{"id":"CVE-2024-46847","summary":"mm: vmalloc: ensure vmap_block is initialised before adding to queue","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: vmalloc: ensure vmap_block is initialised before adding to queue\n\nCommit 8c61291fd850 (\"mm: fix incorrect vbq reference in\npurge_fragmented_block\") extended the 'vmap_block' structure to contain a\n'cpu' field which is set at allocation time to the id of the initialising\nCPU.\n\nWhen a new 'vmap_block' is being instantiated by new_vmap_block(), the\npartially initialised structure is added to the local 'vmap_block_queue'\nxarray before the 'cpu' field has been initialised.  If another CPU is\nconcurrently walking the xarray (e.g.  via vm_unmap_aliases()), then it\nmay perform an out-of-bounds access to the remote queue thanks to an\nuninitialised index.\n\nThis has been observed as UBSAN errors in Android:\n\n | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP\n |\n | Call trace:\n |  purge_fragmented_block+0x204/0x21c\n |  _vm_unmap_aliases+0x170/0x378\n |  vm_unmap_aliases+0x1c/0x28\n |  change_memory_common+0x1dc/0x26c\n |  set_memory_ro+0x18/0x24\n |  module_enable_ro+0x98/0x238\n |  do_init_module+0x1b0/0x310\n\nMove the initialisation of 'vb-\u003ecpu' in new_vmap_block() ahead of the\naddition to the xarray.","modified":"2026-03-20T12:37:57.713961Z","published":"2024-09-27T12:39:39.550Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46847.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1b2770e27d6d952f491bb362b657e5b2713c3efd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3e3de7947c751509027d26b679ecd243bc9db255"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6cf74e0e5e3ab5d5c9defb4c73dad54d52224671"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46847.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46847"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"88e0ad40d08a73a74c597e69f4cd2d1fba3838b5"},{"fixed":"1b2770e27d6d952f491bb362b657e5b2713c3efd"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8c61291fd8500e3b35c7ec0c781b273d8cc96cde"},{"fixed":"6cf74e0e5e3ab5d5c9defb4c73dad54d52224671"},{"fixed":"3e3de7947c751509027d26b679ecd243bc9db255"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"9983b81579be3403f5cc44b11f66c6c8bea6547f"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-46847.json"}}],"schema_version":"1.7.5"}