CVE-2024-40947: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

ima: Avoid blocking in RCU read-side critical section

A panic happens in ima_match_policy:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 42f873067 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
RIP: 0010:ima_match_policy+0x84/0x450
Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
FS:  00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ima_get_action+0x22/0x30
 process_measurement+0xb0/0x830
 ? page_add_file_rmap+0x15/0x170
 ? alloc_set_pte+0x269/0x4c0
 ? prep_new_page+0x81/0x140
 ? simple_xattr_get+0x75/0xa0
 ? selinux_file_open+0x9d/0xf0
 ima_file_check+0x64/0x90
 path_openat+0x571/0x1720
 do_filp_open+0x9b/0x110
 ? page_counter_try_charge+0x57/0xc0
 ? files_cgroup_alloc_fd+0x38/0x60
 ? __alloc_fd+0xd4/0x250
 ? do_sys_open+0x1bd/0x250
 do_sys_open+0x1bd/0x250
 do_syscall_64+0x5d/0x1d0
 entry_SYSCALL_64_after_hwframe+0x65/0xca

Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced a call to ima_lsm_copy_rule within an RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates the limitations of RCU read-side critical sections on non-PREEMPT systems.

Sleeping within an RCU read-side critical section might cause synchronize_rcu() to return early and break RCU protection, allowing a UAF to happen.

The root cause of this issue could be described as follows:

|          Thread A          |          Thread B          |
|                            | ima_match_policy           |
|                            |   rcu_read_lock            |
| ima_lsm_update_rule        |                            |
|   synchronize_rcu          |                            |
|                            |   kmalloc(GFP_KERNEL)      |
|                            |     sleep                  |
==> synchronize_rcu returns early
| kfree(entry)               |                            |
|                            |     entry = entry->next    |
==> UAF happens and entry now becomes NULL (or could be anything).
|                            |     entry->action          |
==> Accessing entry might cause panic.

To fix this issue, we are converting all kmalloc that is called within an RCU read-side critical section to use GFP_ATOMIC.

[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]
AI Analysis
Technical Summary
CVE-2024-40947 is a vulnerability in the Linux kernel's Integrity Measurement Architecture (IMA) subsystem, specifically in how it handles Read-Copy-Update (RCU) read-side critical sections. Commit c7423dbdbc9e introduced a call to ima_lsm_copy_rule inside an RCU read-side critical section. That call allocates memory with kmalloc(GFP_KERNEL), which may sleep, violating the constraints on RCU read-side critical sections on non-PREEMPT kernels. On such kernels a sleep is a context switch and therefore a quiescent state, so synchronize_rcu() in a concurrent ima_lsm_update_rule can return before the reader has finished; the updater then frees the rule entry the reader still holds, producing a use-after-free (UAF). The observed symptom is a kernel panic from a NULL pointer dereference in ima_match_policy, which reads entry->next from the freed entry (obtaining NULL) and then dereferences it. The fix converts the kmalloc calls made within RCU read-side critical sections to GFP_ATOMIC, which never sleeps, so RCU's guarantees hold. The vulnerability affects the kernel versions the advisory identifies by commit hash and is most relevant to systems that use IMA and run non-PREEMPT kernels. No exploits in the wild were known as of publication.
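To make the interleaving described in the commit message and summarized above concrete, here is an added single-threaded C model of classic (non-PREEMPT) RCU written for this page; it is not kernel code and not part of the CVE record. It assumes the simplification that a grace period completes once every other CPU has passed through a quiescent state, and that any sleep (such as a blocking kmalloc(GFP_KERNEL)) is a context switch and therefore a quiescent state. The entry and list names follow the page; the per-CPU counters, the scheduling points and the "freed" poison flag are this model's own constructs.

```c
/*
 * Single-threaded model of the race in the commit message, using classic
 * (non-PREEMPT) RCU semantics: a grace period completes once every other CPU
 * has passed through a quiescent state, and a context switch is such a state.
 * The list/entry names follow the page; the per-CPU counters, scheduling
 * points and "freed" poison flag are this example's own constructs.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NR_CPUS    2
#define READER_CPU 0   /* runs ima_match_policy() */
#define WRITER_CPU 1   /* runs ima_lsm_update_rule() */

struct ima_rule_entry {
	int action;
	struct ima_rule_entry *next;
	bool freed;   /* stand-in for "kfree() already ran"; not a kernel field */
};

static struct ima_rule_entry *ima_rules;   /* RCU-protected list head */
static unsigned long qs_count[NR_CPUS];    /* quiescent states seen per CPU */

/* A context switch on this CPU.  A blocking kmalloc(GFP_KERNEL) causes one,
 * and classic RCU counts it as a quiescent state for that CPU. */
static void schedule_on(int cpu)
{
	qs_count[cpu]++;
}

/* synchronize_rcu() split in two: snapshot the counters when the updater
 * starts waiting, then ask whether every other CPU has since reported a
 * quiescent state.  The kernel blocks until this is true; the model polls. */
static void gp_start(unsigned long snap[NR_CPUS])
{
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		snap[cpu] = qs_count[cpu];
}

static bool gp_complete(const unsigned long snap[NR_CPUS], int self)
{
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		if (cpu != self && qs_count[cpu] == snap[cpu])
			return false;   /* that CPU may still hold a reference */
	return true;
}

/* kfree() stand-in: poison rather than free so the model stays well defined.
 * The commit message observed entry->next reading back as NULL. */
static void kfree_entry(struct ima_rule_entry *e)
{
	e->freed = true;
	e->next = NULL;
}

/* Returns 1 if the reader touched a freed entry (the UAF), 0 if RCU held.
 * reader_sleeps = true models kmalloc(GFP_KERNEL) inside rcu_read_lock();
 * false models the fix, kmalloc(GFP_ATOMIC). */
static int run_scenario(bool reader_sleeps)
{
	struct ima_rule_entry second      = { .action = 2, .next = NULL };
	struct ima_rule_entry first       = { .action = 1, .next = &second };
	struct ima_rule_entry replacement = { .action = 3, .next = &second };
	unsigned long snap[NR_CPUS];

	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		qs_count[cpu] = 0;
	ima_rules = &first;

	/* Reader, CPU 0: rcu_read_lock(); entry = rcu_dereference(ima_rules). */
	struct ima_rule_entry *entry = ima_rules;

	/* Writer, CPU 1: ima_lsm_update_rule() publishes the new entry
	 * (rcu_assign_pointer), then calls synchronize_rcu() before kfree(). */
	ima_rules = &replacement;
	gp_start(snap);

	/* Reader: ima_lsm_copy_rule() allocates while still in the critical
	 * section.  With GFP_KERNEL the allocation may block and schedule. */
	if (reader_sleeps)
		schedule_on(READER_CPU);

	/* Writer: if the reader's CPU reported a quiescent state, the grace
	 * period is over and the old entry is freed under the reader. */
	bool freed_early = gp_complete(snap, WRITER_CPU);
	if (freed_early)
		kfree_entry(&first);

	/* Reader: entry = entry->next; entry->action.  Reading ->next from a
	 * freed entry is the UAF; the page saw it yield NULL and then oops. */
	if (entry->freed)
		return 1;
	entry = entry->next;
	(void)entry->action;   /* &second is still live: safe */

	/* Reader: rcu_read_unlock(), return to user space -> context switch. */
	schedule_on(READER_CPU);

	/* Writer: the grace period completes only now, so the free is safe. */
	if (!freed_early && gp_complete(snap, WRITER_CPU))
		kfree_entry(&first);
	return 0;
}

int main(void)
{
	printf("kmalloc(GFP_KERNEL) under rcu_read_lock(): %s\n",
	       run_scenario(true) ? "use-after-free" : "safe");
	printf("kmalloc(GFP_ATOMIC) under rcu_read_lock(): %s\n",
	       run_scenario(false) ? "use-after-free" : "safe");
	return 0;
}
```

The two runs differ only in whether the reader schedules inside the critical section. With GFP_KERNEL the reader's own sleep is what lets the updater's grace period finish, which is why the fix is to use GFP_ATOMIC (or to move the allocation outside the read-side section) rather than to add locking around the list walk.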
Potential Impact
For European organizations, this vulnerability poses a significant risk to the stability and reliability of Linux-based systems, especially those running kernel versions affected by this flaw and utilizing IMA for security policy enforcement. Systems such as servers, cloud infrastructure, container hosts (e.g., Kubernetes nodes), and embedded devices relying on Linux kernels could experience unexpected kernel panics leading to denial of service (DoS). This can disrupt critical business operations, cause downtime, and potentially impact services that require high availability. Additionally, the vulnerability could be leveraged in multi-tenant environments to destabilize shared infrastructure. Although no direct code execution or privilege escalation is indicated, the resulting DoS and system crashes can have cascading effects on confidentiality and integrity by interrupting security monitoring and enforcement mechanisms. Given the widespread use of Linux in European data centers, telecom infrastructure, and industrial control systems, the impact could be broad if unpatched systems are exploited or triggered inadvertently.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the fix for CVE-2024-40947, that is, the commit that replaces GFP_KERNEL with GFP_ATOMIC for allocations made inside RCU read-side critical sections, and ensure all affected systems are patched promptly. Where immediate patching is not feasible, organizations should consider disabling IMA if it is not critical to their security posture, since the faulting path is only reached when IMA policy matching runs. Monitoring kernel logs for the described panic (a NULL pointer dereference with ima_match_policy in the faulting frame) can detect attempts to exploit or inadvertently trigger the issue. Organizations should also review their kernel configuration and prefer PREEMPT or PREEMPT_RT kernels where possible, as the commit message describes the violated RCU limitation as applying to non-PREEMPT systems. Finally, robust system monitoring and automated recovery mechanisms can help minimize downtime caused by kernel panics.
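The log-monitoring recommendation above can be implemented as a small oops scanner. The following is an added C example written for this page, not a tool from the kernel project or from the advisory. The sample lines are constructed from the trace quoted in this record, with an unrelated second oops added (its RIP symbol is invented) so the filter has something to reject; the symbol list and the start/end markers are this example's own choices. Because the fault here ends in a panic, the lines usually come from a kdump vmcore-dmesg, pstore or a serial console capture rather than the live journal.

```c
/*
 * Detection example: count kernel oopses whose faulting instruction or call
 * trace lies in the IMA policy-matching path.  The symbol list and the
 * start/end markers are this example's own choices, not kernel-provided.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Symbols from the quoted trace that place the fault in IMA policy matching. */
static const char *const ima_symbols[] = {
	"ima_match_policy",
	"ima_get_action",
};

static bool mentions_ima(const char *line)
{
	for (size_t i = 0; i < sizeof ima_symbols / sizeof *ima_symbols; i++)
		if (strstr(line, ima_symbols[i]))
			return true;
	return false;
}

/*
 * Walk the lines once.  An oops starts at "BUG: unable to handle kernel" and
 * ends at the entry_SYSCALL_64_after_hwframe frame, at the next BUG line, or
 * at end of input (a panic may cut the log short).  Count the oopses whose
 * RIP line or call trace names one of the IMA symbols.
 */
static int count_ima_oopses(const char *const lines[], size_t n)
{
	int hits = 0;
	bool in_oops = false, ima_seen = false;

	for (size_t i = 0; i < n; i++) {
		const char *l = lines[i];
		if (strstr(l, "BUG: unable to handle kernel")) {
			if (in_oops && ima_seen)
				hits++;          /* previous oops had no tail frame */
			in_oops = true;
			ima_seen = false;
			continue;
		}
		if (!in_oops)
			continue;
		if (mentions_ima(l))
			ima_seen = true;
		if (strstr(l, "entry_SYSCALL_64_after_hwframe")) {
			if (ima_seen)
				hits++;
			in_oops = false;
		}
	}
	if (in_oops && ima_seen)
		hits++;   /* log truncated mid-oops */
	return hits;
}

/* Constructed sample: the IMA oops quoted in this record, then an unrelated
 * oops with an invented RIP symbol that must not be counted. */
static const char *const sample_log[] = {
	"BUG: unable to handle kernel NULL pointer dereference at 0000000000000010",
	"Oops: 0000 [#1] SMP NOPTI",
	"CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P",
	"RIP: 0010:ima_match_policy+0x84/0x450",
	"Call Trace:",
	" ima_get_action+0x22/0x30",
	" process_measurement+0xb0/0x830",
	" ima_file_check+0x64/0x90",
	" path_openat+0x571/0x1720",
	" do_sys_open+0x1bd/0x250",
	" do_syscall_64+0x5d/0x1d0",
	" entry_SYSCALL_64_after_hwframe+0x65/0xca",
	"BUG: unable to handle kernel NULL pointer dereference at 0000000000000000",
	"RIP: 0010:example_unrelated_fn+0x10/0x40",   /* constructed placeholder */
	"Call Trace:",
	" do_syscall_64+0x5d/0x1d0",
	" entry_SYSCALL_64_after_hwframe+0x65/0xca",
};

static int scan_sample(void)
{
	return count_ima_oopses(sample_log, sizeof sample_log / sizeof *sample_log);
}

int main(void)
{
	printf("IMA policy-matching oopses in sample log: %d\n", scan_sample());
	return 0;
}
```

In practice the line source would be the saved vmcore-dmesg.txt or the pstore/serial capture; the scanner only needs the lines in order. Matching on the RIP symbol and the top call-trace frames, rather than on the "NULL pointer dereference" text alone, keeps the detection specific to the IMA path instead of firing on every kernel oops.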
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-12T12:17:45.589Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbddee2
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 4:24:38 AM
Last updated: 8/16/2025, 12:44:49 AM
Views: 15
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)