CVE-2024-43874
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 21/08/2024
Last modified: 03/09/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked

Fix a null pointer dereference induced by DEBUG_TEST_DRIVER_REMOVE.
Return from __sev_snp_shutdown_locked() if the psp_device or the
sev_device structs are not initialized. Without the fix, the driver will
produce the following splat:

```
ccp 0000:55:00.5: enabling device (0000 -> 0002)
ccp 0000:55:00.5: sev enabled
ccp 0000:55:00.5: psp enabled
BUG: kernel NULL pointer dereference, address: 00000000000000f0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI
CPU: 262 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc1+ #29
RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150
Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83
RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb2ea4014b808
RBP: ffffb2ea4014b7e8 R08: 0000000000000106 R09: 000000000003d9c0
R10: 0000000000000001 R11: ffffffffa39ff070 R12: ffff9e49d40590c8
R13: 0000000000000000 R14: ffffb2ea4014b808 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff9e58b1e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000f0 CR3: 0000000418a3e001 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:

? __die_body+0x6f/0xb0
? __die+0xcc/0xf0
? page_fault_oops+0x330/0x3a0
? save_trace+0x2a5/0x360
? do_user_addr_fault+0x583/0x630
? exc_page_fault+0x81/0x120
? asm_exc_page_fault+0x2b/0x30
? __sev_snp_shutdown_locked+0x2e/0x150
__sev_firmware_shutdown+0x349/0x5b0
? pm_runtime_barrier+0x66/0xe0
sev_dev_destroy+0x34/0xb0
psp_dev_destroy+0x27/0x60
sp_destroy+0x39/0x90
sp_pci_remove+0x22/0x60
pci_device_remove+0x4e/0x110
really_probe+0x271/0x4e0
__driver_probe_device+0x8f/0x160
driver_probe_device+0x24/0x120
__driver_attach+0xc7/0x280
? driver_attach+0x30/0x30
bus_for_each_dev+0x10d/0x130
driver_attach+0x22/0x30
bus_add_driver+0x171/0x2b0
? unaccepted_memory_init_kdump+0x20/0x20
driver_register+0x67/0x100
__pci_register_driver+0x83/0x90
sp_pci_init+0x22/0x30
sp_mod_init+0x13/0x30
do_one_initcall+0xb8/0x290
? sched_clock_noinstr+0xd/0x10
? local_clock_noinstr+0x3e/0x100
? stack_depot_save_flags+0x21e/0x6a0
? local_clock+0x1c/0x60
? stack_depot_save_flags+0x21e/0x6a0
? sched_clock_noinstr+0xd/0x10
? local_clock_noinstr+0x3e/0x100
? __lock_acquire+0xd90/0xe30
? sched_clock_noinstr+0xd/0x10
? local_clock_noinstr+0x3e/0x100
? __create_object+0x66/0x100
? local_clock+0x1c/0x60
? __create_object+0x66/0x100
? parameq+0x1b/0x90
? parse_one+0x6d/0x1d0
? parse_args+0xd7/0x1f0
? do_initcall_level+0x180/0x180
do_initcall_level+0xb0/0x180
do_initcalls+0x60/0xa0
? kernel_init+0x1f/0x1d0
do_basic_setup+0x41/0x50
kernel_init_freeable+0x1ac/0x230
? rest_init+0x1f0/0x1f0
kernel_init+0x1f/0x1d0
? rest_init+0x1f0/0x1f0
ret_from_fork+0x3d/0x50
? rest_init+0x1f0/0x1f0
ret_from_fork_asm+0x11/0x20

Modules linked in:
CR2: 00000000000000f0
---[ end trace 0000000000000000 ]---
RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150
Code: 00 55 48 89 e5 41 57 41 56 41 54 53 48 83 ec 10 41 89 f7 49 89 fe 65 48 8b 04 25 28 00 00 00 48 89 45 d8 48 8b 05 6a 5a 7f 06 8b a0 f0 00 00 00 41 0f b6 9c 24 a2 00 00 00 48 83 fb 02 0f 83
RSP: 0018:ffffb2ea4014b7b8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff9e4acd2e0a28 RCX: 0000000000000000
RDX: 0000000
```
---truncated---
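For triage, the splat can be reduced to the facts that identify this bug: the fault address, the faulting symbol, and a remove callback running underneath `really_probe()`, which is the call pattern DEBUG_TEST_DRIVER_REMOVE produces. The following is an added example, not part of the advisory or the kernel patch; the `triage` helper, its field names and the 4096-byte small-offset threshold are assumptions, and the sample is an abridged copy of the splat lines above.

```python
import re

# Abridged lines copied from the splat in this advisory (sample input).
SAMPLE = """\
BUG: kernel NULL pointer dereference, address: 00000000000000f0
RIP: 0010:__sev_snp_shutdown_locked+0x2e/0x150
Call Trace:
? __sev_snp_shutdown_locked+0x2e/0x150
__sev_firmware_shutdown+0x349/0x5b0
sev_dev_destroy+0x34/0xb0
psp_dev_destroy+0x27/0x60
sp_destroy+0x39/0x90
sp_pci_remove+0x22/0x60
pci_device_remove+0x4e/0x110
really_probe+0x271/0x4e0
"""

FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")

def triage(oops: str) -> dict:
    """Summarise a NULL-dereference oops: fault address, symbol, reliable frames."""
    addr = re.search(r"NULL pointer dereference, address: ([0-9a-f]+)", oops)
    rip = re.search(r"^RIP: [0-9a-f]+:([A-Za-z_][\w.]*)\+", oops, re.M)
    frames, in_trace = [], False
    for line in oops.splitlines():
        if line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            m = FRAME.match(line)
            if m and not m.group(1):  # "?" frames are unverified stack guesses
                frames.append(m.group(2))
    offset = int(addr.group(1), 16) if addr else None
    # Frames are innermost first, so really_probe() appears after the remove callback.
    remove_in_probe = any(
        f.endswith("_remove") and "really_probe" in frames[i + 1:]
        for i, f in enumerate(frames)
    )
    return {
        "fault_offset": offset,
        # Heuristic: a fault inside the first page is a field read via a NULL base.
        "null_struct_read": offset is not None and offset < 4096,
        "faulting_symbol": rip.group(1) if rip else None,
        "reliable_frames": frames,
        "remove_during_probe": remove_in_probe,
    }
```

On the sample, the result shows a read at offset 0xf0 from a NULL base inside `__sev_snp_shutdown_locked`, reached through `sp_pci_remove` while `really_probe` was still on the stack.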
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.9 (including) | 6.10.3 (excluding) |



