mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-05-28 09:11:28 +00:00
183 lines
12 KiB
JSON
183 lines
12 KiB
JSON
{
|
|
"id": "CVE-2024-50154",
|
|
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
"published": "2024-11-07T10:15:06.987",
|
|
"lastModified": "2024-12-11T15:15:13.367",
|
|
"vulnStatus": "Modified",
|
|
"cveTags": [],
|
|
"descriptions": [
|
|
{
|
|
"lang": "en",
|
|
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().\n\nMartin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().\n\n \"\"\"\n We are seeing a use-after-free from a bpf prog attached to\n trace_tcp_retransmit_synack. The program passes the req->sk to the\n bpf_sk_storage_get_tracing kernel helper which does check for null\n before using it.\n \"\"\"\n\nThe commit 83fccfc3940c (\"inet: fix potential deadlock in\nreqsk_queue_unlink()\") added timer_pending() in reqsk_queue_unlink() not\nto call del_timer_sync() from reqsk_timer_handler(), but it introduced a\nsmall race window.\n\nBefore the timer is called, expire_timers() calls detach_timer(timer, true)\nto clear timer->entry.pprev and marks it as not pending.\n\nIf reqsk_queue_unlink() checks timer_pending() just after expire_timers()\ncalls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will\ncontinue running and send multiple SYN+ACKs until it expires.\n\nThe reported UAF could happen if req->sk is close()d earlier than the timer\nexpiration, which is 63s by default.\n\nThe scenario would be\n\n 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),\n but del_timer_sync() is missed\n\n 2. reqsk timer is executed and scheduled again\n\n 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but\n reqsk timer still has another one, and inet_csk_accept() does not\n clear req->sk for non-TFO sockets\n\n 4. sk is close()d\n\n 5. reqsk timer is executed again, and BPF touches req->sk\n\nLet's not use timer_pending() by passing the caller context to\n__inet_csk_reqsk_queue_drop().\n\nNote that reqsk timer is pinned, so the issue does not happen in most\nuse cases. [1]\n\n[0]\nBUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0\n\nUse-after-free read at 0x00000000a891fb3a (in kfence-#1):\nbpf_sk_storage_get_tracing+0x2e/0x1b0\nbpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda\nbpf_trace_run2+0x4c/0xc0\ntcp_rtx_synack+0xf9/0x100\nreqsk_timer_handler+0xda/0x3d0\nrun_timer_softirq+0x292/0x8a0\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\nintel_idle_irq+0x5a/0xa0\ncpuidle_enter_state+0x94/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nkfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6\n\nallocated by task 0 on cpu 9 at 260507.901592s:\nsk_prot_alloc+0x35/0x140\nsk_clone_lock+0x1f/0x3f0\ninet_csk_clone_lock+0x15/0x160\ntcp_create_openreq_child+0x1f/0x410\ntcp_v6_syn_recv_sock+0x1da/0x700\ntcp_check_req+0x1fb/0x510\ntcp_v6_rcv+0x98b/0x1420\nipv6_list_rcv+0x2258/0x26e0\nnapi_complete_done+0x5b1/0x2990\nmlx5e_napi_poll+0x2ae/0x8d0\nnet_rx_action+0x13e/0x590\nirq_exit_rcu+0xf5/0x320\ncommon_interrupt+0x80/0x90\nasm_common_interrupt+0x22/0x40\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nfreed by task 0 on cpu 9 at 260507.927527s:\nrcu_core_si+0x4ff/0xf10\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb"
|
|
},
|
|
{
|
|
"lang": "es",
|
|
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp/dccp: No use timer_pending() en reqsk_queue_unlink(). Martin KaFai Lau inform\u00f3 de un use-after-free [0] en reqsk_timer_handler(). \"\"\" Estamos viendo un use-after-free de un programa bpf adjunto a trace_tcp_retransmit_synack. El programa pasa el req->sk al ayudante del kernel bpf_sk_storage_get_tracing que comprueba si hay valores nulos antes de usarlo. \"\"\" El commit 83fccfc3940c (\"inet: soluciona un posible bloqueo en reqsk_queue_unlink()\") agreg\u00f3 timer_pending() en reqsk_queue_unlink() para no llamar a del_timer_sync() desde reqsk_timer_handler(), pero introdujo una peque\u00f1a ventana de ejecuci\u00f3n. Antes de que se llame al temporizador, expire_timers() llama a detach_timer(timer, true) para borrar timer->entry.pprev y lo marca como no pendiente. Si reqsk_queue_unlink() comprueba timer_pending() justo despu\u00e9s de que expire_timers() llame a detach_timer(), TCP no detectar\u00e1 del_timer_sync(); el temporizador reqsk seguir\u00e1 funcionando y enviar\u00e1 varios SYN+ACK hasta que expire. El UAF informado podr\u00eda ocurrir si se cierra req->sk antes de la expiraci\u00f3n del temporizador, que es 63 s por defecto. El escenario ser\u00eda 1. inet_csk_complete_hashdance() llama a inet_csk_reqsk_queue_drop(), pero se omite del_timer_sync() 2. se ejecuta el temporizador reqsk y se programa nuevamente 3. se acepta req->sk y reqsk_put() decrementa rsk_refcnt, pero el temporizador reqsk a\u00fan tiene otro, e inet_csk_accept() no borra req->sk para sockets que no sean TFO 4. se cierra sk 5. se ejecuta nuevamente el temporizador reqsk y BPF toca req->sk No usemos timer_pending() pasando el contexto del llamador a __inet_csk_reqsk_queue_drop(). Tenga en cuenta que el temporizador reqsk est\u00e1 fijado, por lo que el problema no ocurre en la mayor\u00eda de los casos de uso. [1] [0] ERROR: KFENCE: lectura de use-after-free en bpf_sk_storage_get_tracing+0x2e/0x1b0 Lectura de use-after-free en 0x00000000a891fb3a (en kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, tama\u00f1o=2376, cach\u00e9=TCPv6 asignado por la tarea 0 en la CPU 9 en 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb liberado por la tarea 0 en la CPU 9 a las 260507.927527 s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpu_idle_entrada_estado+0xfb/0x273 cpu_inicio_entrada+0x15e/0x260 inicio_secundario+0x8a/0x90 inicio_secundario_64_sin_verificaci\u00f3n+0xfa/0xfb"
|
|
}
|
|
],
|
|
"metrics": {
|
|
"cvssMetricV31": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
|
"baseScore": 7.0,
|
|
"baseSeverity": "HIGH",
|
|
"attackVector": "LOCAL",
|
|
"attackComplexity": "HIGH",
|
|
"privilegesRequired": "LOW",
|
|
"userInteraction": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"availabilityImpact": "HIGH"
|
|
},
|
|
"exploitabilityScore": 1.0,
|
|
"impactScore": 5.9
|
|
},
|
|
{
|
|
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
|
|
"type": "Secondary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
|
"baseScore": 7.8,
|
|
"baseSeverity": "HIGH",
|
|
"attackVector": "LOCAL",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "LOW",
|
|
"userInteraction": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"availabilityImpact": "HIGH"
|
|
},
|
|
"exploitabilityScore": 1.8,
|
|
"impactScore": 5.9
|
|
}
|
|
]
|
|
},
|
|
"weaknesses": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-416"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
|
|
"type": "Secondary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-416"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"configurations": [
|
|
{
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
|
"versionStartIncluding": "4.1.11",
|
|
"versionEndExcluding": "4.2",
|
|
"matchCriteriaId": "3CD6E092-00BA-470A-BD6E-9FF38E84DB99"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
|
"versionStartIncluding": "4.2",
|
|
"versionEndExcluding": "5.15.170",
|
|
"matchCriteriaId": "D37DEB92-5329-47EC-94B1-051761C1F534"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
|
"versionStartIncluding": "5.16",
|
|
"versionEndExcluding": "6.1.115",
|
|
"matchCriteriaId": "C08A77A6-E42E-4EFD-B5A1-2BF6CBBB42AE"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
|
"versionStartIncluding": "6.2",
|
|
"versionEndExcluding": "6.6.59",
|
|
"matchCriteriaId": "5D15CA59-D15C-4ACD-8B03-A072DEAD2081"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
|
"versionStartIncluding": "6.7",
|
|
"versionEndExcluding": "6.11.6",
|
|
"matchCriteriaId": "E4486B12-007B-4794-9857-F07145637AA1"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*",
|
|
"matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*",
|
|
"matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1",
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
"tags": [
|
|
"Patch"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d",
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
"tags": [
|
|
"Patch"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17",
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
"tags": [
|
|
"Patch"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3",
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
"tags": [
|
|
"Patch"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f",
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
"tags": [
|
|
"Patch"
|
|
]
|
|
}
|
|
]
|
|
} |