status": "affected", "version": "2b505d05280739ce31d5708da840f42df827cb85", "lessThan": "92309bed3c5fbe2ccd4c45056efd42edbd06162d", "versionType": "git"}, {"status": "affected", "version": "c055fc00c07be1f0df7375ab0036cebd1106ed38", "lessThan": "6794090c742008c53b344b35b021d4a3093dc50a", "versionType": "git"}, {"status": "affected", "version": "c055fc00c07be1f0df7375ab0036cebd1106ed38", "lessThan": "62fc3357e079a07a22465b9b6ef71bb6ea75ee4b", "versionType": "git"}], "programFiles": ["net/rds/rdma.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.8"}, {"status": "unaffected", "version": "0", "lessThan": "6.8", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.312", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.274", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.215", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.154", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.85", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.26", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.5", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/rds/rdma.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c"}, {"url": "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9"}, {"url": "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14"}, {"url": "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029"}, {"url": "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196"}, {"url": "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d"}, {"url": "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a"}, {"url": "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp->cp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n - rds_get_mr()\n - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs->rs_transport->get_mr(\n\t\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\n\t\targs->vec.addr, args->vec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n where trans_private is assigned as per the previous point in this analysis.\n\n The only implementation of get_mr that I could locate is rds_ib_get_mr()\n which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n this patch does seem to address a possible bug"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.19.312", "versionStartIncluding": "4.19.310"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.274", "versionStartIncluding": "5.4.272"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.215", "versionStartIncluding": "5.10.213"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.154", "versionStartIncluding": "5.15.152"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.85", "versionStartIncluding": "6.1.82"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.26", "versionStartIncluding": "6.6.22"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8.5", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.9", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "6.7.10"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:08:00.940Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35902", "state": "PUBLISHED", "dateUpdated": "2025-05-04T09:08:00.940Z", "dateReserved": "2024-05-17T13:50:33.114Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-19T08:34:55.692Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D02AF2B3-13B5-4802-9DC1-087A7193F503", "versionEndExcluding": "4.19.312", "versionStartIncluding": "4.19.310", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "187C950F-6E78-4831-93AF-B7A15212714E", "versionEndExcluding": "5.7.274", "versionStartIncluding": "5.4.272", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "62166690-37B3-4D16-B6A3-E027256C41CD", "versionEndExcluding": "5.10.215", "versionStartIncluding": "5.10.213", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1282257-6354-4F74-8133-39F1EA6BF816", "versionEndExcluding": "5.15.154", "versionStartIncluding": "5.15.152", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5715EDF1-F50B-4AED-AE96-D3F02AC1F58C", "versionEndExcluding": "6.1.85", "versionStartIncluding": "6.1.82", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7F6F8E6-ADCB-4F7D-953C-660986B2B9CC", "versionEndExcluding": "6.6.26", "versionStartIncluding": "6.6.22", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C0AD733-A1E8-4B50-9321-F886337D5B40", "versionEndExcluding": "6.8.5", "versionStartIncluding": "6.7.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp->cp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n - rds_get_mr()\n - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs->rs_transport->get_mr(\n\t\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\n\t\targs->vec.addr, args->vec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n where trans_private is assigned as per the previous point in this analysis.\n\n The only implementation of get_mr that I could locate is rds_ib_get_mr()\n which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n this patch does seem to address a possible bug"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/rds: corrige la posible desreferencia nula de cp cp podr\u00eda ser nulo, llamar a cp->cp_conn producir\u00eda una desreferencia nula [Simon Horman agrega:] An\u00e1lisis: * cp es un par\u00e1metro de __rds_rdma_map y no es reasignado. * Los siguientes sitios de llamadas pasan un argumento cp NULL a __rds_rdma_map() - rds_get_mr() - rds_get_mr_for_dest * Antes del c\u00f3digo anterior, lo siguiente supone que cp puede ser NULL (lo cual es indicativo, pero podr\u00eda ser innecesario) trans_private = rs ->rs_transport->get_mr( sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL, args->vec.addr, args->vec.bytes, need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED); * El c\u00f3digo modificado por este parche est\u00e1 custodiado por IS_ERR(trans_private), donde trans_private se asigna seg\u00fan el punto anterior de este an\u00e1lisis. La \u00fanica implementaci\u00f3n de get_mr que pude localizar es rds_ib_get_mr() que puede devolver un ERR_PTR si el argumento conn (cuarto) es NULL. * ret est\u00e1 establecido en PTR_ERR(trans_private). rds_ib_get_mr puede devolver ERR_PTR(-ENODEV) si el argumento de conexi\u00f3n (cuarto) es NULL. Por lo tanto, ret puede ser -ENODEV, en cuyo caso se ejecutar\u00e1 el c\u00f3digo en cuesti\u00f3n. Conclusi\u00f3n: * cp puede ser NULL en el punto donde este parche agrega una verificaci\u00f3n; este parche parece solucionar un posible error "}], "id": "CVE-2024-35902", "lastModified": "2024-12-30T19:47:46.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-19T09:15:11.037", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net/rds: fix possible cp null dereference", "id": "2281660", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2281660"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet/rds: fix possible cp null dereference\ncp might be null, calling cp->cp_conn would produce null dereference\n[Simon Horman adds:]\nAnalysis:\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n- rds_get_mr()\n- rds_get_mr_for_dest\n* Prior to the code above, the following assumes that cp may be NULL\n(which is indicative, but could itself be unnecessary)\ntrans_private = rs->rs_transport->get_mr(\nsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\nargs->vec.addr, args->vec.bytes,\nneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n* The code modified by this patch is guarded by IS_ERR(trans_private),\nwhere trans_private is assigned as per the previous point in this analysis.\nThe only implementation of get_mr that I could locate is rds_ib_get_mr()\nwhich can return an ERR_PTR if the conn (4th) argument is NULL.\n* ret is set to PTR_ERR(trans_private).\nrds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\nThus ret may be -ENODEV in which case the code in question will execute.\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\nthis patch does seem to address a possible bug"], "name": "CVE-2024-35902", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-35902\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35902\nhttps://lore.kernel.org/linux-cve-announce/2024051952-CVE-2024-35902-a288@gregkh/T"], "threat_severity": "Moderate"}

{}