cve-2023-52879
Vulnerability from cvelistv5
Published
2024-05-21 15:32
Modified
2024-12-19 08:27
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: tracing: Have trace_event_file have ref counters The following can crash the kernel: # cd /sys/kernel/tracing # echo 'p:sched schedule' > kprobe_events # exec 5>>events/kprobes/sched/enable # > kprobe_events # exec 5>&- The above commands: 1. Change directory to the tracefs directory 2. Create a kprobe event (doesn't matter what one) 3. Open bash file descriptor 5 on the enable file of the kprobe event 4. Delete the kprobe event (removes the files too) 5. Close the bash file descriptor 5 The above causes a crash! BUG: kernel NULL pointer dereference, address: 0000000000000028 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:tracing_release_file_tr+0xc/0x50 What happens here is that the kprobe event creates a trace_event_file "file" descriptor that represents the file in tracefs to the event. It maintains state of the event (is it enabled for the given instance?). Opening the "enable" file gets a reference to the event "file" descriptor via the open file descriptor. When the kprobe event is deleted, the file is also deleted from the tracefs system which also frees the event "file" descriptor. But as the tracefs file is still opened by user space, it will not be totally removed until the final dput() is called on it. But this is not true with the event "file" descriptor that is already freed. If the user does a write to or simply closes the file descriptor it will reference the event "file" descriptor that was just freed, causing a use-after-free bug. To solve this, add a ref count to the event "file" descriptor as well as a new flag called "FREED". The "file" will not be freed until the last reference is released. But the FREE flag will be set when the event is removed to prevent any more modifications to that event from happening, even if there's still a reference to the event "file" descriptor.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0
Impacted products
Vendor Product Version
Linux Linux Version: 6.6
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52879",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-21T16:59:47.559597Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:23:30.864Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.182Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/trace_events.h",
            "kernel/trace/trace.c",
            "kernel/trace/trace.h",
            "kernel/trace/trace_events.c",
            "kernel/trace/trace_events_filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "961c4511c7578d6b8f39118be919016ec3db1c1e",
              "status": "affected",
              "version": "e6807c873d8791ae5a5186ad05ec66cab926539a",
              "versionType": "git"
            },
            {
              "lessThan": "a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f",
              "status": "affected",
              "version": "407bf1c140f0757706c0b28604bcc90837d45ce2",
              "versionType": "git"
            },
            {
              "lessThan": "cbc7c29dff0fa18162f2a3889d82eeefd67305e0",
              "status": "affected",
              "version": "fa6d449e4d024d8c17f4288e0567d28ace69415c",
              "versionType": "git"
            },
            {
              "lessThan": "2fa74d29fc1899c237d51bf9a6e132ea5c488976",
              "status": "affected",
              "version": "a46bf337a20f9edd3c8041b025639842280d0575",
              "versionType": "git"
            },
            {
              "lessThan": "2c9de867ca285c397cd71af703763fe416265706",
              "status": "affected",
              "version": "9beec04370132a7a6cd1aa9897f6fffc6262ff28",
              "versionType": "git"
            },
            {
              "lessThan": "9034c87d61be8cff989017740a91701ac8195a1d",
              "status": "affected",
              "version": "f5ca233e2e66dc1c249bf07eefa37e34a6c9346a",
              "versionType": "git"
            },
            {
              "lessThan": "bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4",
              "status": "affected",
              "version": "f5ca233e2e66dc1c249bf07eefa37e34a6c9346a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/trace_events.h",
            "kernel/trace/trace.c",
            "kernel/trace/trace.h",
            "kernel/trace/trace_events.c",
            "kernel/trace/trace_events_filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have trace_event_file have ref counters\n\nThe following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # echo \u0027p:sched schedule\u0027 \u003e kprobe_events\n # exec 5\u003e\u003eevents/kprobes/sched/enable\n # \u003e kprobe_events\n # exec 5\u003e\u0026-\n\nThe above commands:\n\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn\u0027t matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\n\nThe above causes a crash!\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\n\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\n\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\n\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there\u0027s still a reference to the event \"file\" descriptor."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:27:46.833Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706"
        },
        {
          "url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4"
        }
      ],
      "title": "tracing: Have trace_event_file have ref counters",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52879",
    "datePublished": "2024-05-21T15:32:11.263Z",
    "dateReserved": "2024-05-21T15:19:24.265Z",
    "dateUpdated": "2024-12-19T08:27:46.833Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52879\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T16:15:24.530\",\"lastModified\":\"2024-11-21T08:40:47.037\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Have trace_event_file have ref counters\\n\\nThe following can crash the kernel:\\n\\n # cd /sys/kernel/tracing\\n # echo \u0027p:sched schedule\u0027 \u003e kprobe_events\\n # exec 5\u003e\u003eevents/kprobes/sched/enable\\n # \u003e kprobe_events\\n # exec 5\u003e\u0026-\\n\\nThe above commands:\\n\\n 1. Change directory to the tracefs directory\\n 2. Create a kprobe event (doesn\u0027t matter what one)\\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\\n 4. Delete the kprobe event (removes the files too)\\n 5. Close the bash file descriptor 5\\n\\nThe above causes a crash!\\n\\n BUG: kernel NULL pointer dereference, address: 0000000000000028\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: 0000 [#1] PREEMPT SMP PTI\\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\\n RIP: 0010:tracing_release_file_tr+0xc/0x50\\n\\nWhat happens here is that the kprobe event creates a trace_event_file\\n\\\"file\\\" descriptor that represents the file in tracefs to the event. It\\nmaintains state of the event (is it enabled for the given instance?).\\nOpening the \\\"enable\\\" file gets a reference to the event \\\"file\\\" descriptor\\nvia the open file descriptor. When the kprobe event is deleted, the file is\\nalso deleted from the tracefs system which also frees the event \\\"file\\\"\\ndescriptor.\\n\\nBut as the tracefs file is still opened by user space, it will not be\\ntotally removed until the final dput() is called on it. But this is not\\ntrue with the event \\\"file\\\" descriptor that is already freed. If the user\\ndoes a write to or simply closes the file descriptor it will reference the\\nevent \\\"file\\\" descriptor that was just freed, causing a use-after-free bug.\\n\\nTo solve this, add a ref count to the event \\\"file\\\" descriptor as well as a\\nnew flag called \\\"FREED\\\". The \\\"file\\\" will not be freed until the last\\nreference is released. But the FREE flag will be set when the event is\\nremoved to prevent any more modifications to that event from happening,\\neven if there\u0027s still a reference to the event \\\"file\\\" descriptor.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rastreo: Tener trace_event_file tiene contadores de referencia. Lo siguiente puede bloquear el kernel: # cd /sys/kernel/tracing # echo \u0027p:sched Schedule\u0027 \u0026gt; kprobe_events # exec 5\u0026gt;\u0026gt;events /kprobes/sched/enable # \u0026gt; kprobe_events # exec 5\u0026gt;\u0026amp;- Los comandos anteriores: 1. Cambie el directorio al directorio tracefs 2. Cree un evento kprobe (no importa cu\u00e1l) 3. Abra el descriptor de archivo bash 5 en el habilitar el archivo del evento kprobe 4. Eliminar el evento kprobe (tambi\u00e9n elimina los archivos) 5. Cerrar el descriptor del archivo bash 5 \u00a1Lo anterior provoca un bloqueo! BUG: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000028 #PF: acceso de lectura del supervisor en modo kernel #PF: c\u00f3digo_error(0x0000) - p\u00e1gina no presente PGD 0 P4D 0 Ups: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186 Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01 /2014 RIP: 0010:tracing_release_file_tr+0xc/0x50. Lo que sucede aqu\u00ed es que el evento kprobe crea un descriptor de \\\"archivo\\\" trace_event_file que representa el archivo en tracefs hasta el evento. Mantiene el estado del evento (\u00bfest\u00e1 habilitado para la instancia dada?). Al abrir el archivo \\\"habilitar\\\" se obtiene una referencia al descriptor de \\\"archivo\\\" del evento a trav\u00e9s del descriptor de archivo abierto. Cuando se elimina el evento kprobe, el archivo tambi\u00e9n se elimina del sistema tracefs, lo que tambi\u00e9n libera el descriptor de \\\"archivo\\\" del evento. Pero como el espacio del usuario todav\u00eda abre el archivo tracefs, no se eliminar\u00e1 por completo hasta que se llame al dput() final. Pero esto no es cierto con el descriptor de \\\"archivo\\\" de evento que ya est\u00e1 liberado. Si el usuario escribe o simplemente cierra el descriptor de archivo, har\u00e1 referencia al descriptor de \\\"archivo\\\" del evento que acaba de liberarse, lo que provocar\u00e1 un error de uso despu\u00e9s de la liberaci\u00f3n. Para resolver esto, agregue un recuento de referencias al descriptor de \\\"archivo\\\" del evento, as\u00ed como una nueva bandera llamada \\\"FREED\\\". El \\\"archivo\\\" no se liberar\u00e1 hasta que se publique la \u00faltima referencia. Pero el indicador FREE se establecer\u00e1 cuando se elimine el evento para evitar que se realicen m\u00e1s modificaciones en ese evento, incluso si todav\u00eda hay una referencia al descriptor de \\\"archivo\\\" del evento.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.