Vulnerabilities

In order to inform, warn and assist professionals about the latest security vulnerabilities in technological systems, we make available to users interested in this information a database with information in Spanish on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on the information of the NVD (https://nvd.nist.gov/) (National Vulnerability Database), under a collaboration agreement by which INCIBE translates the included information into Spanish. This listing will sometimes show vulnerabilities that have not yet been translated, because they are collected during the time in which the INCIBE team carries out the translation process.

The CVE (https://cve.mitre.org/) (Common Vulnerabilities and Exposures) vulnerability naming standard is used in order to facilitate the exchange of information between different databases and tools. Each of the vulnerabilities collected links to various sources of information as well as to available patches or solutions provided by vendors and developers. Advanced searches can be performed, with the option of selecting different criteria such as vulnerability type, vendor and impact type, among others, in order to narrow down the results.

Through the RSS subscription (https://www.incibe.es/feed/vulnerabilities) or Newsletters (https://www.incibe.es//incibe/suscripciones) you can be informed daily of the latest vulnerabilities added to the repository.

CVE-2023-52570

Publication date:
02/03/2024
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()

Inject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in
kobject_add_internal() in kobject_init_and_add() in mdev_type_add()
in parent_create_sysfs_files(), it will return 0 and probe successfully.
And when rmmod mdpy.ko, the mdpy_dev_exit() will call
mdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized
parent->types[i] in parent_remove_sysfs_files(), and it will cause
below null-ptr-deref.

If mdev_type_add() fails, return the error code and kset_unregister()
to fix the issue.

general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 2 PID: 10215 Comm: rmmod Tainted: G W N 6.6.0-rc2+ #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__kobject_del+0x62/0x1c0
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:

? die_addr+0x3d/0xa0
? exc_general_protection+0x144/0x220
? asm_exc_general_protection+0x22/0x30
? __kobject_del+0x62/0x1c0
kobject_del+0x32/0x50
parent_remove_sysfs_files+0xd6/0x170 [mdev]
mdev_unregister_parent+0xfb/0x190 [mdev]
? mdev_register_parent+0x270/0x270 [mdev]
? find_module_all+0x9d/0xe0
mdpy_dev_exit+0x17/0x63 [mdpy]
__do_sys_delete_module.constprop.0+0x2fa/0x4b0
? module_flags+0x300/0x300
? __fput+0x4e7/0xa00
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fbc813221b7
Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7
RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58
RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000
R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870
R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0

Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 0000000000000000 ]---
RIP: 0010:__kobject_del+0x62/0x1c0
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
FS: 00007fbc81981540(0000) GS:ffff888119d00000(000
---truncated---
Severity: Pending analysis
Last modified:
02/03/2024

CVE-2023-52572

Publication date:
02/03/2024
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix UAF in cifs_demultiplex_thread()

There is a UAF when xfstests on cifs:

BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160
Read of size 4 at addr ffff88810103fc08 by task cifsd/923

CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45
...
Call Trace:

dump_stack_lvl+0x34/0x44
print_report+0x171/0x472
kasan_report+0xad/0x130
kasan_check_range+0x145/0x1a0
smb2_is_network_name_deleted+0x27/0x160
cifs_demultiplex_thread.cold+0x172/0x5a4
kthread+0x165/0x1a0
ret_from_fork+0x1f/0x30


Allocated by task 923:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_slab_alloc+0x54/0x60
kmem_cache_alloc+0x147/0x320
mempool_alloc+0xe1/0x260
cifs_small_buf_get+0x24/0x60
allocate_buffers+0xa1/0x1c0
cifs_demultiplex_thread+0x199/0x10d0
kthread+0x165/0x1a0
ret_from_fork+0x1f/0x30

Freed by task 921:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x40
____kasan_slab_free+0x143/0x1b0
kmem_cache_free+0xe3/0x4d0
cifs_small_buf_release+0x29/0x90
SMB2_negotiate+0x8b7/0x1c60
smb2_negotiate+0x51/0x70
cifs_negotiate_protocol+0xf0/0x160
cifs_get_smb_ses+0x5fa/0x13c0
mount_get_conns+0x7a/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

The UAF is because:

mount(pid: 921)                | cifsd(pid: 923)
-------------------------------|-------------------------------
                               | cifs_demultiplex_thread
SMB2_negotiate                 |
cifs_send_recv                 |
compound_send_recv             |
smb_send_rqst                  |
wait_for_response              |
wait_event_state [1]           |
                               | standard_receive3
                               | cifs_handle_standard
                               | handle_mid
                               | mid->resp_buf = buf; [2]
                               | dequeue_mid [3]
KILL the process [4]           |
resp_iov[i].iov_base = buf     |
free_rsp_buf [5]               |
                               | is_network_name_deleted [6]
                               | callback

1. After send request to server, wait the response until
mid->mid_state != SUBMITTED;
2. Receive response from server, and set it to mid;
3. Set the mid state to RECEIVED;
4. Kill the process, the mid state already RECEIVED, get 0;
5. Handle and release the negotiate response;
6. UAF.

It can be easily reproduce with add some delay in [3] - [6].

Only sync call has the problem since async call's callback is
executed in cifsd process.

Add an extra state to mark the mid state to READY before wakeup the
waitter, then it can get the resp safely.
Severity: Pending analysis
Last modified:
02/03/2024

CVE-2023-52574

Publication date:
02/03/2024
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

team: fix null-ptr-deref when team device type is changed

Get a null-ptr-deref bug as follows with reproducer [1].

BUG: kernel NULL pointer dereference, address: 0000000000000228
...
RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]
...
Call Trace:

? __die+0x24/0x70
? page_fault_oops+0x82/0x150
? exc_page_fault+0x69/0x150
? asm_exc_page_fault+0x26/0x30
? vlan_dev_hard_header+0x35/0x140 [8021q]
? vlan_dev_hard_header+0x8e/0x140 [8021q]
neigh_connected_output+0xb2/0x100
ip6_finish_output2+0x1cb/0x520
? nf_hook_slow+0x43/0xc0
? ip6_mtu+0x46/0x80
ip6_finish_output+0x2a/0xb0
mld_sendpack+0x18f/0x250
mld_ifc_work+0x39/0x160
process_one_work+0x1e6/0x3f0
worker_thread+0x4d/0x2f0
? __pfx_worker_thread+0x10/0x10
kthread+0xe5/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30

[1]
$ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}'
$ ip link add name t-dummy type dummy
$ ip link add link t-dummy name t-dummy.100 type vlan id 100
$ ip link add name t-nlmon type nlmon
$ ip link set t-nlmon master team0
$ ip link set t-nlmon nomaster
$ ip link set t-dummy up
$ ip link set team0 up
$ ip link set t-dummy.100 down
$ ip link set t-dummy.100 master team0

When enslave a vlan device to team device and team device type is changed
from non-ether to ether, header_ops of team device is changed to
vlan_header_ops. That is incorrect and will trigger null-ptr-deref
for vlan->real_dev in vlan_dev_hard_header() because team device is not
a vlan device.

Cache eth_header_ops in team_setup(), then assign cached header_ops to
header_ops of team net device when its type is changed from non-ether
to ether to fix the bug.
Severity: Pending analysis
Last modified:
02/03/2024

CVE-2023-52577

Publication date:
02/03/2024
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

dccp: fix dccp_v4_err()/dccp_v6_err() again

dh->dccph_x is the 9th byte (offset 8) in "struct dccp_hdr",
not in the "byte 7" as Jann claimed.

We need to make sure the ICMP messages are big enough,
using more standard ways (no more assumptions).

syzbot reported:
BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]
BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2681 [inline]
BUG: KMSAN: uninit-value in dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94
pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]
pskb_may_pull include/linux/skbuff.h:2681 [inline]
dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94
icmpv6_notify+0x4c7/0x880 net/ipv6/icmp.c:867
icmpv6_rcv+0x19d5/0x30d0
ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
NF_HOOK include/linux/netfilter.h:304 [inline]
ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
dst_input include/net/dst.h:468 [inline]
ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:304 [inline]
ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5523 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
netif_receive_skb_internal net/core/dev.c:5723 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5782
tun_rx_batched+0x83b/0x920
tun_get_user+0x564c/0x6940 drivers/net/tun.c:2002
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:1985 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x8ef/0x15c0 fs/read_write.c:584
ksys_write+0x20f/0x4c0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x93/0xd0 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559
__alloc_skb+0x318/0x740 net/core/skbuff.c:650
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6313
sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2795
tun_alloc_skb drivers/net/tun.c:1531 [inline]
tun_get_user+0x23cf/0x6940 drivers/net/tun.c:1846
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:1985 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x8ef/0x15c0 fs/read_write.c:584
ksys_write+0x20f/0x4c0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x93/0xd0 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 0 PID: 4995 Comm: syz-executor153 Not tainted 6.6.0-rc1-syzkaller-00014-ga747acc0b752 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Severity: Pending analysis
Last modified:
02/03/2024

CVE-2023-52578

Publication date:
02/03/2024
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

net: bridge: use DEV_STATS_INC()

syzbot/KCSAN reported data-races in br_handle_frame_finish() [1]
This function can run from multiple cpus without mutual exclusion.

Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.

Handles updates to dev->stats.tx_dropped while we are at it.

[1]
BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish

read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:
br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
br_nf_hook_thresh+0x1ed/0x220
br_nf_pre_routing_finish_ipv6+0x50f/0x540
NF_HOOK include/linux/netfilter.h:304 [inline]
br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
__netif_receive_skb_one_core net/core/dev.c:5521 [inline]
__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
process_backlog+0x21f/0x380 net/core/dev.c:5965
__napi_poll+0x60/0x3b0 net/core/dev.c:6527
napi_poll net/core/dev.c:6594 [inline]
net_rx_action+0x32b/0x750 net/core/dev.c:6727
__do_softirq+0xc1/0x265 kernel/softirq.c:553
run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
kthread+0x1d7/0x210 kernel/kthread.c:388
ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:
br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
br_nf_hook_thresh+0x1ed/0x220
br_nf_pre_routing_finish_ipv6+0x50f/0x540
NF_HOOK include/linux/netfilter.h:304 [inline]
br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
__netif_receive_skb_one_core net/core/dev.c:5521 [inline]
__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
process_backlog+0x21f/0x380 net/core/dev.c:5965
__napi_poll+0x60/0x3b0 net/core/dev.c:6527
napi_poll net/core/dev.c:6594 [inline]
net_rx_action+0x32b/0x750 net/core/dev.c:6727
__do_softirq+0xc1/0x265 kernel/softirq.c:553
do_softirq+0x5e/0x90 kernel/softirq.c:454
__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356
batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
worker_thread+0x525/0x730 kernel/workqueue.c:2784
kthread+0x1d7/0x210 kernel/kthread.c:388
ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

value changed: 0x00000000000d7190 -> 0x00000000000d7191

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0
Severity: Pending analysis
Last modified:
02/03/2024

CVE-2023-52580

Publication date:
02/03/2024
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

net/core: Fix ETH_P_1588 flow dissector

When a PTP ethernet raw frame with a size of more than 256 bytes followed
by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation
is wrong. For example: hdr->message_length takes the wrong value (0xffff)
and it does not replicate real header length. In this case, 'nhoff' value
was overridden and the PTP header was badly dissected. This leads to a
kernel crash.

net/core: flow_dissector
net/core flow dissector nhoff = 0x0000000e
net/core flow dissector hdr->message_length = 0x0000ffff
net/core flow dissector nhoff = 0x0001000d (u16 overflow)
...
skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88
skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Using the size of the ptp_header struct will allow the corrected
calculation of the nhoff value.

net/core flow dissector nhoff = 0x0000000e
net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header)
...
skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff
skb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
skb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
skb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Kernel trace:
[ 74.984279] ------------[ cut here ]------------
[ 74.989471] kernel BUG at include/linux/skbuff.h:2440!
[ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1
[ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023
[ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130
[ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
[ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
[ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
[ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
[ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
[ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
[ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
[ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
[ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
[ 75.121980] PKRU: 55555554
[ 75.125035] Call Trace:
[ 75.127792]
[ 75.130063] ? eth_get_headlen+0xa4/0xc0
[ 75.134472] igc_process_skb_fields+0xcd/0x150
[ 75.139461] igc_poll+0xc80/0x17b0
[ 75.143272] __napi_poll+0x27/0x170
[ 75.147192] net_rx_action+0x234/0x280
[ 75.151409] __do_softirq+0xef/0x2f4
[ 75.155424] irq_exit_rcu+0xc7/0x110
[ 75.159432] common_interrupt+0xb8/0xd0
[ 75.163748]
[ 75.166112]
[ 75.168473] asm_common_interrupt+0x22/0x40
[ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350
[ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1
[ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202
[ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f
[ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20
[ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001
[ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980
[ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000
[ 75.245635] ?
---truncated---
Severity: Pending analysis
Last modified:
02/03/2024
