CVE-2024-50270: mm/damon/core: avoid overflow in damon_feed_loop_next_input()
First published: Tue Nov 19 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: avoid overflow in damon_feed_loop_next_input() damon_feed_loop_next_input() is inefficient and fragile to overflows. Specifically, 'score_goal_diff_bp' calculation can overflow when 'score' is high. The calculation is actually unnecessary at all because 'goal' is a constant of value 10,000. Calculation of 'compensation' is again fragile to overflow. Final calculation of return value for under-achiving case is again fragile to overflow when the current score is under-achieving the target. Add two corner cases handling at the beginning of the function to make the body easier to read, and rewrite the body of the function to avoid overflows and the unnecessary bp value calcuation.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | >=6.8<6.11.8 | |
| Linux Kernel | =6.12-rc1 | |
| Linux Kernel | =6.12-rc2 | |
| Linux Kernel | =6.12-rc3 | |
| Linux Kernel | =6.12-rc4 | |
| Linux Kernel | =6.12-rc5 | |
| Linux Kernel | =6.12-rc6 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.15-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/2d339a1f0f16ff5dea58e612ff336f0be0d041e9
- https://git.kernel.org/stable/c/4401e9d10ab0281a520b9f8c220f30f60b5c248f
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50270
- https://nvd.nist.gov/vuln/detail/CVE-2024-50270
- https://launchpad.net/bugs/cve/CVE-2024-50270
- https://security-tracker.debian.org/tracker/CVE-2024-50270
- https://ubuntu.com/security/CVE-2024-50270
- https://git.kernel.org/linus/4401e9d10ab0281a520b9f8c220f30f60b5c248f
Frequently Asked Questions
What is the severity of CVE-2024-50270?
CVE-2024-50270 is considered a medium severity vulnerability due to the potential for overflow in memory management functions.
How do I fix CVE-2024-50270?
To fix CVE-2024-50270, update the Linux kernel to version 6.12-rc7 or later as it contains the necessary patches.
What versions of the Linux kernel are affected by CVE-2024-50270?
CVE-2024-50270 affects Linux kernel versions 6.8 through 6.11.8 and 6.12-rc1 to 6.12-rc6.
Is CVE-2024-50270 exploitable in production systems?
Yes, CVE-2024-50270 could potentially be exploited in production systems if they are running affected versions.
What components of the Linux kernel are impacted by CVE-2024-50270?
CVE-2024-50270 impacts the memory management component in Linux, specifically the damon subsystem.
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/severity
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/usn-cve
- source/Ubuntu
- collector/launchpad-cve
- source/Launchpad
- agent/source
- agent/references
- agent/softwarecombine
- agent/tags
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/event
- vendor/linux
- canonical/linux kernel
- version/linux kernel/6.8
- version/linux kernel/6.12-rc1
- version/linux kernel/6.12-rc2
- version/linux kernel/6.12-rc3
- version/linux kernel/6.12-rc4
- version/linux kernel/6.12-rc5
- version/linux kernel/6.12-rc6
- package-manager/debian