Cyber Posture

CVE-2024-57838

Severity: High
Published: 11 January 2025
Modified: 05 January 2026
KEV Added: (none listed)
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

s390/entry: Mark IRQ entries to fix stack depot warnings

The stack depot filters out everything outside of the top interrupt context as an uninteresting or irrelevant part of the stack traces. This helps with stack trace de-duplication, avoiding an explosion of saved stack traces that share the same IRQ context code path but originate from different randomly interrupted points, eventually exhausting the stack depot.

Filtering uses in_irqentry_text() to identify functions within the .irqentry.text and .softirqentry.text sections, which then become the last stack trace entries being saved. While __do_softirq() is placed into the .softirqentry.text section by common code, populating .irqentry.text is architecture-specific.

Currently, the .irqentry.text section on s390 is empty, which prevents stack depot filtering and de-duplication and, with PREEMPT and KASAN enabled, could result in warnings like:

    Stack depot reached limit capacity
    WARNING: CPU: 0 PID: 286113 at lib/stackdepot.c:252 depot_alloc_stack+0x39a/0x3c8

Fix this by moving the IO/EXT interrupt handlers from .kprobes.text into the .irqentry.text section and updating the kprobes blacklist to include the .irqentry.text section. This is done only for asynchronous interrupts and explicitly not for program checks, which are synchronous and where the context beyond the program check is important to preserve. Despite machine checks being somewhat in between, they are extremely rare, and preserving context when possible is also of value. SVCs and Restart Interrupts are not relevant, one being always at the boundary to user space and the other being a one-time thing.

IRQ entries filtering is also optionally used in ftrace function graph, where the same logic applies.
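Added illustration, not kernel code and not part of the advisory: a constructed simulation of the filtering the description refers to, modelled on the kernel's filter_irq_stacks() helper in lib/stackdepot.c. A trace is cut at the first function inside .irqentry.text, so traces that share one IRQ handler path de-duplicate; with an empty section, as on s390 before the fix, every randomly interrupted trace stays distinct. The section bounds and the three sample traces are invented.

```c
/* Constructed simulation of stack depot IRQ-entry filtering; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define MAX_DEPTH 8
#define NTRACES   3
/* Invented .irqentry.text bounds; the real ones come from the linker script. */
#define IRQENTRY_START 0x1000UL
#define IRQENTRY_END   0x2000UL

static bool in_irqentry_text(unsigned long addr, unsigned long lo, unsigned long hi)
{
    return addr >= lo && addr < hi;
}

/* Like filter_irq_stacks(): traces are innermost-first, so keep entries up to and
 * including the first IRQ-entry function and drop the randomly interrupted tail. */
static size_t filter_irq_stack(const unsigned long *entries, size_t n,
                               unsigned long lo, unsigned long hi)
{
    for (size_t i = 0; i < n; i++)
        if (in_irqentry_text(entries[i], lo, hi))
            return i + 1;
    return n;
}

/* Distinct traces the depot would keep after filtering with the given
 * .irqentry.text bounds; an empty section (s390 before the fix) is lo == hi. */
static size_t unique_filtered_traces(unsigned long lo, unsigned long hi)
{
    /* Constructed: same handler path (0x5000, then 0x1080 inside .irqentry.text),
     * each trace interrupting a different point in unrelated code. */
    static const unsigned long traces[NTRACES][MAX_DEPTH] = {
        { 0x5000, 0x1080, 0x9010, 0x9200, 0x9f00 },
        { 0x5000, 0x1080, 0x7340, 0x7500 },
        { 0x5000, 0x1080, 0x8888, 0x8900, 0x8a00, 0x8b00 },
    };
    static const size_t lens[NTRACES] = { 5, 4, 6 };
    size_t unique = 0;
    for (size_t i = 0; i < NTRACES; i++) {
        size_t ni = filter_irq_stack(traces[i], lens[i], lo, hi);
        bool seen = false;
        for (size_t j = 0; j < i && !seen; j++) {
            size_t nj = filter_irq_stack(traces[j], lens[j], lo, hi);
            seen = ni == nj && memcmp(traces[i], traces[j], ni * sizeof(traces[i][0])) == 0;
        }
        if (!seen)
            unique++;
    }
    return unique;
}
```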

Security Summary

CVE-2024-57838 is a vulnerability in the Linux kernel's s390 architecture entry code, specifically related to interrupt request (IRQ) handling and stack trace management in the stack depot. The issue arises because the .irqentry.text section is empty on s390, preventing the stack depot from filtering out IRQ context code paths using in_irqentry_text(). This leads to ineffective stack trace de-duplication, an explosion of saved stack traces from various interrupt points, and eventual exhaustion of the stack depot's capacity, triggering warnings such as "Stack depot reached limit capacity" and kernel warnings in depot_alloc_stack(), particularly when PREEMPT and KASAN are enabled.

A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability to achieve high confidentiality impact (C:H) and high availability impact (A:H) with no integrity impact (I:N), as indicated by the CVSS 3.1 score of 7.1. Exploitation involves triggering numerous asynchronous interrupts (IO/EXT) which, because the filtering is ineffective, overwhelm the stack depot, potentially causing denial of service through resource exhaustion and kernel warnings or instability.

Kernel patches referenced in the advisories resolve the issue by moving IO/EXT interrupt handlers from .kprobes.text to the .irqentry.text section for asynchronous interrupts only, while updating the kprobes blacklist to include .irqentry.text. This enables proper filtering without affecting synchronous program checks or rare machine checks. Specific commits include 1af22528fee8, 45c9f2b856a0, 473ffae30301, and 5bb7a2c3afcf, with Debian LTS announcing backports for affected stable kernels. Security practitioners should update to patched kernels to mitigate stack depot exhaustion.

Details

CWE(s)
CWE-668

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: ≤ 5.15.174; 5.16 to 6.1.120; 6.2 to 6.6.64

References