CVE-2024-38601: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Fix a race between readers and resize checks

The reader code in rb_get_reader_page() swaps a new reader page into the ring buffer by doing cmpxchg on old->list.prev->next to point it to the new page. Following that, if the operation is successful, old->list.next->prev gets updated too. This means the underlying doubly-linked list is temporarily inconsistent: page->prev->next or page->next->prev might not be equal back to page for some page in the ring buffer.

The resize operation in ring_buffer_resize() can be invoked in parallel. It calls rb_check_pages(), which can detect the described inconsistency and stop further tracing:

[ 190.271762] ------------[ cut here ]------------
[ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0
[ 190.271789] Modules linked in: [...]
[ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1
[ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f
[ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014
[ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0
[ 190.272023] Code: [...]
[ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206
[ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80
[ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700
[ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000
[ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720
[ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000
[ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000
[ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0
[ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 190.272077] Call Trace:
[ 190.272098] <TASK>
[ 190.272189] ring_buffer_resize+0x2ab/0x460
[ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0
[ 190.272206] tracing_resize_ring_buffer+0x65/0x90
[ 190.272216] tracing_entries_write+0x74/0xc0
[ 190.272225] vfs_write+0xf5/0x420
[ 190.272248] ksys_write+0x67/0xe0
[ 190.272256] do_syscall_64+0x82/0x170
[ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 190.272373] RIP: 0033:0x7f1bd657d263
[ 190.272381] Code: [...]
[ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263
[ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001
[ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000
[ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500
[ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002
[ 190.272412] </TASK>
[ 190.272414] ---[ end trace 0000000000000000 ]---

Note that ring_buffer_resize() calls rb_check_pages() only if the parent trace_buffer has recording disabled. Recent commit d78ab792705c ("tracing: Stop current tracer when resizing buffer") means that this is now always the case, which makes it more likely to experience this issue.

The window to hit this race is nonetheless very small. To help reproduce it, one can add a delay loop in rb_get_reader_page():

    ret = rb_head_page_replace(reader, cpu_buffer->reader_page);
    if (!ret)
        goto spin;
    for (unsigned i = 0; i < 1U << 26; i++)  /* inserted delay loop */
        __asm__ __volatile__ ("" : : : "memory");
    rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list;

.. ---truncated---
AI Analysis
Technical Summary
CVE-2024-38601 is a race condition in the Linux kernel's trace ring buffer (kernel/trace/ring_buffer.c), the per-CPU circular buffer of pages into which ftrace and the tracepoint infrastructure write events. The pages form a circular doubly-linked list. When a reader consumes a page, rb_get_reader_page() swaps its spare reader page into the ring in two steps: a cmpxchg on old->list.prev->next publishes the new page, and only afterwards is old->list.next->prev updated. Between those two writes the list violates its own invariant: for the pages involved, page->prev->next or page->next->prev no longer points back to page. ring_buffer_resize() can run in parallel and, when recording on the trace_buffer is disabled, calls rb_check_pages() to verify exactly that invariant. If it observes the half-completed swap it fires a WARNING (the splat above comes from kernel/trace/ring_buffer.c:1467 on 6.9.0-rc6, reached through a write to buffer_size_kb via tracing_entries_write()) and disables further recording on that CPU buffer, so tracing stops even though the list would have become consistent again a few instructions later. Commit d78ab792705c ("tracing: Stop current tracer when resizing buffer") made recording-disabled the normal state during a resize, so the check now runs on every resize and the race is easier to reach; the window is still small, which is why the commit message inserts an artificial delay loop to reproduce it. The upstream fix takes the per-CPU reader_lock around the rb_check_pages() call in ring_buffer_resize(), so the check can no longer observe a swap in progress. The impact is limited to the availability of tracing: a false-positive WARN and a disabled ring buffer, with no memory corruption, privilege escalation or code execution; the warning becomes a crash only on systems booted with panic_on_warn. Triggering it needs a concurrent reader (for example a consumer of trace_pipe) and a write to buffer_size_kb, both of which require access to tracefs, which is restricted to root by default. The kernel CNA's record starts the affected range at commit 659f451ff21315ebfeeb46b9adccee8ce1b52c25 and runs it up to the fix. No exploitation in the wild was reported as of publication.
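To make the window concrete, the following is an added model of the race in plain C. It is not kernel code and not part of this CVE record: a circular doubly-linked page list, a reader that swaps its spare page in with a cmpxchg on prev->next followed by a separate write to next->prev (the two steps the description above names), and a checker that enforces the rb_check_pages() invariant either without a lock, as the pre-fix ring_buffer_resize() did, or under the reader lock, as the upstream fix does. The struct and function names (cpu_buffer, reader_swap, window_demo, run_race) are assumptions; the HEAD/UPDATE flag bits, struct buffer_page and the writer side are left out, and the empty delay loop follows the commit message's reproduction hint.

```c
/* Added model of the reader/resize race, not kernel code: struct and function
 * names are assumptions; HEAD/UPDATE flag bits and the writer are omitted. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

#define NPAGES 8        /* pages on the ring; one more is the spare */
#define ITERS  20000    /* swaps by the reader and checks by the resizer */

struct page { _Atomic(struct page *) next, prev; };   /* next is the cmpxchg target */
struct cpu_buffer {
	struct page pages[NPAGES + 1];
	struct page *head, *reader_page;   /* head stays on the ring; reader_page is the spare */
	pthread_mutex_t reader_lock;
};

static void build_ring(struct cpu_buffer *cb)
{
	for (int i = 0; i < NPAGES; i++) {
		atomic_store(&cb->pages[i].next, &cb->pages[(i + 1) % NPAGES]);
		atomic_store(&cb->pages[i].prev, &cb->pages[(i + NPAGES - 1) % NPAGES]);
	}
	cb->head = &cb->pages[0];
	cb->reader_page = &cb->pages[NPAGES];
	pthread_mutex_init(&cb->reader_lock, NULL);
}

/* rb_check_pages() invariant: p->prev->next == p and p->next->prev == p for
 * every page p on the ring. Returns 0 if it holds, -1 otherwise. */
static int check_pages(const struct cpu_buffer *cb)
{
	struct page *p = cb->head;
	for (int i = 0; i < NPAGES; i++) {
		struct page *prev = atomic_load(&p->prev), *next = atomic_load(&p->next);
		if (atomic_load(&prev->next) != p || atomic_load(&next->prev) != p)
			return -1;
		p = next;
	}
	return p == cb->head ? 0 : -1;
}

/* rb_get_reader_page()'s swap: aim the spare page at old's neighbours, cmpxchg
 * old->prev->next to it, then separately repair old->next->prev. The list is
 * inconsistent between those two writes; the delay loop widens that window and,
 * with check_midway set, the check runs inside it. Returns that result, or 0. */
static int reader_swap(struct cpu_buffer *cb, int check_midway)
{
	struct page *old = atomic_load(&cb->head->next), *expected = old;
	struct page *prev = atomic_load(&old->prev), *new = cb->reader_page;
	atomic_store(&new->prev, prev);
	atomic_store(&new->next, atomic_load(&old->next));
	if (!atomic_compare_exchange_strong(&prev->next, &expected, new))
		return 0;    /* lost to a writer moving the head; the kernel retries */
	for (unsigned d = 0; d < 1U << 12; d++) __asm__ __volatile__("" ::: "memory");
	int mid = check_midway ? check_pages(cb) : 0;
	atomic_store(&atomic_load(&new->next)->prev, new);
	cb->reader_page = old;               /* old is now the spare */
	return mid;
}

/* Single-threaded view: 2 when the check trips mid-swap and passes again after. */
static int window_demo(void)
{
	struct cpu_buffer cb;
	build_ring(&cb);
	int tripped = reader_swap(&cb, 1) != 0;
	return tripped + (check_pages(&cb) == 0);
}

/* Reader side, always under reader_lock as rb_get_reader_page() is. */
static void *reader_thread(void *arg)
{
	struct cpu_buffer *cb = arg;
	for (int i = 0; i < ITERS; i++) {
		pthread_mutex_lock(&cb->reader_lock);
		reader_swap(cb, 0);
		pthread_mutex_unlock(&cb->reader_lock);
	}
	return NULL;
}

/* Resize side: check the pages ITERS times while the reader swaps. locked == 0 is
 * the pre-fix ring_buffer_resize(); locked != 0 takes reader_lock around each
 * check, as the fix does. Returns the number of failed checks. */
static int run_race(int locked)
{
	struct cpu_buffer cb;
	pthread_t tid;
	int failures = 0;
	build_ring(&cb);
	if (pthread_create(&tid, NULL, reader_thread, &cb) != 0)
		return -1;
	for (int i = 0; i < ITERS; i++) {
		if (locked) pthread_mutex_lock(&cb.reader_lock);
		failures += check_pages(&cb) != 0;
		if (locked) pthread_mutex_unlock(&cb.reader_lock);
	}
	pthread_join(tid, NULL);
	return failures;
}

int main(void)
{
	printf("window demo: %d/2 checks as expected\n", window_demo());
	printf("unlocked check: %d spurious failures\n", run_race(0));
	printf("locked check:   %d spurious failures\n", run_race(1));
}
```

window_demo() is deterministic: the check fails between the two pointer writes and passes once the second write lands, which is the whole bug. run_race(0) reports a large count of spurious failures on most runs because the delay loop keeps the window open most of the time; run_race(1) always reports zero, since a checker that holds the same lock as the reader can only ever see the list before or after a complete swap. Build with cc -pthread on toolchains older than glibc 2.34.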
Potential Impact
For European organizations, the impact of CVE-2024-38601 is an availability and observability problem, not a confidentiality or integrity one. Hosts that use the kernel's tracing ring buffer (ftrace consumers such as trace-cmd or scripts reading trace_pipe through tracefs) can hit a spurious WARNING in rb_check_pages() when a reader swaps its page at the moment a resize is checking the page list. When that happens the kernel disables recording on the affected buffer, so trace data stops flowing and a debugging, performance or security-monitoring session ends with no indication other than the splat in the kernel log. On hosts booted with panic_on_warn=1, as some hardened or test fleets are, the same WARNING is promoted to a kernel panic and becomes a full outage. Because both halves of the race (a reader of trace_pipe and a write to buffer_size_kb) require access to tracefs, which is restricted to root by default, the condition is not reachable by unprivileged local users or remotely; it matters chiefly where tracing is automated (agents that resize buffers on the fly, CI jobs running tracing tests) or where tracefs has been delegated to a non-root group via its gid= mount option. The most practically relevant effect is the loss of trace data in the middle of an incident response or forensic investigation. Sectors with strict uptime requirements (finance, telecommunications, healthcare, public services) that run panic_on_warn should treat the fix as a stability update; everyone else can treat it as a reliability bug in a diagnostic subsystem. Organizations on customized or older kernels without the fix remain exposed to the accidental trigger. No exploitation in the wild is known, and there is nothing in the flaw for an attacker to exploit beyond stopping tracing they already have the privilege to stop directly.
Mitigation Recommendations
To mitigate CVE-2024-38601, European organizations should: 1) Update to a kernel that carries the fix ("ring-buffer: Fix a race between readers and resize checks"); for distribution or LTS kernels, confirm with the vendor that the patch has been backported, since the kernel CNA's affected range starts at commit 659f451ff21315ebfeeb46b9adccee8ce1b52c25. 2) Until patched, avoid writing to buffer_size_kb (or per_cpu/cpu*/buffer_size_kb) while any reader of trace_pipe or trace_pipe_raw is active; size the buffer once before starting a trace session rather than resizing it live. 3) Watch kernel logs for the signature "WARNING: ... at kernel/trace/ring_buffer.c:... rb_check_pages" with ring_buffer_resize in the call trace; a hit means recording on that buffer has been disabled and the tracing session must be restarted. 4) Review whether panic_on_warn is set on hosts that run tracing, since it turns this false positive into a panic, and decide deliberately whether that trade-off is wanted there. 5) Test the updated kernel in staging with a concurrent trace_pipe reader and repeated buffer_size_kb writes to confirm tracing remains stable. 6) If tracefs is exposed to non-root users through its gid= mount option, treat those users as able to stop tracing on the host and restrict the grant accordingly. 7) Document the symptom (tracing stops, with the WARNING in dmesg) for operators so a disabled buffer is recognized quickly rather than mistaken for an idle system.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-06-18T19:36:34.933Z
- CISA Enriched: true
- CVSS Version: none recorded (null)
- State: PUBLISHED
Threat ID: 682d9829c4522896dcbe2abf
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 11:54:34 AM
Last updated: 8/12/2025, 10:36:31 AM
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)