CVE-2024-57838
Published: 11 January 2025
Summary
CVE-2024-57838 is a high-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 2.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly mitigates the vulnerability by requiring timely application of kernel patches that fix s390 IRQ entry section placement and stack depot filtering.
- Protects against denial of service from stack depot exhaustion by implementing controls to identify, limit, and monitor resource depletion due to excessive asynchronous interrupts.
- Ensures availability of kernel resources such as the stack depot by enforcing allocation limits and monitoring to prevent unauthorized depletion from interrupt-triggered stack trace proliferation.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
This local kernel vulnerability in IRQ/stack handling enables resource-exhaustion DoS (and potential information disclosure) from a low-privileged context via interrupt flooding, which maps directly to system exploitation for endpoint DoS.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
s390/entry: Mark IRQ entries to fix stack depot warnings
The stack depot filters out everything outside of the top interrupt context as an uninteresting or irrelevant part of the stack traces. This helps with stack trace de-duplication, avoiding an explosion of saved stack traces that share the same IRQ context code path but originate from different randomly interrupted points, eventually exhausting the stack depot. Filtering uses in_irqentry_text() to identify functions within the .irqentry.text and .softirqentry.text sections, which then become the last stack trace entries being saved. While __do_softirq() is placed into the .softirqentry.text section by common code, populating .irqentry.text is architecture-specific. Currently, the .irqentry.text section on s390 is empty, which prevents stack depot filtering and de-duplication and could result in warnings like:
Stack depot reached limit capacity
WARNING: CPU: 0 PID: 286113 at lib/stackdepot.c:252 depot_alloc_stack+0x39a/0x3c8
with PREEMPT and KASAN enabled. Fix this by moving the IO/EXT interrupt handlers from .kprobes.text into the .irqentry.text section and updating the kprobes blacklist to include the .irqentry.text section. This is done only for asynchronous interrupts and explicitly not for program checks, which are synchronous and where the context beyond the program check is important to preserve. Despite machine checks being somewhat in between, they are extremely rare, and preserving context when possible is also of value. SVCs and Restart Interrupts are not relevant, one being always at the boundary to user space and the other being a one-time thing. IRQ entries filtering is also optionally used in ftrace function graph, where the same logic applies.
Deeper analysis [AI]
CVE-2024-57838 is a vulnerability in the Linux kernel's s390 architecture entry code, specifically related to interrupt request (IRQ) handling and stack trace management in the stack depot. The issue arises because the .irqentry.text section is empty on s390, preventing the stack depot from filtering out IRQ context code paths using in_irqentry_text(). This leads to ineffective stack trace de-duplication, an explosion of saved stack traces from various interrupt points, and eventual exhaustion of the stack depot's capacity, triggering warnings such as "Stack depot reached limit capacity" and kernel warnings in depot_alloc_stack(), particularly when PREEMPT and KASAN are enabled.
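The de-duplication mechanism described in the NVD text and the paragraph above, as an added C model (not kernel code): it mirrors the shape of the kernel's in_irqentry_text() and filter_irq_stacks() from lib/stackdepot.c and counts how many distinct traces the depot would have to keep when .irqentry.text is empty versus populated. Section address ranges and trace frames are constructed, not real s390 addresses.

```c
#include <stdint.h>
#include <string.h>

#define NR_TRACES 8   /* constructed: the same IRQ lands at 8 different task-context points */
#define TRACE_LEN 5

typedef struct { uintptr_t start, end; } section_t;   /* [start, end) */

/* Constructed fake section layout, not real kernel addresses. */
static const section_t softirqentry       = { 0x3000, 0x3200 };
static const section_t irqentry_empty     = { 0x2000, 0x2000 }; /* s390 before the fix: empty */
static const section_t irqentry_populated = { 0x2000, 0x2400 }; /* after the fix: IO/EXT handlers moved in */

/* Mirrors in_irqentry_text(): is the frame inside .irqentry.text or .softirqentry.text? */
static int in_irqentry_text(uintptr_t a, const section_t *irq)
{
    return (a >= irq->start && a < irq->end) ||
           (a >= softirqentry.start && a < softirqentry.end);
}

/* Mirrors filter_irq_stacks(): frames are innermost first; keep everything up to and
 * including the first IRQ-entry frame, dropping the randomly interrupted context. */
static unsigned int filter_irq_stacks(const uintptr_t *e, unsigned int n, const section_t *irq)
{
    for (unsigned int i = 0; i < n; i++)
        if (in_irqentry_text(e[i], irq))
            return i + 1;
    return n;
}

/* Build NR_TRACES traces sharing the handler path (frames 0..2, 0x2000 standing in for
 * the IO interrupt handler) but interrupted at different task frames, filter each, and
 * count how many distinct traces the depot would still have to store. */
static unsigned int distinct_saved_traces(const section_t *irq)
{
    uintptr_t t[NR_TRACES][TRACE_LEN];
    unsigned int len[NR_TRACES], distinct = 0;
    for (unsigned int k = 0; k < NR_TRACES; k++) {
        uintptr_t frames[TRACE_LEN] = { 0x1000, 0x1040, 0x2000, 0x7000 + 0x100 * k, 0x7800 + 0x40 * k };
        memcpy(t[k], frames, sizeof frames);
        len[k] = filter_irq_stacks(t[k], TRACE_LEN, irq);
    }
    for (unsigned int k = 0; k < NR_TRACES; k++) {   /* count first occurrences only */
        unsigned int dup = 0;
        for (unsigned int j = 0; j < k && !dup; j++)
            dup = len[j] == len[k] && !memcmp(t[j], t[k], len[k] * sizeof(uintptr_t));
        distinct += !dup;
    }
    return distinct;
}

unsigned int saved_before_fix(void) { return distinct_saved_traces(&irqentry_empty); }
unsigned int saved_after_fix(void)  { return distinct_saved_traces(&irqentry_populated); }
```

With the empty section every interrupted point yields a new depot entry (8 of 8 traces kept); once the handler sits in .irqentry.text they collapse to a single entry, which is what stops the depot from filling up.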
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability to achieve high confidentiality impact (C:H) and high availability impact (A:H) with no integrity impact (I:N), as indicated by the CVSS 3.1 score of 7.1. Exploitation involves triggering numerous asynchronous interrupts (IO/EXT), which overwhelm the stack depot due to poor filtering, potentially causing denial-of-service through resource exhaustion and kernel warnings or instability.
Kernel patches referenced in the advisories resolve the issue by moving IO/EXT interrupt handlers from .kprobes.text to the .irqentry.text section for asynchronous interrupts only, while updating the kprobes blacklist to include .irqentry.text. This enables proper filtering without affecting synchronous program checks or rare machine checks. Specific commits include 1af22528fee8, 45c9f2b856a0, 473ffae30301, and 5bb7a2c3afcf, with Debian LTS announcing backports for affected stable kernels. Security practitioners should update to patched kernels to mitigate stack depot exhaustion.
Details
- CWE(s)