2024-10-21 20:03:29 +00:00
|
|
|
{
|
|
|
|
|
"id": "CVE-2024-49934",
|
|
|
|
|
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
|
|
|
"published": "2024-10-21T18:15:15.273",
|
2024-12-14 23:03:44 +00:00
|
|
|
"lastModified": "2024-12-14T21:15:30.690",
|
2024-12-09 15:04:30 +00:00
|
|
|
"vulnStatus": "Modified",
|
2024-10-21 20:03:29 +00:00
|
|
|
"cveTags": [],
|
|
|
|
|
"descriptions": [
|
|
|
|
|
{
|
|
|
|
|
"lang": "en",
|
|
|
|
|
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name\n\nIt's observed that a crash occurs during hot-remove a memory device,\nin which user is accessing the hugetlb. See calltrace as following:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790\nModules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc s\nmirror dm_region_hash dm_log dm_mod\nCPU: 1 PID: 14045 Comm: daxctl Not tainted 6.10.0-rc2-lizhijian+ #492\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:do_user_addr_fault+0x2a0/0x790\nCode: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff <0f> 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41\nRSP: 0000:ffffc90000a575f0 EFLAGS: 00010046\nRAX: ffff88800c303600 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a57658\nR13: 0000000000001000 R14: ffff88800bc2e040 R15: 0000000000000000\nFS: 00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? __warn+0x8d/0x190\n ? do_user_addr_fault+0x2a0/0x790\n ? report_bug+0x1c3/0x1d0\n ? handle_bug+0x3c/0x70\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? do_user_addr_fault+0x2a0/0x790\n ? exc_page_fault+0x31/0x200\n exc_page_fault+0x68/0x200\n<...snip...>\nBUG: unable to handle page fault for address: 0000000000001000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n ---[ end trace 0000000000000000 ]---\n BUG: unable to handle page fault for address: 0000000000001000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 14045 Comm: daxctl Kdump: loaded Tainted: G W 6.10.0-rc2-lizhijian+ #492\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n RIP: 0010:dentry_name+0x1f4/0x440\n<...snip...>\n? dentry_name+0x2fa/0x440\nvsnprintf+0x1f3/0x4f0\nvprintk_store+0x23a/0x540\nvprintk_emit+0x6d/0x330\n_printk+0x58/0x80\ndump_mapping+0x10b/0x1a0\n? __pfx_free_object_rcu+0x10/0x10\n__dump_page+0x26b/0x3e0\n? vprintk_emit+0xe0/0x330\n? _printk+0x58/0x80\n? dump_page+0x17/0x50\ndump_page+0x17/0x50\ndo_migrate_range+0x2f7/0x7f0\n? do_migrate_range+0x42/0x7f0\n? offline_pages+0x2f4/0x8c0\noffline_pages+0x60a/0x8c0\nmemory_subsys_offline+0x9f/0x1c0\n? lockdep_hardirqs_on+0x77/0x100\n? _raw_spin_unlock_irqrestore+0x38/0x60\ndevice_offline+0xe3/0x110\nstate_store+0x6e/0xc0\nkernfs_fop_write_iter+0x143/0x200\nvfs_write+0x39f/0x560\nksys_write+0x65/0xf0\ndo_syscall_64+0x62/0x130\n\nPreviously, some sanity check have been done in dump_mapping() before\nthe print facility parsing '%pd' though, it's still possible to run into\nan invalid dentry.d_name.name.\n\nSince dump_mapping() only needs to dump the filename only, retrieve it\nby itself in a safer way to prevent an unnecessary crash.\n\nNote that either retrieving the filename with '%pd' or\nstrncpy_from_kernel_nofault(), the filename could be unreliable."
|
2024-10-23 16:03:56 +00:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"lang": "es",
|
|
|
|
|
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fs/inode: Evitar que dump_mapping() acceda a dentry.d_name.name no v\u00e1lido Se observa que se produce un bloqueo durante la eliminaci\u00f3n activa de un dispositivo de memoria, en el que el usuario est\u00e1 accediendo a hugetlb. Consulte el seguimiento de llamadas de la siguiente manera: ------------[ cortar aqu\u00ed ]------------ ADVERTENCIA: CPU: 1 PID: 14045 en arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790 M\u00f3dulos vinculados en: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc s mirror dm_region_hash dm_log dm_mod CPU: 1 PID: 14045 Comm: daxctl No contaminado 6.10.0-rc2-lizhijian+ #492 Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 01/04/2014 RIP: 0010:do_user_addr_fault+0x2a0/0x790 C\u00f3digo: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff <0f> 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41 RSP: 0000:ffffc90000a575f0 EFLAGS: 00010046 RAX: ffff88800c303600 RBX: 0000000000000000 RCX: 000000000000000 RDX: 00000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000000000 R11: 0000000000000000 R12: ffffc90000a57658 R13: 0000000000001000 R14: ffff88800bc2e040 R15: 000000000000000 FS: 00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas: ? __warn+0x8d/0x190 ? do_user_addr_fault+0x2a0/0x790 ? report_bug+0x1c3/0x1d0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? do_user_addr_fault+0x2a0/0x790 ? exc_page_fault+0x31/0x200 exc_page_fault+0x68/0x200 <...snip...> ERROR: no se puede manejar el error de p\u00e1gina para la direcci\u00f3n: 0000000000001000 #PF: acceso de lectura del supervisor en modo kernel #PF: error_code(0x0000) - p\u00e1gina no presente PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI ---[ fin del seguimiento 000000000000000 ]--- ERROR: no se puede manejar el error de p\u00e1gina para la direcci\u00f3n: 0000000000001000 #PF: acceso de lectura del supervisor en modo kernel #PF: error_code(0x0000) - p\u00e1gina no presente PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 14045 Comm: daxctl Kdump: cargado Tainted: GW 6.10.0-rc2-lizhijian+ #492 Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:dentry_name+0x1f4/0x440 <...snip...> ? dentry_name+0x2fa/0x440 vsnprintf+0x1f3/0x4f0 vprintk_store+0x23a/0x540 vprintk_emit+0x6d/0x330 _printk+0x58/0x80 dump_mapping+0x10b/0x1a0 ? __pfx_free_object_rcu+0x10/0x10 __dump_page+0x26b/0x3e0 ? vprintk_emit+0xe0/0x330 ? _printk+0x58/0x80 ? dump_page+0x17/0x50 dump_page+0x17/0x50 do_migrate_range+0x2f7/0x7f0 ? do_migrate_range+0x42/0x7f0 ? offline_pages+0x2f4/0x8c0 offline_pages+0x60a/0x8c0 memory_subsys_offline+0x9f/0x1c0 ? lockdep_hardirqs_on+0x77/0x100 ? _raw_spin_unlock_irqrestore+0x38/0x60 device_offline+0xe3/0x110 state_store+0x6e/0xc0 kernfs_fop_write_iter+0x143/0x200 vfs_write+0x39f/0x560 ksys_write+0x65/0xf0 do_syscall_64+0x62/0x130 Anteriormente, se han realizado algunas comprobaciones de cordura en dump_mapping() antes de que la funci\u00f3n de impresi\u00f3n analice '%pd', aunque a\u00fan es posible encontrarse con un dentry.d_name.name no v\u00e1lido. Dado que dump_mapping() solo necesita volcar el nombre del archivo, recup\u00e9relo por s\u00ed mismo de una ma
|
2024-10-21 20:03:29 +00:00
|
|
|
}
|
|
|
|
|
],
|
2024-11-13 17:03:52 +00:00
|
|
|
"metrics": {
|
|
|
|
|
"cvssMetricV31": [
|
|
|
|
|
{
|
|
|
|
|
"source": "nvd@nist.gov",
|
|
|
|
|
"type": "Primary",
|
|
|
|
|
"cvssData": {
|
|
|
|
|
"version": "3.1",
|
|
|
|
|
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
|
2024-12-08 03:06:42 +00:00
|
|
|
"baseScore": 4.6,
|
|
|
|
|
"baseSeverity": "MEDIUM",
|
2024-11-13 17:03:52 +00:00
|
|
|
"attackVector": "PHYSICAL",
|
|
|
|
|
"attackComplexity": "LOW",
|
|
|
|
|
"privilegesRequired": "NONE",
|
|
|
|
|
"userInteraction": "NONE",
|
|
|
|
|
"scope": "UNCHANGED",
|
|
|
|
|
"confidentialityImpact": "NONE",
|
|
|
|
|
"integrityImpact": "NONE",
|
2024-12-08 03:06:42 +00:00
|
|
|
"availabilityImpact": "HIGH"
|
2024-11-13 17:03:52 +00:00
|
|
|
},
|
|
|
|
|
"exploitabilityScore": 0.9,
|
|
|
|
|
"impactScore": 3.6
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
"weaknesses": [
|
|
|
|
|
{
|
|
|
|
|
"source": "nvd@nist.gov",
|
|
|
|
|
"type": "Primary",
|
|
|
|
|
"description": [
|
|
|
|
|
{
|
|
|
|
|
"lang": "en",
|
|
|
|
|
"value": "NVD-CWE-noinfo"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
"configurations": [
|
|
|
|
|
{
|
|
|
|
|
"nodes": [
|
|
|
|
|
{
|
|
|
|
|
"operator": "OR",
|
|
|
|
|
"negate": false,
|
|
|
|
|
"cpeMatch": [
|
|
|
|
|
{
|
|
|
|
|
"vulnerable": true,
|
|
|
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
|
|
|
|
"versionEndExcluding": "6.10.14",
|
|
|
|
|
"matchCriteriaId": "652638C5-5F25-4DF3-AD42-DD3252A97152"
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"vulnerable": true,
|
|
|
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
|
|
|
|
"versionStartIncluding": "6.11",
|
|
|
|
|
"versionEndExcluding": "6.11.3",
|
|
|
|
|
"matchCriteriaId": "54D9C704-D679-41A7-9C40-10A6B1E7FFE9"
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
],
|
2024-10-21 20:03:29 +00:00
|
|
|
"references": [
|
2024-12-14 23:03:44 +00:00
|
|
|
{
|
|
|
|
|
"url": "https://git.kernel.org/stable/c/1a4159138e718db6199f0abf376ad52f726dcc5c",
|
|
|
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
|
|
|
|
|
},
|
2024-10-21 20:03:29 +00:00
|
|
|
{
|
|
|
|
|
"url": "https://git.kernel.org/stable/c/7f7b850689ac06a62befe26e1fd1806799e7f152",
|
2024-11-13 17:03:52 +00:00
|
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
|
|
|
"tags": [
|
|
|
|
|
"Patch"
|
|
|
|
|
]
|
2024-10-21 20:03:29 +00:00
|
|
|
},
|
2024-12-09 15:04:30 +00:00
|
|
|
{
|
|
|
|
|
"url": "https://git.kernel.org/stable/c/e0f6ee75f50476607ca82fc7c3711c795ce09b52",
|
|
|
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
|
|
|
|
|
},
|
2024-10-21 20:03:29 +00:00
|
|
|
{
|
|
|
|
|
"url": "https://git.kernel.org/stable/c/ef921bc72328b577cb45772ff7921cba4773b74a",
|
2024-11-13 17:03:52 +00:00
|
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
|
|
|
"tags": [
|
|
|
|
|
"Patch"
|
|
|
|
|
]
|
2024-10-21 20:03:29 +00:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"url": "https://git.kernel.org/stable/c/f92b8829c6e75632de4e2b9f70e7a7e6c5c2ba98",
|
2024-11-13 17:03:52 +00:00
|
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
|
|
|
"tags": [
|
|
|
|
|
"Patch"
|
|
|
|
|
]
|
2024-10-21 20:03:29 +00:00
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
}
|
