CVE-2023-52570
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2024-11-04 14:48
Severity ?
EPSS score ?
Summary
vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-52570", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-04T15:46:34.702017Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:23:48.078Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T23:03:20.897Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/52093779b1830ac184a23848d971f06404cf513e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/c777b11d34e0f47dbbc4b018ef65ad030f2b283a" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/vfio/mdev/mdev_sysfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c01b2e0ee22e", "status": "affected", "version": "da44c340c4fe", "versionType": "git" }, { "lessThan": "52093779b183", "status": "affected", "version": "da44c340c4fe", "versionType": "git" }, { "lessThan": "c777b11d34e0", "status": "affected", "version": "da44c340c4fe", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/vfio/mdev/mdev_sysfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.56", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()\n\nInject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in\nkobject_add_internal() in kobject_init_and_add() in mdev_type_add()\nin parent_create_sysfs_files(), it will return 0 and probe successfully.\nAnd when rmmod mdpy.ko, the mdpy_dev_exit() will call\nmdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized\nparent-\u003etypes[i] in parent_remove_sysfs_files(), and it will cause\nbelow null-ptr-deref.\n\nIf mdev_type_add() fails, return the error code and kset_unregister()\nto fix the issue.\n\n general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n CPU: 2 PID: 10215 Comm: rmmod Tainted: G W N 6.6.0-rc2+ #20\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:__kobject_del+0x62/0x1c0\n Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8\n RSP: 0018:ffff88810695fd30 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010\n RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1\n R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000\n R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660\n FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0\n DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea\n DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n ? die_addr+0x3d/0xa0\n ? exc_general_protection+0x144/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? __kobject_del+0x62/0x1c0\n kobject_del+0x32/0x50\n parent_remove_sysfs_files+0xd6/0x170 [mdev]\n mdev_unregister_parent+0xfb/0x190 [mdev]\n ? mdev_register_parent+0x270/0x270 [mdev]\n ? find_module_all+0x9d/0xe0\n mdpy_dev_exit+0x17/0x63 [mdpy]\n __do_sys_delete_module.constprop.0+0x2fa/0x4b0\n ? module_flags+0x300/0x300\n ? __fput+0x4e7/0xa00\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7fbc813221b7\n Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7\n RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58\n RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000\n R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870\n R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0\n \u003c/TASK\u003e\n Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]\n Dumping ftrace buffer:\n (ftrace buffer empty)\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:__kobject_del+0x62/0x1c0\n Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8\n RSP: 0018:ffff88810695fd30 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010\n RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1\n R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000\n R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660\n FS: 00007fbc81981540(0000) GS:ffff888119d00000(000\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-11-04T14:48:56.808Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4" }, { "url": "https://git.kernel.org/stable/c/52093779b1830ac184a23848d971f06404cf513e" }, { "url": "https://git.kernel.org/stable/c/c777b11d34e0f47dbbc4b018ef65ad030f2b283a" } ], "title": "vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()", "x_generator": { "engine": "bippy-9e1c9544281a" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52570", "datePublished": "2024-03-02T21:59:40.724Z", "dateReserved": "2024-03-02T21:55:42.567Z", "dateUpdated": "2024-11-04T14:48:56.808Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2023-52570\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-03-02T22:15:49.210\",\"lastModified\":\"2024-03-04T13:58:23.447\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()\\n\\nInject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in\\nkobject_add_internal() in kobject_init_and_add() in mdev_type_add()\\nin parent_create_sysfs_files(), it will return 0 and probe successfully.\\nAnd when rmmod mdpy.ko, the mdpy_dev_exit() will call\\nmdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized\\nparent-\u003etypes[i] in parent_remove_sysfs_files(), and it will cause\\nbelow null-ptr-deref.\\n\\nIf mdev_type_add() fails, return the error code and kset_unregister()\\nto fix the issue.\\n\\n general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN\\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\\n CPU: 2 PID: 10215 Comm: rmmod Tainted: G W N 6.6.0-rc2+ #20\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\n RIP: 0010:__kobject_del+0x62/0x1c0\\n Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8\\n RSP: 0018:ffff88810695fd30 EFLAGS: 00010202\\n RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000\\n RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010\\n RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1\\n R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000\\n R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660\\n FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0\\n DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea\\n DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600\\n PKRU: 55555554\\n Call Trace:\\n \u003cTASK\u003e\\n ? die_addr+0x3d/0xa0\\n ? exc_general_protection+0x144/0x220\\n ? asm_exc_general_protection+0x22/0x30\\n ? __kobject_del+0x62/0x1c0\\n kobject_del+0x32/0x50\\n parent_remove_sysfs_files+0xd6/0x170 [mdev]\\n mdev_unregister_parent+0xfb/0x190 [mdev]\\n ? mdev_register_parent+0x270/0x270 [mdev]\\n ? find_module_all+0x9d/0xe0\\n mdpy_dev_exit+0x17/0x63 [mdpy]\\n __do_sys_delete_module.constprop.0+0x2fa/0x4b0\\n ? module_flags+0x300/0x300\\n ? __fput+0x4e7/0xa00\\n do_syscall_64+0x35/0x80\\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\\n RIP: 0033:0x7fbc813221b7\\n Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48\\n RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\\n RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7\\n RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58\\n RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000\\n R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870\\n R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0\\n \u003c/TASK\u003e\\n Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]\\n Dumping ftrace buffer:\\n (ftrace buffer empty)\\n ---[ end trace 0000000000000000 ]---\\n RIP: 0010:__kobject_del+0x62/0x1c0\\n Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8\\n RSP: 0018:ffff88810695fd30 EFLAGS: 00010202\\n RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000\\n RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010\\n RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1\\n R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000\\n R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660\\n FS: 00007fbc81981540(0000) GS:ffff888119d00000(000\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vfio/mdev: corrige un error null-ptr-deref para mdev_unregister_parent() Inyecta el fallo al sondear mdpy.ko, si kstrdup() de create_dir() falla en kobject_add_internal() en kobject_init_and_add() en mdev_type_add() en parent_create_sysfs_files(), devolver\u00e1 0 y sondear\u00e1 exitosamente. Y cuando rmmod mdpy.ko, mdpy_dev_exit() llamar\u00e1 a mdev_unregister_parent(), mdev_type_remove() puede atravesar tipos padre-\u0026gt;[i] no inicializados en parent_remove_sysfs_files(), y provocar\u00e1 debajo de null-ptr-deref. Si mdev_type_add() falla, devuelva el c\u00f3digo de error y kset_unregister() para solucionar el problema. falla de protecci\u00f3n general, probablemente para direcci\u00f3n no can\u00f3nica 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref en rango [0x0000000000000010-0x00000000000000017] CPU: 2 PID: 10215 Comm: rmmod Tainted: GW N 6.6.0- rc2+ #20 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.15.0-1 01/04/2014 RIP: 0010:__kobject_del+0x62/0x1c0 C\u00f3digo: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 \u0026lt;80\u0026gt; 3c 02 00 0f 85 24 01 00 00 48 8b 7 5 10 48 89 gl 48 8d 6b 3c e8 RSP: 0018:ffff88810695fd30 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 00000000000000000 RDX: 0000000000000000 2 RSI: 0000000000000004 RDI: 00000000000000010 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1 R10: ffff888119d2778b R11: 00 00000063666572 R12: 0000000000000000 R13 : ffffbfff404e2d4 R14: dffffc0000000000 R15: fffffffa0271660 FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000 CS: 0010 DS : 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0 DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600 PKRU: 55555554 Seguimiento de llamadas: ? die_addr+0x3d/0xa0? exc_general_protection+0x144/0x220? asm_exc_general_protection+0x22/0x30? __kobject_del+0x62/0x1c0 kobject_del+0x32/0x50 parent_remove_sysfs_files+0xd6/0x170 [mdev] mdev_unregister_parent+0xfb/0x190 [mdev] ? mdev_register_parent+0x270/0x270 [mdev] ? find_module_all+0x9d/0xe0 mdpy_dev_exit+0x17/0x63 [mdpy] __do_sys_delete_module.constprop.0+0x2fa/0x4b0 ? module_flags+0x300/0x300? __fput+0x4e7/0xa00 do_syscall_64+0x35/0x80 Entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fbc813221b7 C\u00f3digo: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 RAX : ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7 RDX: 000000000000000a RSI: 00000000000000800 RDI: 000055e214df9b58 RBP: 000055e214d f9af0 R08: 00007ffe780df5c1 R09: 00000000000000000 R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870 R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0 M\u00f3dulos vinculados en: mdpy(-) mdev vfio_iommu_type1 vfio [\u00faltima descarga: mdpy] Dumping ftrace buffer: (ftrace buffer vac\u00edo) ---[ end trace 0000000000000000 ]--- RIP: 0010:__kobject_del+0x62/0x1c0 C\u00f3digo: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 \u0026lt;80\u0026gt; 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8 RSP: 0018:ffff88810695fd30 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: fffffffa0270268 RCX: 00000000000000000 RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010 RBP: 0000000000000000 R08: 00000000000000001 R09: ffffed10233a4ef1 R10: ff ff888119d2778b R11: 0000000063666572 R12: 00000000000000000 R13: ffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660 FS: 00007fbc81981540(0000) GS:ffff88 8119d00000(000 ---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/52093779b1830ac184a23848d971f06404cf513e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c777b11d34e0f47dbbc4b018ef65ad030f2b283a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}" } }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.