nvd-json-data-feeds/CVE-2023/CVE-2023-526xx/CVE-2023-52629.json

{
  "id": "CVE-2023-52629",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2024-03-29T10:15:09.327",
  "lastModified": "2024-11-21T08:40:14.360",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\n\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\n\n      (cpu 0)                    |      (cpu 1)\nswitch_drv_remove()              |\n flush_work()                    |\n  ...                            |  switch_timer // timer\n                                 |   schedule_work(&psw->work)\n timer_shutdown_sync()           |\n ...                             |  switch_work_handler // worker\n kfree(psw) // free              |\n                                 |   psw->state = 0 // use\n\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sh: push-switch: reordenar las operaciones de limpieza para evitar el error de use after free. El c\u00f3digo original coloca Flush_work() antes de timer_shutdown_sync() en switch_drv_remove(). Aunque usamos Flush_work() para detener al trabajador, podr\u00eda reprogramarse en switch_timer(). Como resultado, puede ocurrir un error de use after free. Los detalles se muestran a continuaci\u00f3n: (cpu 0) | (procesador 1) switch_drv_remove() | descarga_trabajo() | ... | switch_timer // temporizador | Schedule_work(&psw->trabajo) timer_shutdown_sync() | ... | switch_work_handler // trabajador kfree(psw) // gratis | | psw->state = 0 // uso Este parche coloca timer_shutdown_sync() antes de Flush_work() para mitigar los errores. Como resultado, el trabajador y el temporizador se detendr\u00e1n de forma segura antes de las operaciones de desasignaci\u00f3n."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "baseScore": 8.4,
          "baseSeverity": "HIGH",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 5.9
      }
    ]
  },
  "weaknesses": [
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65",
      "source": "af854a3a-2127-422b-91ae-364da2661108"
    },
    {
      "url": "https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de",
      "source": "af854a3a-2127-422b-91ae-364da2661108"
    }
  ]
}