{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2024-45025",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-08-21T05:34:56.684Z",
        "datePublished": "2024-09-11T15:13:57.732Z",
        "dateUpdated": "2024-09-29T15:47:10.206Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-09-15T17:57:14.524Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE\n\ncopy_fd_bitmaps(new, old, count) is expected to copy the first\ncount/BITS_PER_LONG bits from old->full_fds_bits[] and fill\nthe rest with zeroes.  What it does is copying enough words\n(BITS_TO_LONGS(count/BITS_PER_LONG)), then memsets the rest.\nThat works fine, *if* all bits past the cutoff point are\nclear.  Otherwise we are risking garbage from the last word\nwe'd copied.\n\nFor most of the callers that is true - expand_fdtable() has\ncount equal to old->max_fds, so there's no open descriptors\npast count, let alone fully occupied words in ->open_fds[],\nwhich is what bits in ->full_fds_bits[] correspond to.\n\nThe other caller (dup_fd()) passes sane_fdtable_size(old_fdt, max_fds),\nwhich is the smallest multiple of BITS_PER_LONG that covers all\nopened descriptors below max_fds.  In the common case (copying on\nfork()) max_fds is ~0U, so all opened descriptors will be below\nit and we are fine, by the same reasons why the call in expand_fdtable()\nis safe.\n\nUnfortunately, there is a case where max_fds is less than that\nand where we might, indeed, end up with junk in ->full_fds_bits[] -\nclose_range(from, to, CLOSE_RANGE_UNSHARE) with\n\t* descriptor table being currently shared\n\t* 'to' being above the current capacity of descriptor table\n\t* 'from' being just under some chunk of opened descriptors.\nIn that case we end up with observably wrong behaviour - e.g. spawn\na child with CLONE_FILES, get all descriptors in range 0..127 open,\nthen close_range(64, ~0U, CLOSE_RANGE_UNSHARE) and watch dup(0) ending\nup with descriptor #128, despite #64 being observably not open.\n\nThe minimally invasive fix would be to deal with that in dup_fd().\nIf this proves to add measurable overhead, we can go that way, but\nlet's try to fix copy_fd_bitmaps() first.\n\n* new helper: bitmap_copy_and_expand(to, from, bits_to_copy, size).\n* make copy_fd_bitmaps() take the bitmap size in words, rather than\nbits; it's 'count' argument is always a multiple of BITS_PER_LONG,\nso we are not losing any information, and that way we can use the\nsame helper for all three bitmaps - compiler will see that count\nis a multiple of BITS_PER_LONG for the large ones, so it'll generate\nplain memcpy()+memset().\n\nReproducer added to tools/testing/selftests/core/close_range_test.c"
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "fs/file.c",
                        "include/linux/bitmap.h",
                        "tools/testing/selftests/core/close_range_test.c"
                    ],
                    "versions": [
                        {
                            "version": "1da177e4c3f4",
                            "lessThan": "ee501f827f3d",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "1da177e4c3f4",
                            "lessThan": "e807487a1d5f",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "1da177e4c3f4",
                            "lessThan": "fe5bf1488170",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "1da177e4c3f4",
                            "lessThan": "5053581fe5df",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "1da177e4c3f4",
                            "lessThan": "8cad3b2b3ab8",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "1da177e4c3f4",
                            "lessThan": "dd72ae8b0fce",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "1da177e4c3f4",
                            "lessThan": "c69d18f0ac70",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "1da177e4c3f4",
                            "lessThan": "9a2fa1472083",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "fs/file.c",
                        "include/linux/bitmap.h",
                        "tools/testing/selftests/core/close_range_test.c"
                    ],
                    "versions": [
                        {
                            "version": "4.19.321",
                            "lessThanOrEqual": "4.19.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.4.283",
                            "lessThanOrEqual": "5.4.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.10.225",
                            "lessThanOrEqual": "5.10.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.15.166",
                            "lessThanOrEqual": "5.15.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.1.107",
                            "lessThanOrEqual": "6.1.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.6.48",
                            "lessThanOrEqual": "6.6.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.10.7",
                            "lessThanOrEqual": "6.10.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.11",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/ee501f827f3db02d4e599afbbc1a7f8b792d05d7"
                },
                {
                    "url": "https://git.kernel.org/stable/c/e807487a1d5fd5d941f26578ae826ca815dbfcd6"
                },
                {
                    "url": "https://git.kernel.org/stable/c/fe5bf14881701119aeeda7cf685f3c226c7380df"
                },
                {
                    "url": "https://git.kernel.org/stable/c/5053581fe5dfb09b58c65dd8462bf5dea71f41ff"
                },
                {
                    "url": "https://git.kernel.org/stable/c/8cad3b2b3ab81ca55f37405ffd1315bcc2948058"
                },
                {
                    "url": "https://git.kernel.org/stable/c/dd72ae8b0fce9c0bbe9582b9b50820f0407f8d8a"
                },
                {
                    "url": "https://git.kernel.org/stable/c/c69d18f0ac7060de724511537810f10f29a27958"
                },
                {
                    "url": "https://git.kernel.org/stable/c/9a2fa1472083580b6c66bdaf291f591e1170123a"
                }
            ],
            "title": "fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE",
            "x_generator": {
                "engine": "bippy-c9c4e1df01b2"
            }
        },
        "adp": [
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "timestamp": "2024-09-29T15:46:55.387258Z",
                                "id": "CVE-2024-45025",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "role": "CISA Coordinator",
                                "version": "2.0.3"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-09-29T15:47:10.206Z"
                }
            }
        ]
    }
}