ghsa-gfh2-325r-ffgp
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()
Inject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in kobject_add_internal() in kobject_init_and_add() in mdev_type_add() in parent_create_sysfs_files(), it will return 0 and probe successfully. And when rmmod mdpy.ko, the mdpy_dev_exit() will call mdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized parent->types[i] in parent_remove_sysfs_files(), and it will cause below null-ptr-deref.
If mdev_type_add() fails, return the error code and kset_unregister() to fix the issue.
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 2 PID: 10215 Comm: rmmod Tainted: G W N 6.6.0-rc2+ #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__kobject_del+0x62/0x1c0
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
{ "affected": [], "aliases": [ "CVE-2023-52570" ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-03-02T22:15:49Z", "severity": "MODERATE" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()\n\nInject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in\nkobject_add_internal() in kobject_init_and_add() in mdev_type_add()\nin parent_create_sysfs_files(), it will return 0 and probe successfully.\nAnd when rmmod mdpy.ko, the mdpy_dev_exit() will call\nmdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized\nparent-\u003etypes[i] in parent_remove_sysfs_files(), and it will cause\nbelow null-ptr-deref.\n\nIf mdev_type_add() fails, return the error code and kset_unregister()\nto fix the issue.\n\n general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n CPU: 2 PID: 10215 Comm: rmmod Tainted: G W N 6.6.0-rc2+ #20\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:__kobject_del+0x62/0x1c0\n Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8\n RSP: 0018:ffff88810695fd30 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010\n RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1\n R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000\n R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660\n FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0\n DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea\n DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n ? die_addr+0x3d/0xa0\n ? exc_general_protection+0x144/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? __kobject_del+0x62/0x1c0\n kobject_del+0x32/0x50\n parent_remove_sysfs_files+0xd6/0x170 [mdev]\n mdev_unregister_parent+0xfb/0x190 [mdev]\n ? mdev_register_parent+0x270/0x270 [mdev]\n ? find_module_all+0x9d/0xe0\n mdpy_dev_exit+0x17/0x63 [mdpy]\n __do_sys_delete_module.constprop.0+0x2fa/0x4b0\n ? module_flags+0x300/0x300\n ? __fput+0x4e7/0xa00\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7fbc813221b7\n Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7\n RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58\n RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000\n R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870\n R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0\n \u003c/TASK\u003e\n Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]\n Dumping ftrace buffer:\n (ftrace buffer empty)\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:__kobject_del+0x62/0x1c0\n Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8\n RSP: 0018:ffff88810695fd30 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010\n RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1\n R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000\n R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660\n FS: 00007fbc81981540(0000) GS:ffff888119d00000(000\n---truncated---", "id": "GHSA-gfh2-325r-ffgp", "modified": "2024-12-11T15:31:15Z", "published": "2024-03-03T00:30:32Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52570" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/52093779b1830ac184a23848d971f06404cf513e" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/c777b11d34e0f47dbbc4b018ef65ad030f2b283a" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ] }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.