cve-2023-52879
Vulnerability from cvelistv5
Published
2024-05-21 15:32
Modified
2024-08-02 23:18
Severity
Summary
tracing: Have trace_event_file have ref counters
References
SourceURLTags
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0
Impacted products
VendorProduct
LinuxLinux
LinuxLinux
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52879",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-21T16:59:47.559597Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:23:30.864Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.182Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/trace_events.h",
            "kernel/trace/trace.c",
            "kernel/trace/trace.h",
            "kernel/trace/trace_events.c",
            "kernel/trace/trace_events_filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "961c4511c757",
              "status": "affected",
              "version": "e6807c873d87",
              "versionType": "git"
            },
            {
              "lessThan": "a98172e36e5f",
              "status": "affected",
              "version": "407bf1c140f0",
              "versionType": "git"
            },
            {
              "lessThan": "cbc7c29dff0f",
              "status": "affected",
              "version": "fa6d449e4d02",
              "versionType": "git"
            },
            {
              "lessThan": "2fa74d29fc18",
              "status": "affected",
              "version": "a46bf337a20f",
              "versionType": "git"
            },
            {
              "lessThan": "2c9de867ca28",
              "status": "affected",
              "version": "9beec0437013",
              "versionType": "git"
            },
            {
              "lessThan": "9034c87d61be",
              "status": "affected",
              "version": "f5ca233e2e66",
              "versionType": "git"
            },
            {
              "lessThan": "bb32500fb9b7",
              "status": "affected",
              "version": "f5ca233e2e66",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/trace_events.h",
            "kernel/trace/trace.c",
            "kernel/trace/trace.h",
            "kernel/trace/trace_events.c",
            "kernel/trace/trace_events_filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.262",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.202",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.140",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.64",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.13",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have trace_event_file have ref counters\n\nThe following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # echo \u0027p:sched schedule\u0027 \u003e kprobe_events\n # exec 5\u003e\u003eevents/kprobes/sched/enable\n # \u003e kprobe_events\n # exec 5\u003e\u0026-\n\nThe above commands:\n\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn\u0027t matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\n\nThe above causes a crash!\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\n\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\n\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\n\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there\u0027s still a reference to the event \"file\" descriptor."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T05:18:57.020Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706"
        },
        {
          "url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4"
        }
      ],
      "title": "tracing: Have trace_event_file have ref counters",
      "x_generator": {
        "engine": "bippy-a5840b7849dd"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52879",
    "datePublished": "2024-05-21T15:32:11.263Z",
    "dateReserved": "2024-05-21T15:19:24.265Z",
    "dateUpdated": "2024-08-02T23:18:41.182Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52879\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T16:15:24.530\",\"lastModified\":\"2024-05-21T16:53:56.550\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Have trace_event_file have ref counters\\n\\nThe following can crash the kernel:\\n\\n # cd /sys/kernel/tracing\\n # echo \u0027p:sched schedule\u0027 \u003e kprobe_events\\n # exec 5\u003e\u003eevents/kprobes/sched/enable\\n # \u003e kprobe_events\\n # exec 5\u003e\u0026-\\n\\nThe above commands:\\n\\n 1. Change directory to the tracefs directory\\n 2. Create a kprobe event (doesn\u0027t matter what one)\\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\\n 4. Delete the kprobe event (removes the files too)\\n 5. Close the bash file descriptor 5\\n\\nThe above causes a crash!\\n\\n BUG: kernel NULL pointer dereference, address: 0000000000000028\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: 0000 [#1] PREEMPT SMP PTI\\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\\n RIP: 0010:tracing_release_file_tr+0xc/0x50\\n\\nWhat happens here is that the kprobe event creates a trace_event_file\\n\\\"file\\\" descriptor that represents the file in tracefs to the event. It\\nmaintains state of the event (is it enabled for the given instance?).\\nOpening the \\\"enable\\\" file gets a reference to the event \\\"file\\\" descriptor\\nvia the open file descriptor. When the kprobe event is deleted, the file is\\nalso deleted from the tracefs system which also frees the event \\\"file\\\"\\ndescriptor.\\n\\nBut as the tracefs file is still opened by user space, it will not be\\ntotally removed until the final dput() is called on it. But this is not\\ntrue with the event \\\"file\\\" descriptor that is already freed. If the user\\ndoes a write to or simply closes the file descriptor it will reference the\\nevent \\\"file\\\" descriptor that was just freed, causing a use-after-free bug.\\n\\nTo solve this, add a ref count to the event \\\"file\\\" descriptor as well as a\\nnew flag called \\\"FREED\\\". The \\\"file\\\" will not be freed until the last\\nreference is released. But the FREE flag will be set when the event is\\nremoved to prevent any more modifications to that event from happening,\\neven if there\u0027s still a reference to the event \\\"file\\\" descriptor.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rastreo: Tener trace_event_file tiene contadores de referencia. Lo siguiente puede bloquear el kernel: # cd /sys/kernel/tracing # echo \u0027p:sched Schedule\u0027 \u0026gt; kprobe_events # exec 5\u0026gt;\u0026gt;events /kprobes/sched/enable # \u0026gt; kprobe_events # exec 5\u0026gt;\u0026amp;- Los comandos anteriores: 1. Cambie el directorio al directorio tracefs 2. Cree un evento kprobe (no importa cu\u00e1l) 3. Abra el descriptor de archivo bash 5 en el habilitar el archivo del evento kprobe 4. Eliminar el evento kprobe (tambi\u00e9n elimina los archivos) 5. Cerrar el descriptor del archivo bash 5 \u00a1Lo anterior provoca un bloqueo! BUG: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000028 #PF: acceso de lectura del supervisor en modo kernel #PF: c\u00f3digo_error(0x0000) - p\u00e1gina no presente PGD 0 P4D 0 Ups: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186 Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01 /2014 RIP: 0010:tracing_release_file_tr+0xc/0x50. Lo que sucede aqu\u00ed es que el evento kprobe crea un descriptor de \\\"archivo\\\" trace_event_file que representa el archivo en tracefs hasta el evento. Mantiene el estado del evento (\u00bfest\u00e1 habilitado para la instancia dada?). Al abrir el archivo \\\"habilitar\\\" se obtiene una referencia al descriptor de \\\"archivo\\\" del evento a trav\u00e9s del descriptor de archivo abierto. Cuando se elimina el evento kprobe, el archivo tambi\u00e9n se elimina del sistema tracefs, lo que tambi\u00e9n libera el descriptor de \\\"archivo\\\" del evento. Pero como el espacio del usuario todav\u00eda abre el archivo tracefs, no se eliminar\u00e1 por completo hasta que se llame al dput() final. Pero esto no es cierto con el descriptor de \\\"archivo\\\" de evento que ya est\u00e1 liberado. Si el usuario escribe o simplemente cierra el descriptor de archivo, har\u00e1 referencia al descriptor de \\\"archivo\\\" del evento que acaba de liberarse, lo que provocar\u00e1 un error de uso despu\u00e9s de la liberaci\u00f3n. Para resolver esto, agregue un recuento de referencias al descriptor de \\\"archivo\\\" del evento, as\u00ed como una nueva bandera llamada \\\"FREED\\\". El \\\"archivo\\\" no se liberar\u00e1 hasta que se publique la \u00faltima referencia. Pero el indicador FREE se establecer\u00e1 cuando se elimine el evento para evitar que se realicen m\u00e1s modificaciones en ese evento, incluso si todav\u00eda hay una referencia al descriptor de \\\"archivo\\\" del evento.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.