cve-2023-52879
Vulnerability from cvelistv5
Published
2024-05-21 15:32
Modified
2024-11-04 14:54
Severity ?
Summary
tracing: Have trace_event_file have ref counters
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52879",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-21T16:59:47.559597Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:23:30.864Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.182Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/trace_events.h",
            "kernel/trace/trace.c",
            "kernel/trace/trace.h",
            "kernel/trace/trace_events.c",
            "kernel/trace/trace_events_filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "961c4511c757",
              "status": "affected",
              "version": "e6807c873d87",
              "versionType": "git"
            },
            {
              "lessThan": "a98172e36e5f",
              "status": "affected",
              "version": "407bf1c140f0",
              "versionType": "git"
            },
            {
              "lessThan": "cbc7c29dff0f",
              "status": "affected",
              "version": "fa6d449e4d02",
              "versionType": "git"
            },
            {
              "lessThan": "2fa74d29fc18",
              "status": "affected",
              "version": "a46bf337a20f",
              "versionType": "git"
            },
            {
              "lessThan": "2c9de867ca28",
              "status": "affected",
              "version": "9beec0437013",
              "versionType": "git"
            },
            {
              "lessThan": "9034c87d61be",
              "status": "affected",
              "version": "f5ca233e2e66",
              "versionType": "git"
            },
            {
              "lessThan": "bb32500fb9b7",
              "status": "affected",
              "version": "f5ca233e2e66",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/trace_events.h",
            "kernel/trace/trace.c",
            "kernel/trace/trace.h",
            "kernel/trace/trace_events.c",
            "kernel/trace/trace_events_filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have trace_event_file have ref counters\n\nThe following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # echo \u0027p:sched schedule\u0027 \u003e kprobe_events\n # exec 5\u003e\u003eevents/kprobes/sched/enable\n # \u003e kprobe_events\n # exec 5\u003e\u0026-\n\nThe above commands:\n\n 1. Change directory to the tracefs directory\n 2. Create a kprobe event (doesn\u0027t matter what one)\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\n 4. Delete the kprobe event (removes the files too)\n 5. Close the bash file descriptor 5\n\nThe above causes a crash!\n\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n RIP: 0010:tracing_release_file_tr+0xc/0x50\n\nWhat happens here is that the kprobe event creates a trace_event_file\n\"file\" descriptor that represents the file in tracefs to the event. It\nmaintains state of the event (is it enabled for the given instance?).\nOpening the \"enable\" file gets a reference to the event \"file\" descriptor\nvia the open file descriptor. When the kprobe event is deleted, the file is\nalso deleted from the tracefs system which also frees the event \"file\"\ndescriptor.\n\nBut as the tracefs file is still opened by user space, it will not be\ntotally removed until the final dput() is called on it. But this is not\ntrue with the event \"file\" descriptor that is already freed. If the user\ndoes a write to or simply closes the file descriptor it will reference the\nevent \"file\" descriptor that was just freed, causing a use-after-free bug.\n\nTo solve this, add a ref count to the event \"file\" descriptor as well as a\nnew flag called \"FREED\". The \"file\" will not be freed until the last\nreference is released. But the FREE flag will be set when the event is\nremoved to prevent any more modifications to that event from happening,\neven if there\u0027s still a reference to the event \"file\" descriptor."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T14:54:27.196Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706"
        },
        {
          "url": "https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4"
        }
      ],
      "title": "tracing: Have trace_event_file have ref counters",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52879",
    "datePublished": "2024-05-21T15:32:11.263Z",
    "dateReserved": "2024-05-21T15:19:24.265Z",
    "dateUpdated": "2024-11-04T14:54:27.196Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52879\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T16:15:24.530\",\"lastModified\":\"2024-05-21T16:53:56.550\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracing: Have trace_event_file have ref counters\\n\\nThe following can crash the kernel:\\n\\n # cd /sys/kernel/tracing\\n # echo \u0027p:sched schedule\u0027 \u003e kprobe_events\\n # exec 5\u003e\u003eevents/kprobes/sched/enable\\n # \u003e kprobe_events\\n # exec 5\u003e\u0026-\\n\\nThe above commands:\\n\\n 1. Change directory to the tracefs directory\\n 2. Create a kprobe event (doesn\u0027t matter what one)\\n 3. Open bash file descriptor 5 on the enable file of the kprobe event\\n 4. Delete the kprobe event (removes the files too)\\n 5. Close the bash file descriptor 5\\n\\nThe above causes a crash!\\n\\n BUG: kernel NULL pointer dereference, address: 0000000000000028\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: 0000 [#1] PREEMPT SMP PTI\\n CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\\n RIP: 0010:tracing_release_file_tr+0xc/0x50\\n\\nWhat happens here is that the kprobe event creates a trace_event_file\\n\\\"file\\\" descriptor that represents the file in tracefs to the event. It\\nmaintains state of the event (is it enabled for the given instance?).\\nOpening the \\\"enable\\\" file gets a reference to the event \\\"file\\\" descriptor\\nvia the open file descriptor. When the kprobe event is deleted, the file is\\nalso deleted from the tracefs system which also frees the event \\\"file\\\"\\ndescriptor.\\n\\nBut as the tracefs file is still opened by user space, it will not be\\ntotally removed until the final dput() is called on it. But this is not\\ntrue with the event \\\"file\\\" descriptor that is already freed. If the user\\ndoes a write to or simply closes the file descriptor it will reference the\\nevent \\\"file\\\" descriptor that was just freed, causing a use-after-free bug.\\n\\nTo solve this, add a ref count to the event \\\"file\\\" descriptor as well as a\\nnew flag called \\\"FREED\\\". The \\\"file\\\" will not be freed until the last\\nreference is released. But the FREE flag will be set when the event is\\nremoved to prevent any more modifications to that event from happening,\\neven if there\u0027s still a reference to the event \\\"file\\\" descriptor.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rastreo: Tener trace_event_file tiene contadores de referencia. Lo siguiente puede bloquear el kernel: # cd /sys/kernel/tracing # echo \u0027p:sched Schedule\u0027 \u0026gt; kprobe_events # exec 5\u0026gt;\u0026gt;events /kprobes/sched/enable # \u0026gt; kprobe_events # exec 5\u0026gt;\u0026amp;- Los comandos anteriores: 1. Cambie el directorio al directorio tracefs 2. Cree un evento kprobe (no importa cu\u00e1l) 3. Abra el descriptor de archivo bash 5 en el habilitar el archivo del evento kprobe 4. Eliminar el evento kprobe (tambi\u00e9n elimina los archivos) 5. Cerrar el descriptor del archivo bash 5 \u00a1Lo anterior provoca un bloqueo! BUG: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000028 #PF: acceso de lectura del supervisor en modo kernel #PF: c\u00f3digo_error(0x0000) - p\u00e1gina no presente PGD 0 P4D 0 Ups: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186 Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01 /2014 RIP: 0010:tracing_release_file_tr+0xc/0x50. Lo que sucede aqu\u00ed es que el evento kprobe crea un descriptor de \\\"archivo\\\" trace_event_file que representa el archivo en tracefs hasta el evento. Mantiene el estado del evento (\u00bfest\u00e1 habilitado para la instancia dada?). Al abrir el archivo \\\"habilitar\\\" se obtiene una referencia al descriptor de \\\"archivo\\\" del evento a trav\u00e9s del descriptor de archivo abierto. Cuando se elimina el evento kprobe, el archivo tambi\u00e9n se elimina del sistema tracefs, lo que tambi\u00e9n libera el descriptor de \\\"archivo\\\" del evento. Pero como el espacio del usuario todav\u00eda abre el archivo tracefs, no se eliminar\u00e1 por completo hasta que se llame al dput() final. Pero esto no es cierto con el descriptor de \\\"archivo\\\" de evento que ya est\u00e1 liberado. Si el usuario escribe o simplemente cierra el descriptor de archivo, har\u00e1 referencia al descriptor de \\\"archivo\\\" del evento que acaba de liberarse, lo que provocar\u00e1 un error de uso despu\u00e9s de la liberaci\u00f3n. Para resolver esto, agregue un recuento de referencias al descriptor de \\\"archivo\\\" del evento, as\u00ed como una nueva bandera llamada \\\"FREED\\\". El \\\"archivo\\\" no se liberar\u00e1 hasta que se publique la \u00faltima referencia. Pero el indicador FREE se establecer\u00e1 cuando se elimine el evento para evitar que se realicen m\u00e1s modificaciones en ese evento, incluso si todav\u00eda hay una referencia al descriptor de \\\"archivo\\\" del evento.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2c9de867ca285c397cd71af703763fe416265706\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2fa74d29fc1899c237d51bf9a6e132ea5c488976\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9034c87d61be8cff989017740a91701ac8195a1d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/961c4511c7578d6b8f39118be919016ec3db1c1e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a98172e36e5f1b3d29ad71fade2d611cfcc2fe6f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bb32500fb9b78215e4ef6ee8b4345c5f5d7eafb4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cbc7c29dff0fa18162f2a3889d82eeefd67305e0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.