admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-29 01:31:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2022/CVE-2022-497xx/CVE-2022-49721.json
cad-safe-bot 6a206bf025 Auto-Update: 2025-03-09T03:00:19.873769+00:00
2025-03-09 03:03:50 +00:00

37 lines
9.1 KiB
JSON
Raw Blame History

{
"id": "CVE-2022-49721",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2025-02-26T07:01:47.793",
"lastModified": "2025-02-26T07:01:47.793",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ftrace: consistently handle PLTs.\n\nSometimes it is necessary to use a PLT entry to call an ftrace\ntrampoline. This is handled by ftrace_make_call() and ftrace_make_nop(),\nwith each having *almost* identical logic, but this is not handled by\nftrace_modify_call() since its introduction in commit:\n\n 3b23e4991fb66f6d (\"arm64: implement ftrace with regs\")\n\nDue to this, if we ever were to call ftrace_modify_call() for a callsite\nwhich requires a PLT entry for a trampoline, then either:\n\na) If the old addr requires a trampoline, ftrace_modify_call() will use\n an out-of-range address to generate the 'old' branch instruction.\n This will result in warnings from aarch64_insn_gen_branch_imm() and\n ftrace_modify_code(), and no instructions will be modified. As\n ftrace_modify_call() will return an error, this will result in\n subsequent internal ftrace errors.\n\nb) If the old addr does not require a trampoline, but the new addr does,\n ftrace_modify_call() will use an out-of-range address to generate the\n 'new' branch instruction. This will result in warnings from\n aarch64_insn_gen_branch_imm(), and ftrace_modify_code() will replace\n the 'old' branch with a BRK. This will result in a kernel panic when\n this BRK is later executed.\n\nPractically speaking, case (a) is vastly more likely than case (b), and\ntypically this will result in internal ftrace errors that don't\nnecessarily affect the rest of the system. This can be demonstrated with\nan out-of-tree test module which triggers ftrace_modify_call(), e.g.\n\n| # insmod test_ftrace.ko\n| test_ftrace: Function test_function raw=0xffffb3749399201c, callsite=0xffffb37493992024\n| branch_imm_common: offset out of range\n| branch_imm_common: offset out of range\n| ------------[ ftrace bug ]------------\n| ftrace failed to modify\n| [<ffffb37493992024>] test_function+0x8/0x38 [test_ftrace]\n| actual: 1d:00:00:94\n| Updating ftrace call site to call a different ftrace function\n| ftrace record flags: e0000002\n| (2) R\n| expected tramp: ffffb374ae42ed54\n| ------------[ cut here ]------------\n| WARNING: CPU: 0 PID: 165 at kernel/trace/ftrace.c:2085 ftrace_bug+0x280/0x2b0\n| Modules linked in: test_ftrace(+)\n| CPU: 0 PID: 165 Comm: insmod Not tainted 5.19.0-rc2-00002-g4d9ead8b45ce #13\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : ftrace_bug+0x280/0x2b0\n| lr : ftrace_bug+0x280/0x2b0\n| sp : ffff80000839ba00\n| x29: ffff80000839ba00 x28: 0000000000000000 x27: ffff80000839bcf0\n| x26: ffffb37493994180 x25: ffffb374b0991c28 x24: ffffb374b0d70000\n| x23: 00000000ffffffea x22: ffffb374afcc33b0 x21: ffffb374b08f9cc8\n| x20: ffff572b8462c000 x19: ffffb374b08f9000 x18: ffffffffffffffff\n| x17: 6c6c6163202c6331 x16: ffffb374ae5ad110 x15: ffffb374b0d51ee4\n| x14: 0000000000000000 x13: 3435646532346561 x12: 3437336266666666\n| x11: 203a706d61727420 x10: 6465746365707865 x9 : ffffb374ae5149e8\n| x8 : 336266666666203a x7 : 706d617274206465 x6 : 00000000fffff167\n| x5 : ffff572bffbc4a08 x4 : 00000000fffff167 x3 : 0000000000000000\n| x2 : 0000000000000000 x1 : ffff572b84461e00 x0 : 0000000000000022\n| Call trace:\n| ftrace_bug+0x280/0x2b0\n| ftrace_replace_code+0x98/0xa0\n| ftrace_modify_all_code+0xe0/0x144\n| arch_ftrace_update_code+0x14/0x20\n| ftrace_startup+0xf8/0x1b0\n| register_ftrace_function+0x38/0x90\n| test_ftrace_init+0xd0/0x1000 [test_ftrace]\n| do_one_initcall+0x50/0x2b0\n| do_init_module+0x50/0x1f0\n| load_module+0x17c8/0x1d64\n| __do_sys_finit_module+0xa8/0x100\n| __arm64_sys_finit_module+0x2c/0x3c\n| invoke_syscall+0x50/0x120\n| el0_svc_common.constprop.0+0xdc/0x100\n| do_el0_svc+0x3c/0xd0\n| el0_svc+0x34/0xb0\n| el0t_64_sync_handler+0xbc/0x140\n| el0t_64_sync+0x18c/0x190\n| ---[ end trace 0000000000000000 ]---\n\nWe can solve this by consistently determining whether to use a PLT entry\nfor an address.\n\nNote that since (the earlier) commit:\n\n f1a54ae9\n---truncated---"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64: ftrace: gestiona PLT de manera consistente. A veces es necesario usar una entrada PLT para llamar a un trampol\u00edn ftrace. Esto lo gestionan ftrace_make_call() y ftrace_make_nop(), y cada uno tiene una l\u00f3gica *casi* id\u00e9ntica, pero esto no lo maneja ftrace_modify_call() desde su introducci\u00f3n en el commit: 3b23e4991fb66f6d (\"arm64: implement ftrace with regs\") Debido a esto, si alguna vez llam\u00e1ramos a ftrace_modify_call() para un sitio de llamada que requiere una entrada PLT para un trampol\u00edn, entonces: a) Si la direcci\u00f3n anterior requiere un trampol\u00edn, ftrace_modify_call() usar\u00e1 una direcci\u00f3n fuera de rango para generar la instrucci\u00f3n de rama \"anterior\". Esto dar\u00e1 como resultado advertencias de aarch64_insn_gen_branch_imm() y ftrace_modify_code(), y no se modificar\u00e1 ninguna instrucci\u00f3n. Como ftrace_modify_call() devolver\u00e1 un error, esto dar\u00e1 como resultado errores ftrace internos posteriores. b) Si la direcci\u00f3n anterior no requiere un trampol\u00edn, pero la nueva s\u00ed, ftrace_modify_call() usar\u00e1 una direcci\u00f3n fuera de rango para generar la instrucci\u00f3n de rama 'nueva'. Esto dar\u00e1 como resultado advertencias de aarch64_insn_gen_branch_imm(), y ftrace_modify_code() reemplazar\u00e1 la rama 'antigua' con un BRK. Esto dar\u00e1 como resultado un p\u00e1nico del kernel cuando este BRK se ejecute m\u00e1s tarde. En t\u00e9rminos pr\u00e1cticos, el caso (a) es mucho m\u00e1s probable que el caso (b), y normalmente esto dar\u00e1 como resultado errores ftrace internos que no necesariamente afectan al resto del sistema. Esto se puede demostrar con un m\u00f3dulo de prueba fuera del \u00e1rbol que activa ftrace_modify_call(), e.g. | # insmod test_ftrace.ko | test_ftrace: Function test_function raw=0xffffb3749399201c, callsite=0xffffb37493992024 | branch_imm_common: offset out of range | branch_imm_common: offset out of range | ------------[ ftrace bug ]------------ | ftrace failed to modify | [] test_function+0x8/0x38 [test_ftrace] | actual: 1d:00:00:94 | Updating ftrace call site to call a different ftrace function | ftrace record flags: e0000002 | (2) R | expected tramp: ffffb374ae42ed54 | ------------[ cut here ]------------ | WARNING: CPU: 0 PID: 165 at kernel/trace/ftrace.c:2085 ftrace_bug+0x280/0x2b0 | Modules linked in: test_ftrace(+) | CPU: 0 PID: 165 Comm: insmod Not tainted 5.19.0-rc2-00002-g4d9ead8b45ce #13 | Hardware name: linux,dummy-virt (DT) | pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : ftrace_bug+0x280/0x2b0 | lr : ftrace_bug+0x280/0x2b0 | sp : ffff80000839ba00 | x29: ffff80000839ba00 x28: 0000000000000000 x27: ffff80000839bcf0 | x26: ffffb37493994180 x25: ffffb374b0991c28 x24: ffffb374b0d70000 | x23: 00000000ffffffea x22: ffffb374afcc33b0 x21: ffffb374b08f9cc8 | x20: ffff572b8462c000 x19: ffffb374b08f9000 x18: ffffffffffffffff | x17: 6c6c6163202c6331 x16: ffffb374ae5ad110 x15: ffffb374b0d51ee4 | x14: 0000000000000000 x13: 3435646532346561 x12: 3437336266666666 | x11: 203a706d61727420 x10: 6465746365707865 x9 : ffffb374ae5149e8 | x8 : 336266666666203a x7 : 706d617274206465 x6 : 00000000fffff167 | x5 : ffff572bffbc4a08 x4 : 00000000fffff167 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : ffff572b84461e00 x0 : 0000000000000022 | Call trace: | ftrace_bug+0x280/0x2b0 | ftrace_replace_code+0x98/0xa0 | ftrace_modify_all_code+0xe0/0x144 | arch_ftrace_update_code+0x14/0x20 | ftrace_startup+0xf8/0x1b0 | register_ftrace_function+0x38/0x90 | test_ftrace_init+0xd0/0x1000 [test_ftrace] | do_one_initcall+0x50/0x2b0 | do_init_module+0x50/0x1f0 | load_module+0x17c8/0x1d64 | __do_sys_finit_module+0xa8/0x100 | __arm64_sys_finit_module+0x2c/0x3c | invoke_syscall+0x50/0x120 | el0_svc_common.constprop.0+0xdc/0x100 | do_el0_svc+0x3c/0xd0 | el0_svc+0x34/0xb0 | el0t_64_sync_handler+0xbc/0x140 | el0t_64_sync+0x18c/0x190 | ---[ end trace 0000000000000000 ]--- Podemos resolver esto determinando de manera consistente si se debe usar una entrada PLT para una direcci\u00f3n. Tenga en cuenta que desde el commit (anterior): f1a54ae9 ---truncada---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6253579977e4c6f7818eeb05bf2bc65678a7187",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bc28fde90937a920f7714ec4408269cac744f796",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/db73aa9466338ec821ed2a0b01721fe4d06876b1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/dcecc96ed16f73417de5550f384e348c9d56f279",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}
Reference in New Issue View Git Blame Copy Permalink