"value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super\n\nWhen configuring a hugetlb filesystem via the fsconfig() syscall, there is\na possible NULL dereference in hugetlbfs_fill_super() caused by assigning\nNULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize\nis not valid.\n\nE.g.: Taking the following steps:\n\n fd = fsopen(\"hugetlbfs\", FSOPEN_CLOEXEC);\n fsconfig(fd, FSCONFIG_SET_STRING, \"pagesize\", \"1024\", 0);\n fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);\n\nGiven that the requested \"pagesize\" is invalid, ctx->hstate will be replaced\nwith NULL, losing its previous value, and we will print an error:\n\n ...\n ...\n case Opt_pagesize:\n ps = memparse(param->string, &rest);\n ctx->hstate = h;\n if (!ctx->hstate) {\n pr_err(\"Unsupported page size %lu MB\\n\", ps / SZ_1M);\n return -EINVAL;\n }\n return 0;\n ...\n ...\n\nThis is a problem because later on, we will dereference ctx->hstate in\nhugetlbfs_fill_super():\n\n ...\n ...\n sb->s_blocksize = huge_page_size(ctx->hstate);\n ...\n ...\n\nCausing the Oops below.\n\nFix this by replacing the ctx->hstate value only when the pagesize is known\nto be valid.\n\n kernel: hugetlbfs: Unsupported page size 0 MB\n kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028\n kernel: #PF: supervisor read access in kernel mode\n kernel: #PF: error_code(0x0000) - not-present page\n kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0\n kernel: Oops: 0000 [#1] PREEMPT SMP PTI\n kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G E 6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f\n kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017\n kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0\n kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28\n kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246\n kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004\n kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000\n kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004\n kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000\n kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400\n kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000\n kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0\n kernel: Call Trace:\n kernel: <TASK>\n kernel: ? __die_body+0x1a/0x60\n kernel: ? page_fault_oops+0x16f/0x4a0\n kernel: ? search_bpf_extables+0x65/0x70\n kernel: ? fixup_exception+0x22/0x310\n kernel: ? exc_page_fault+0x69/0x150\n kernel: ? asm_exc_page_fault+0x22/0x30\n kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel: ? hugetlbfs_fill_super+0xb4/0x1a0\n kernel: ? hugetlbfs_fill_super+0x28/0x1a0\n kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel: vfs_get_super+0x40/0xa0\n kernel: ? __pfx_bpf_lsm_capable+0x10/0x10\n kernel: vfs_get_tree+0x25/0xd0\n kernel: vfs_cmd_create+0x64/0xe0\n kernel: __x64_sys_fsconfig+0x395/0x410\n kernel: do_syscall_64+0x80/0x160\n kernel: ? syscall_exit_to_user_mode+0x82/0x240\n kernel: ? do_syscall_64+0x8d/0x160\n kernel: ? syscall_exit_to_user_mode+0x82/0x240\n kernel: ? do_syscall_64+0x8d/0x160\n kernel: ? exc_page_fault+0x69/0x150\n kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76\n kernel: RIP: 0033:0x7ffbc0cb87c9\n kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48\n kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af\n kernel: RAX: ffffff
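The failure mode described in the record is a store-before-validate: the lookup result is written into ctx->hstate first and only then checked, so a rejected "pagesize" leaves the context holding NULL while the fsconfig() call itself still returns -EINVAL and the context remains usable for FSCONFIG_CMD_CREATE. The following userspace model, added here as an illustration and not the kernel's own code, reproduces that logic beside the corrected ordering. Everything ending in _model (the two-entry hstate table, the minimal memparse, the fill_super stand-in that returns -1 instead of faulting) is an assumption made for the example; the kernel's real size_to_hstate(), memparse() and hstate table differ in detail.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed stand-in for the kernel's struct hstate (example only). */
struct hstate_model {
	unsigned long size;	/* huge page size in bytes */
	const char *name;
};

/* Constructed table standing in for hstates[]; x86-64 sizes, example only. */
static const struct hstate_model hstates_model[] = {
	{ 2UL << 20, "2M" },
	{ 1UL << 30, "1G" },
};

/* Assumed stand-in for the hugetlbfs fs_context: only the field that matters. */
struct fs_context_model {
	const struct hstate_model *hstate;	/* ctx->hstate in the kernel */
};

/* The value a fresh context starts with (the kernel uses default_hstate). */
static const struct hstate_model *default_hstate_model(void)
{
	return &hstates_model[0];
}

/* Stand-in for size_to_hstate(): NULL when no hstate matches the size. */
static const struct hstate_model *size_to_hstate_model(unsigned long size)
{
	size_t i;

	for (i = 0; i < sizeof hstates_model / sizeof hstates_model[0]; i++)
		if (hstates_model[i].size == size)
			return &hstates_model[i];
	return NULL;
}

/* Minimal memparse(): number (base 0) with optional K/M/G suffix. */
static unsigned long memparse_model(const char *s)
{
	char *end;
	unsigned long v = strtoul(s, &end, 0);

	switch (*end) {
	case 'G': case 'g': v <<= 10; /* fall through */
	case 'M': case 'm': v <<= 10; /* fall through */
	case 'K': case 'k': v <<= 10; break;
	default: break;
	}
	return v;
}

/* Pre-fix ordering: the lookup result is stored before it is validated, so
 * an invalid size leaves ctx->hstate == NULL even though -EINVAL is returned. */
static int parse_pagesize_buggy(struct fs_context_model *ctx, const char *arg)
{
	unsigned long ps = memparse_model(arg);

	ctx->hstate = size_to_hstate_model(ps);
	if (!ctx->hstate) {
		fprintf(stderr, "hugetlbfs: Unsupported page size %lu MB\n", ps >> 20);
		return -EINVAL;
	}
	return 0;
}

/* Post-fix ordering: validate into a local first; ctx->hstate keeps its
 * previous, valid value when the requested size is rejected. */
static int parse_pagesize_fixed(struct fs_context_model *ctx, const char *arg)
{
	unsigned long ps = memparse_model(arg);
	const struct hstate_model *h = size_to_hstate_model(ps);

	if (!h) {
		fprintf(stderr, "hugetlbfs: Unsupported page size %lu MB\n", ps >> 20);
		return -EINVAL;
	}
	ctx->hstate = h;
	return 0;
}

/* Stand-in for sb->s_blocksize = huge_page_size(ctx->hstate) in
 * hugetlbfs_fill_super(). The kernel dereferences unconditionally and
 * faults at offset 0x28; this model reports the NULL case as -1 instead. */
static long fill_super_blocksize_model(const struct fs_context_model *ctx)
{
	if (!ctx->hstate)
		return -1;
	return (long)ctx->hstate->size;
}

int main(void)
{
	struct fs_context_model ctx = { default_hstate_model() };

	/* The record's reproducer: pagesize=1024 is rejected, CREATE still runs. */
	parse_pagesize_buggy(&ctx, "1024");
	printf("buggy: blocksize after rejected option = %ld\n",
	       fill_super_blocksize_model(&ctx));

	ctx.hstate = default_hstate_model();
	parse_pagesize_fixed(&ctx, "1024");
	printf("fixed: blocksize after rejected option = %ld\n",
	       fill_super_blocksize_model(&ctx));
	return 0;
}
```

The check worth carrying into a review of similar option parsers: a parse step that fails must leave the context exactly as it found it, because fsconfig() callers are free to ignore the error from one FSCONFIG_SET_STRING and proceed to FSCONFIG_CMD_CREATE.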