Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2023-52574

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
02/03/2024
Last modified:
11/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> team: fix null-ptr-deref when team device type is changed<br /> <br /> Get a null-ptr-deref bug as follows with reproducer [1].<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000228<br /> ...<br /> RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]<br /> ...<br /> Call Trace:<br /> <br /> ? __die+0x24/0x70<br /> ? page_fault_oops+0x82/0x150<br /> ? exc_page_fault+0x69/0x150<br /> ? asm_exc_page_fault+0x26/0x30<br /> ? vlan_dev_hard_header+0x35/0x140 [8021q]<br /> ? vlan_dev_hard_header+0x8e/0x140 [8021q]<br /> neigh_connected_output+0xb2/0x100<br /> ip6_finish_output2+0x1cb/0x520<br /> ? nf_hook_slow+0x43/0xc0<br /> ? ip6_mtu+0x46/0x80<br /> ip6_finish_output+0x2a/0xb0<br /> mld_sendpack+0x18f/0x250<br /> mld_ifc_work+0x39/0x160<br /> process_one_work+0x1e6/0x3f0<br /> worker_thread+0x4d/0x2f0<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0xe5/0x120<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x34/0x50<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1b/0x30<br /> <br /> [1]<br /> $ teamd -t team0 -d -c &amp;#39;{"runner": {"name": "loadbalance"}}&amp;#39;<br /> $ ip link add name t-dummy type dummy<br /> $ ip link add link t-dummy name t-dummy.100 type vlan id 100<br /> $ ip link add name t-nlmon type nlmon<br /> $ ip link set t-nlmon master team0<br /> $ ip link set t-nlmon nomaster<br /> $ ip link set t-dummy up<br /> $ ip link set team0 up<br /> $ ip link set t-dummy.100 down<br /> $ ip link set t-dummy.100 master team0<br /> <br /> When enslave a vlan device to team device and team device type is changed<br /> from non-ether to ether, header_ops of team device is changed to<br /> vlan_header_ops. That is incorrect and will trigger null-ptr-deref<br /> for vlan-&gt;real_dev in vlan_dev_hard_header() because team device is not<br /> a vlan device.<br /> <br /> Cache eth_header_ops in team_setup(), then assign cached header_ops to<br /> header_ops of team net device when its type is changed from non-ether<br /> to ether to fix the bug.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.7 (including) 4.14.327 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.296 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.258 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.198 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.134 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.56 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.5.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools