CVE-2024-42136: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-42136 affects the Linux kernel's CDROM driver, specifically related to a signed integer overflow vulnerability in the lastmediachange check functionality. The vulnerability was discovered when running syzkaller with the newly reintroduced signed integer wrap sanitizer, which detected an unintentional overflow condition in drivers/cdrom/cdrom.c (Kernel Patch).

The vulnerability occurs in the CDROM driver's media change detection logic where a signed integer overflow could happen during arithmetic operations. The specific issue was identified in the cdromioctltimedmediachange function where the expression tmp_info.last_media_change - cdi->last_media_change_ms could result in an integer overflow. The CVSS v3.1 score is 7.8 (HIGH) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability affects Linux kernel versions up to (excluding) 6.1.98, versions from 6.2 up to (excluding) 6.6.39, and versions from 6.7 up to (excluding) 6.9.9. When exploited, it could lead to a system crash or potential privilege escalation due to the integer overflow condition in the CDROM subsystem (NVD).

The vulnerability has been patched by rearranging the lastmediachange check to avoid the arithmetic operation that could cause the overflow. The fix changes the condition from tmp_info.last_media_change - cdi->last_media_change_ms < 0 to cdi->last_media_change_ms > tmp_info.last_media_change, eliminating the potential for integer overflow (Kernel Patch).