CVE-2024-57838: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: s390/entry: Mark IRQ entries to fix stack depot warnings The stack depot filters out everything outside of the top interrupt context as an uninteresting or irrelevant part of the stack traces. This helps with stack trace de-duplication, avoiding an explosion of saved stack traces that share the same IRQ context code path but originate from different randomly interrupted points, eventually exhausting the stack depot. Filtering uses in_irqentry_text() to identify functions within the .irqentry.text and .softirqentry.text sections, which then become the last stack trace entries being saved. While __do_softirq() is placed into the .softirqentry.text section by common code, populating .irqentry.text is architecture-specific. Currently, the .irqentry.text section on s390 is empty, which prevents stack depot filtering and de-duplication and could result in warnings like: Stack depot reached limit capacity WARNING: CPU: 0 PID: 286113 at lib/stackdepot.c:252 depot_alloc_stack+0x39a/0x3c8 with PREEMPT and KASAN enabled. Fix this by moving the IO/EXT interrupt handlers from .kprobes.text into the .irqentry.text section and updating the kprobes blacklist to include the .irqentry.text section. This is done only for asynchronous interrupts and explicitly not for program checks, which are synchronous and where the context beyond the program check is important to preserve. Despite machine checks being somewhat in between, they are extremely rare, and preserving context when possible is also of value. SVCs and Restart Interrupts are not relevant, one being always at the boundary to user space and the other being a one-time thing. IRQ entries filtering is also optionally used in ftrace function graph, where the same logic applies.
AI Analysis
Technical Summary
CVE-2024-57838 addresses a vulnerability in the Linux kernel specifically related to the s390 architecture's handling of interrupt request (IRQ) entries and stack trace filtering. The Linux kernel uses a stack depot mechanism to store stack traces efficiently by filtering out redundant or irrelevant stack traces, particularly those occurring within interrupt contexts. This filtering relies on identifying functions within the .irqentry.text and .softirqentry.text sections to mark the boundaries of IRQ contexts. While the common code places __do_softirq() into the .softirqentry.text section, the .irqentry.text section is architecture-specific. On the s390 architecture, this section was empty, preventing proper filtering and de-duplication of stack traces originating from IRQ contexts. This deficiency leads to an excessive accumulation of stack traces, eventually exhausting the stack depot's capacity and triggering warnings such as "Stack depot reached limit capacity" and kernel warnings under configurations with PREEMPT and KASAN enabled. The fix involves moving IO/EXT interrupt handlers from the .kprobes.text section into the .irqentry.text section and updating the kprobes blacklist accordingly. This change applies only to asynchronous interrupts, preserving synchronous program checks and rare machine checks contexts. Additionally, the IRQ entries filtering logic is optionally used in the ftrace function graph, which benefits from the improved filtering. This vulnerability is primarily a kernel internal issue affecting debugging and tracing infrastructure rather than a direct security exploit vector. No known exploits are reported in the wild, and the vulnerability does not appear to allow privilege escalation, code execution, or denial of service directly. However, the improper filtering can cause resource exhaustion warnings and potentially impact kernel debugging and monitoring reliability on affected s390 systems.
Potential Impact
For European organizations, the impact of CVE-2024-57838 is largely limited to environments running the Linux kernel on s390 architecture hardware, which is IBM's mainframe platform. Such systems are typically used in large enterprises, financial institutions, government agencies, and critical infrastructure operators that require high reliability and robust mainframe capabilities. The vulnerability does not directly compromise system confidentiality, integrity, or availability but can degrade kernel debugging and tracing capabilities by causing stack depot exhaustion warnings. This may hinder incident response, forensic analysis, and kernel debugging efforts, potentially delaying detection and resolution of other issues. Organizations relying on PREEMPT and KASAN enabled kernels for enhanced debugging and security hardening could experience increased noise or false alarms. While the vulnerability does not present a direct attack vector, the reduced reliability of kernel tracing could indirectly affect security monitoring and operational stability in critical mainframe environments. The limited scope to s390 architecture means the majority of Linux deployments on x86_64 or ARM architectures in Europe are unaffected. However, organizations with mainframe deployments should prioritize patching to maintain kernel observability and system reliability.
Mitigation Recommendations
1. Apply the official Linux kernel patch that moves IO/EXT interrupt handlers into the .irqentry.text section for the s390 architecture as soon as it becomes available. This patch corrects the stack depot filtering behavior and prevents stack depot exhaustion warnings. 2. For organizations using custom or long-term support kernels, backport the fix to ensure consistent behavior in production environments. 3. Monitor kernel logs for stack depot warnings or related messages indicating stack trace exhaustion, especially on systems with PREEMPT and KASAN enabled. 4. Review and update kernel debugging and tracing configurations to ensure compatibility with the patched kernel behavior. 5. Coordinate with hardware and Linux distribution vendors to confirm timely patch availability and deployment plans for s390 systems. 6. Maintain robust incident response and monitoring processes to detect any anomalies in kernel tracing or system behavior that could be related to this issue. 7. Document and communicate the patching plan to relevant operational teams managing mainframe Linux deployments to minimize downtime and operational impact during updates.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy
CVE-2024-57838: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: s390/entry: Mark IRQ entries to fix stack depot warnings The stack depot filters out everything outside of the top interrupt context as an uninteresting or irrelevant part of the stack traces. This helps with stack trace de-duplication, avoiding an explosion of saved stack traces that share the same IRQ context code path but originate from different randomly interrupted points, eventually exhausting the stack depot. Filtering uses in_irqentry_text() to identify functions within the .irqentry.text and .softirqentry.text sections, which then become the last stack trace entries being saved. While __do_softirq() is placed into the .softirqentry.text section by common code, populating .irqentry.text is architecture-specific. Currently, the .irqentry.text section on s390 is empty, which prevents stack depot filtering and de-duplication and could result in warnings like: Stack depot reached limit capacity WARNING: CPU: 0 PID: 286113 at lib/stackdepot.c:252 depot_alloc_stack+0x39a/0x3c8 with PREEMPT and KASAN enabled. Fix this by moving the IO/EXT interrupt handlers from .kprobes.text into the .irqentry.text section and updating the kprobes blacklist to include the .irqentry.text section. This is done only for asynchronous interrupts and explicitly not for program checks, which are synchronous and where the context beyond the program check is important to preserve. Despite machine checks being somewhat in between, they are extremely rare, and preserving context when possible is also of value. SVCs and Restart Interrupts are not relevant, one being always at the boundary to user space and the other being a one-time thing. IRQ entries filtering is also optionally used in ftrace function graph, where the same logic applies.
AI-Powered Analysis
Technical Analysis
CVE-2024-57838 addresses a vulnerability in the Linux kernel specifically related to the s390 architecture's handling of interrupt request (IRQ) entries and stack trace filtering. The Linux kernel uses a stack depot mechanism to store stack traces efficiently by filtering out redundant or irrelevant stack traces, particularly those occurring within interrupt contexts. This filtering relies on identifying functions within the .irqentry.text and .softirqentry.text sections to mark the boundaries of IRQ contexts. While the common code places __do_softirq() into the .softirqentry.text section, the .irqentry.text section is architecture-specific. On the s390 architecture, this section was empty, preventing proper filtering and de-duplication of stack traces originating from IRQ contexts. This deficiency leads to an excessive accumulation of stack traces, eventually exhausting the stack depot's capacity and triggering warnings such as "Stack depot reached limit capacity" and kernel warnings under configurations with PREEMPT and KASAN enabled. The fix involves moving IO/EXT interrupt handlers from the .kprobes.text section into the .irqentry.text section and updating the kprobes blacklist accordingly. This change applies only to asynchronous interrupts, preserving synchronous program checks and rare machine checks contexts. Additionally, the IRQ entries filtering logic is optionally used in the ftrace function graph, which benefits from the improved filtering. This vulnerability is primarily a kernel internal issue affecting debugging and tracing infrastructure rather than a direct security exploit vector. No known exploits are reported in the wild, and the vulnerability does not appear to allow privilege escalation, code execution, or denial of service directly. However, the improper filtering can cause resource exhaustion warnings and potentially impact kernel debugging and monitoring reliability on affected s390 systems.
Potential Impact
For European organizations, the impact of CVE-2024-57838 is largely limited to environments running the Linux kernel on s390 architecture hardware, which is IBM's mainframe platform. Such systems are typically used in large enterprises, financial institutions, government agencies, and critical infrastructure operators that require high reliability and robust mainframe capabilities. The vulnerability does not directly compromise system confidentiality, integrity, or availability but can degrade kernel debugging and tracing capabilities by causing stack depot exhaustion warnings. This may hinder incident response, forensic analysis, and kernel debugging efforts, potentially delaying detection and resolution of other issues. Organizations relying on PREEMPT and KASAN enabled kernels for enhanced debugging and security hardening could experience increased noise or false alarms. While the vulnerability does not present a direct attack vector, the reduced reliability of kernel tracing could indirectly affect security monitoring and operational stability in critical mainframe environments. The limited scope to s390 architecture means the majority of Linux deployments on x86_64 or ARM architectures in Europe are unaffected. However, organizations with mainframe deployments should prioritize patching to maintain kernel observability and system reliability.
Mitigation Recommendations
1. Apply the official Linux kernel patch that moves IO/EXT interrupt handlers into the .irqentry.text section for the s390 architecture as soon as it becomes available. This patch corrects the stack depot filtering behavior and prevents stack depot exhaustion warnings. 2. For organizations using custom or long-term support kernels, backport the fix to ensure consistent behavior in production environments. 3. Monitor kernel logs for stack depot warnings or related messages indicating stack trace exhaustion, especially on systems with PREEMPT and KASAN enabled. 4. Review and update kernel debugging and tracing configurations to ensure compatibility with the patched kernel behavior. 5. Coordinate with hardware and Linux distribution vendors to confirm timely patch availability and deployment plans for s390 systems. 6. Maintain robust incident response and monitoring processes to detect any anomalies in kernel tracing or system behavior that could be related to this issue. 7. Document and communicate the patching plan to relevant operational teams managing mainframe Linux deployments to minimize downtime and operational impact during updates.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-01-11T12:32:49.349Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9822c4522896dcbde8bb
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 8:24:48 AM
Last updated: 8/14/2025, 3:07:11 PM
Views: 13
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.