{"id":"CVE-2024-35902","summary":"net/rds: fix possible cp null dereference","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp-\u003ecp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n  - rds_get_mr()\n  - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n  (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs-\u003ers_transport-\u003eget_mr(\n\t\tsg, nents, rs, &mr-\u003er_key, cp ? cp-\u003ecp_conn : NULL,\n\t\targs-\u003evec.addr, args-\u003evec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n  where trans_private is assigned as per the previous point in this analysis.\n\n  The only implementation of get_mr that I could locate is rds_ib_get_mr()\n  which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n  rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n  Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n  this patch does seem to address a possible bug","modified":"2026-04-02T11:52:04.725771Z","published":"2024-05-19T08:34:55.692Z","related":["SUSE-SU-2024:3190-1","SUSE-SU-2024:3194-1","SUSE-SU-2024:3195-1","SUSE-SU-2024:3209-1","SUSE-SU-2024:3383-1","SUSE-SU-2024:3483-1","SUSE-SU-2025:20044-1","SUSE-SU-2025:20047-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35902.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35902.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35902"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"786854141057751bc08eb26f1b02e97c1631c8f4"},{"fixed":"d275de8ea7be3a453629fddae41d4156762e814c"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"997efea2bf3a4adb96c306b9ad6a91442237bf5b"},{"fixed":"bcd46782e2ec3825d10c1552fcb674d491cc09f9"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9dfc15a10dfd44f8ff7f27488651cb5be6af83c2"},{"fixed":"cfb786b03b03c5ff38882bee38525eb9987e4d14"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b562ebe21ed9adcf42242797dd6cb75beef12bf0"},{"fixed":"d49fac38479bfdaec52b3ea274d290c47a294029"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"998fd719e6d6468b930ac0c44552ea9ff8b07b80"},{"fixed":"cbaac2e5488ed54833897264a5ffb2a341a9f196"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2b505d05280739ce31d5708da840f42df827cb85"},{"fixed":"92309bed3c5fbe2ccd4c45056efd42edbd06162d"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c055fc00c07be1f0df7375ab0036cebd1106ed38"},{"fixed":"6794090c742008c53b344b35b021d4a3093dc50a"},{"fixed":"62fc3357e079a07a22465b9b6ef71bb6ea75ee4b"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"907761307469adecb02461a14120e9a1812a5fb1"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35902.json"}}],"schema_version":"1.7.5"}