admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-28 09:11:28 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2024/CVE-2024-410xx/CVE-2024-41057.json
cad-safe-bot e6cbafdc40 Auto-Update: 2024-12-08T03:00:18.988682+00:00
2024-12-08 03:06:42 +00:00

145 lines
10 KiB
JSON
Raw Blame History

{
"id": "CVE-2024-41057",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.773",
"lastModified": "2024-11-21T09:32:09.390",
"vulnStatus": "Modified",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600\nRead of size 8 at addr ffff888118efc000 by task kworker/u78:0/109\n\nCPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566\nCall Trace:\n <TASK>\n kasan_report+0x93/0xc0\n cachefiles_withdraw_cookie+0x4d9/0x600\n fscache_cookie_state_machine+0x5c8/0x1230\n fscache_cookie_worker+0x91/0x1c0\n process_one_work+0x7fa/0x1800\n [...]\n\nAllocated by task 117:\n kmalloc_trace+0x1b3/0x3c0\n cachefiles_acquire_volume+0xf3/0x9c0\n fscache_create_volume_work+0x97/0x150\n process_one_work+0x7fa/0x1800\n [...]\n\nFreed by task 120301:\n kfree+0xf1/0x2c0\n cachefiles_withdraw_cache+0x3fa/0x920\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n do_exit+0x87a/0x29b0\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n p1 | p2\n------------------------------------------------------------\n fscache_begin_lookup\n fscache_begin_volume_access\n fscache_cache_is_live(fscache_cache)\ncachefiles_daemon_release\n cachefiles_put_unbind_pincount\n cachefiles_daemon_unbind\n cachefiles_withdraw_cache\n fscache_withdraw_cache\n fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);\n cachefiles_withdraw_objects(cache)\n fscache_wait_for_objects(fscache)\n atomic_read(&fscache_cache->object_count) == 0\n fscache_perform_lookup\n cachefiles_lookup_cookie\n cachefiles_alloc_object\n refcount_set(&object->ref, 1);\n object->volume = volume\n fscache_count_object(vcookie->cache);\n atomic_inc(&fscache_cache->object_count)\n cachefiles_withdraw_volumes\n cachefiles_withdraw_volume\n fscache_withdraw_volume\n __cachefiles_free_volume\n kfree(cachefiles_volume)\n fscache_cookie_state_machine\n cachefiles_withdraw_cookie\n cache = object->volume->cache;\n // cachefiles_volume UAF !!!\n\nAfter setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups\nto complete first, and then wait for fscache_cache->object_count == 0 to\navoid the cookie exiting after the volume has been freed and triggering\nthe above issue. Therefore call fscache_withdraw_volume() before calling\ncachefiles_withdraw_objects().\n\nThis way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two\ncases will occur:\n1) fscache_begin_lookup fails in fscache_begin_volume_access().\n2) fscache_withdraw_volume() will ensure that fscache_count_object() has\n been executed before calling fscache_wait_for_objects()."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() Recibimos el siguiente problema en nuestra prueba de estr\u00e9s de inyecci\u00f3n de fallos: ============ ==================================================== ==== ERROR: KASAN: slab-use-after-free en cachefiles_withdraw_cookie+0x4d9/0x600 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff888118efc000 por tarea kworker/u78:0/109 CPU: 13 PID: 109 Comm: kworker/u78:0 No contaminado 6.8.0-dirty #566 Seguimiento de llamadas: kasan_report+0x93/0xc0 cachefiles_withdraw_cookie+0x4d9/0x600 fscache_cookie_state_machine+0x5c8/0x1230 fscache_cookie_worker+0x91/0x1c0 Process_one_work+0x7fa/0x1800 [...] Asignado por la tarea 117: kmalloc_trace+0x1b3/0x3c0 cachefiles_acquire_volume+0xf3/0x9c0 fscache_create_volume_work+0x97/0x150 Process_one_work+0x7fa/0x1800 [...] Liberado por la tarea 120301: kfree+0xf1/0x2c0 cachefiles_withdraw_cache+0x3fa/0x92 0 cachefiles_put_unbind_pincount+0x1f6/0x250 cachefiles_daemon_release+0x13b/0x290 __fput+0x204/0xa00 task_work_run+0x139/0x230 do_exit+0x87a/0x29b0 [...] ================================ ==================================== El siguiente es el proceso que desencadena el problema: p1 | p2 ------------------------------------------------- ----------- fscache_begin_lookup fscache_begin_volume_access fscache_cache_is_live(fscache_cache) cachefiles_daemon_release cachefiles_put_unbind_pincount cachefiles_daemon_unbind cachefiles_withdraw_cache fscache_withdraw_cache fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN); cachefiles_withdraw_objects(cache) fscache_wait_for_objects(fscache) atomic_read(&amp;fscache_cache-&gt;object_count) == 0 fscache_perform_lookup cachefiles_lookup_cookie cachefiles_alloc_object refcount_set(&amp;object-&gt;ref, 1); objeto-&gt;volumen = volumen fscache_count_object(vcookie-&gt;cache); atomic_inc(&amp;fscache_cache-&gt;object_count) cachefiles_withdraw_volumes cachefiles_withdraw_volume fscache_withdraw_volume __cachefiles_free_volume kfree(cachefiles_volume) fscache_cookie_state_machine cachefiles_withdraw_cookie cache = objeto-&gt;volumen-&gt;cache; // archivos_cach\u00e9_volumen UAF !!! Despu\u00e9s de configurar FSCACHE_CACHE_IS_WITHDRAWN, primero espere a que se completen todas las b\u00fasquedas de cookies y luego espere a que fscache_cache-&gt;object_count == 0 para evitar que la cookie salga despu\u00e9s de que se haya liberado el volumen y desencadene el problema anterior. Por lo tanto, llame a fscache_withdraw_volume() antes de llamar a cachefiles_withdraw_objects(). De esta manera, despu\u00e9s de configurar FSCACHE_CACHE_IS_WITHDRAWN, solo ocurrir\u00e1n los dos casos siguientes: 1) fscache_begin_lookup falla en fscache_begin_volume_access(). 2) fscache_withdraw_volume() garantizar\u00e1 que fscache_count_object() se haya ejecutado antes de llamar a fscache_wait_for_objects()."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-416"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17",
"versionEndExcluding": "6.1.101",
"matchCriteriaId": "DB356B3F-4040-49B4-8BB9-E2643A2E9B13"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2",
"versionEndExcluding": "6.6.42",
"matchCriteriaId": "972274A2-D688-4C37-BE42-689B58B4C225"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7",
"versionEndExcluding": "6.9.11",
"matchCriteriaId": "01E300B3-8B39-4A2D-8B03-4631433D3915"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink