CVE-2023-52999
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
27/03/2025
Last modified:
01/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: fix UaF in netns ops registration error path<br />
<br />
If net_assign_generic() fails, the current error path in ops_init() tries<br />
to clear the gen pointer slot. Anyway, in such error path, the gen pointer<br />
itself has not been modified yet, and the existing and accessed one is<br />
smaller than the accessed index, causing an out-of-bounds error:<br />
<br />
BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320<br />
Write of size 8 at addr ffff888109124978 by task modprobe/1018<br />
<br />
CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014<br />
Call Trace:<br />
<br />
dump_stack_lvl+0x6a/0x9f<br />
print_address_description.constprop.0+0x86/0x2b5<br />
print_report+0x11b/0x1fb<br />
kasan_report+0x87/0xc0<br />
ops_init+0x2de/0x320<br />
register_pernet_operations+0x2e4/0x750<br />
register_pernet_subsys+0x24/0x40<br />
tcf_register_action+0x9f/0x560<br />
do_one_initcall+0xf9/0x570<br />
do_init_module+0x190/0x650<br />
load_module+0x1fa5/0x23c0<br />
__do_sys_finit_module+0x10d/0x1b0<br />
do_syscall_64+0x58/0x80<br />
entry_SYSCALL_64_after_hwframe+0x72/0xdc<br />
RIP: 0033:0x7f42518f778d<br />
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48<br />
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff<br />
ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48<br />
RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139<br />
RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d<br />
RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003<br />
RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000<br />
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000<br />
R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000<br />
<br />
<br />
This change addresses the issue by skipping the gen pointer<br />
de-reference in the mentioned error-path.<br />
<br />
Found by code inspection and verified with explicit error injection<br />
on a kasan-enabled kernel.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.264 (including) | 4.19.272 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.223 (including) | 5.4.231 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.153 (including) | 5.10.166 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.77 (including) | 5.15.91 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1 (including) | 6.1.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1 (including) | 6.2 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.0.7:*:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/12075708f2e77ee6a9f8bb2cf512c38be3099794
- https://git.kernel.org/stable/c/66689a72ba73575e76d4f6a8748d3fa2690ec1c4
- https://git.kernel.org/stable/c/71ab9c3e2253619136c31c89dbb2c69305cc89b1
- https://git.kernel.org/stable/c/ad0dfe9bcf0d78e699c7efb64c90ed062dc48bea
- https://git.kernel.org/stable/c/d4c008f3b7f7d4ffd311eb2dae5e75b3cbddacd0
- https://git.kernel.org/stable/c/ddd49cbbd4c1ceb38032018b589b44208e54f55e