CVE-2024-57930 (GCVE-0-2024-57930)
Vulnerability from cvelistv5
Published
2025-01-21 12:01
Modified
2025-11-03 20:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Have process_string() also allow arrays
In order to catch a common bug where a TRACE_EVENT() TP_fast_assign()
assigns an address of an allocated string to the ring buffer and then
references it in TP_printk(), which can be executed hours later when the
string is free, the function test_event_printk() runs on all events as
they are registered to make sure there's no unwanted dereferencing.
It calls process_string() to handle cases in TP_printk() format that has
"%s". It returns whether or not the string is safe. But it can have some
false positives.
For instance, xe_bo_move() has:
TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s",
__entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size,
xe_mem_type_to_name[__entry->old_placement],
xe_mem_type_to_name[__entry->new_placement], __get_str(device_id))
Where the "%s" references into xe_mem_type_to_name[]. This is an array of
pointers that should be safe for the event to access. Instead of flagging
this as a bad reference, if a reference points to an array, where the
record field is the index, consider it safe.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:55:59.231Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3bcdc9039a6e9e6e47ed689a37b8d57894a3c571",
"status": "affected",
"version": "85d7635d54d75a2589f28583dc17feedc3aa4ad6",
"versionType": "git"
},
{
"lessThan": "631b1e09e213c86d5a4ce23d45c81af473bb0ac7",
"status": "affected",
"version": "f3ff759ec636b4094b8eb2c3801e4e6c97a6b712",
"versionType": "git"
},
{
"lessThan": "a64e5295ebc4afdefe69cdf16cc286a60ff8ba4b",
"status": "affected",
"version": "2f6ad0b613cd45cca48e6eb04f65351db018afb0",
"versionType": "git"
},
{
"lessThan": "92bd18c74624e5eb9f96e70076aa46293f4b626f",
"status": "affected",
"version": "683eccacc02d2eb25d1c34b8fb0363fcc7e08f64",
"versionType": "git"
},
{
"lessThan": "afc6717628f959941d7b33728570568b4af1c4b8",
"status": "affected",
"version": "65a25d9f7ac02e0cf361356e834d1c71d36acca9",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.1.124",
"status": "affected",
"version": "6.1.122",
"versionType": "semver"
},
{
"lessThan": "6.6.70",
"status": "affected",
"version": "6.6.68",
"versionType": "semver"
},
{
"lessThan": "6.12.9",
"status": "affected",
"version": "6.12.7",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.124",
"versionStartIncluding": "6.1.122",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.70",
"versionStartIncluding": "6.6.68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.9",
"versionStartIncluding": "6.12.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have process_string() also allow arrays\n\nIn order to catch a common bug where a TRACE_EVENT() TP_fast_assign()\nassigns an address of an allocated string to the ring buffer and then\nreferences it in TP_printk(), which can be executed hours later when the\nstring is free, the function test_event_printk() runs on all events as\nthey are registered to make sure there\u0027s no unwanted dereferencing.\n\nIt calls process_string() to handle cases in TP_printk() format that has\n\"%s\". It returns whether or not the string is safe. But it can have some\nfalse positives.\n\nFor instance, xe_bo_move() has:\n\n TP_printk(\"move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s\",\n __entry-\u003emove_lacks_source ? \"yes\" : \"no\", __entry-\u003ebo, __entry-\u003esize,\n xe_mem_type_to_name[__entry-\u003eold_placement],\n xe_mem_type_to_name[__entry-\u003enew_placement], __get_str(device_id))\n\nWhere the \"%s\" references into xe_mem_type_to_name[]. This is an array of\npointers that should be safe for the event to access. Instead of flagging\nthis as a bad reference, if a reference points to an array, where the\nrecord field is the index, consider it safe."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:06:53.594Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3bcdc9039a6e9e6e47ed689a37b8d57894a3c571"
},
{
"url": "https://git.kernel.org/stable/c/631b1e09e213c86d5a4ce23d45c81af473bb0ac7"
},
{
"url": "https://git.kernel.org/stable/c/a64e5295ebc4afdefe69cdf16cc286a60ff8ba4b"
},
{
"url": "https://git.kernel.org/stable/c/92bd18c74624e5eb9f96e70076aa46293f4b626f"
},
{
"url": "https://git.kernel.org/stable/c/afc6717628f959941d7b33728570568b4af1c4b8"
}
],
"title": "tracing: Have process_string() also allow arrays",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57930",
"datePublished": "2025-01-21T12:01:27.807Z",
"dateReserved": "2025-01-19T11:50:08.376Z",
"dateUpdated": "2025-11-03T20:55:59.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…