admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-09-17 18:45:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2023/CVE-2023-525xx/CVE-2023-52562.json
cad-safe-bot ba1040ca98 Auto-Update: 2025-01-16T19:00:25.298043+00:00
2025-01-16 19:03:51 +00:00

139 lines
8.4 KiB
JSON
Raw Blame History

{
"id": "CVE-2023-52562",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-03-02T22:15:48.843",
"lastModified": "2025-01-16T17:02:14.957",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()\n\nAfter the commit in Fixes:, if a module that created a slab cache does not\nrelease all of its allocated objects before destroying the cache (at rmmod\ntime), we might end up releasing the kmem_cache object without removing it\nfrom the slab_caches list thus corrupting the list as kmem_cache_destroy()\nignores the return value from shutdown_cache(), which in turn never removes\nthe kmem_cache object from slabs_list in case __kmem_cache_shutdown() fails\nto release all of the cache's slabs.\n\nThis is easily observable on a kernel built with CONFIG_DEBUG_LIST=y\nas after that ill release the system will immediately trip on list_add,\nor list_del, assertions similar to the one shown below as soon as another\nkmem_cache gets created, or destroyed:\n\n [ 1041.213632] list_del corruption. next->prev should be ffff89f596fb5768, but was 52f1e5016aeee75d. (next=ffff89f595a1b268)\n [ 1041.219165] ------------[ cut here ]------------\n [ 1041.221517] kernel BUG at lib/list_debug.c:62!\n [ 1041.223452] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n [ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: loaded Tainted: G B W OE 6.5.0 #15\n [ 1041.228244] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023\n [ 1041.231212] RIP: 0010:__list_del_entry_valid+0xae/0xb0\n\nAnother quick way to trigger this issue, in a kernel with CONFIG_SLUB=y,\nis to set slub_debug to poison the released objects and then just run\ncat /proc/slabinfo after removing the module that leaks slab objects,\nin which case the kernel will panic:\n\n [ 50.954843] general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 [#1] PREEMPT SMP PTI\n [ 50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: loaded Tainted: G B W OE 6.5.0 #15\n [ 50.966808] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023\n [ 50.972663] RIP: 0010:get_slabinfo+0x42/0xf0\n\nThis patch fixes this issue by properly checking shutdown_cache()'s\nreturn value before taking the kmem_cache_release() branch."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/slab_common: corrige la corrupci\u00f3n de la lista slab_caches despu\u00e9s de kmem_cache_destroy() Despu\u00e9s de el commit en Correcciones:, si un m\u00f3dulo que cre\u00f3 un cach\u00e9 de losa no libera todos sus objetos asignados antes de destruir el cache (en el momento rmmod), podr\u00edamos terminar liberando el objeto kmem_cache sin eliminarlo de la lista slab_caches, corrompiendo as\u00ed la lista ya que kmem_cache_destroy() ignora el valor de retorno de Shutdown_cache(), que a su vez nunca elimina el objeto kmem_cache de slabs_list en caso __kmem_cache_shutdown() no puede liberar todas las losas del cach\u00e9. Esto es f\u00e1cilmente observable en un kernel construido con CONFIG_DEBUG_LIST=y ya que despu\u00e9s de ese lanzamiento, el sistema activar\u00e1 inmediatamente las aserciones list_add o list_del, similares a la que se muestra a continuaci\u00f3n tan pronto como se cree o destruya otro kmem_cache: [ 1041.213632] list_del corrupci\u00f3n. siguiente->anterior deber\u00eda ser ffff89f596fb5768, pero era 52f1e5016aeee75d. (siguiente=ffff89f595a1b268) [1041.219165] ------------[ cortar aqu\u00ed ]------------ [ 1041.221517] \u00a1ERROR del kernel en lib/list_debug.c:62! [ 1041.223452] c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP PTI [ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: cargado Contaminado: GBW OE 6.5.0 #15 [ 1041.228244] Nombre de hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 24/05/2023 [ 1041.231212] RIP: 0010:__list_del_entry_valid+0xae/0xb0 Otra forma r\u00e1pida de desencadenar este problema, en un kernel con CONFIG_SLUB=y, es configurar slub_debug para envenenar los objetos liberados y luego simplemente ejecutar cat /proc/slabinfo despu\u00e9s de eliminar el m\u00f3dulo que filtra los objetos slab, en cuyo caso el kernel entrar\u00e1 en p\u00e1nico: [50.954843] falla de protecci\u00f3n general, probablemente para la direcci\u00f3n no can\u00f3nica 0xa56b6b6b6b6b6b8b: 0000 [#1 ] PREEMPT SMP PTI [ 50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: cargado Contaminado: GBW OE 6.5.0 #15 [ 50.966808] Nombre de hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS edk2-20230524- 3.fc37 24/05/2023 [ 50.972663] RIP: 0010:get_slabinfo+0x42/0xf0 Este parche soluciona este problema verificando correctamente el valor de retorno de Shutdown_cache() antes de tomar la rama kmem_cache_release()."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0",
"versionEndExcluding": "6.1.56",
"matchCriteriaId": "88CD6F0B-B968-414C-86CA-2E442AEA0EA8"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2",
"versionEndExcluding": "6.5.6",
"matchCriteriaId": "870FC772-173A-4A0F-B1AF-7976AD6057D3"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "84267A4F-DBC2-444F-B41D-69E15E1BEC97"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FB440208-241C-4246-9A83-C1715C0DAA6C"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:*",
"matchCriteriaId": "0DC421F1-3D5A-4BEF-BF76-4E468985D20B"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/46a9ea6681907a3be6b6b0d43776dccc62cad6cf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/51988be187b041e5355245957b0b9751fa382e0d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/a5569bb187521432f509b69dda7d29f78b2d38b0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/46a9ea6681907a3be6b6b0d43776dccc62cad6cf",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/51988be187b041e5355245957b0b9751fa382e0d",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/a5569bb187521432f509b69dda7d29f78b2d38b0",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink