Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2023-52506

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
02/03/2024
Last modified:
13/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> LoongArch: Set all reserved memblocks on Node#0 at initialization<br /> <br /> After commit 61167ad5fecdea ("mm: pass nid to reserve_bootmem_region()")<br /> we get a panic if DEFERRED_STRUCT_PAGE_INIT is enabled:<br /> <br /> [ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000002b82, era == 90000000040e3f28, ra == 90000000040e3f18<br /> [ 0.000000] Oops[#1]:<br /> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0+ #733<br /> [ 0.000000] pc 90000000040e3f28 ra 90000000040e3f18 tp 90000000046f4000 sp 90000000046f7c90<br /> [ 0.000000] a0 0000000000000001 a1 0000000000200000 a2 0000000000000040 a3 90000000046f7ca0<br /> [ 0.000000] a4 90000000046f7ca4 a5 0000000000000000 a6 90000000046f7c38 a7 0000000000000000<br /> [ 0.000000] t0 0000000000000002 t1 9000000004b00ac8 t2 90000000040e3f18 t3 90000000040f0800<br /> [ 0.000000] t4 00000000000f0000 t5 80000000ffffe07e t6 0000000000000003 t7 900000047fff5e20<br /> [ 0.000000] t8 aaaaaaaaaaaaaaab u0 0000000000000018 s9 0000000000000000 s0 fffffefffe000000<br /> [ 0.000000] s1 0000000000000000 s2 0000000000000080 s3 0000000000000040 s4 0000000000000000<br /> [ 0.000000] s5 0000000000000000 s6 fffffefffe000000 s7 900000000470b740 s8 9000000004ad4000<br /> [ 0.000000] ra: 90000000040e3f18 reserve_bootmem_region+0xec/0x21c<br /> [ 0.000000] ERA: 90000000040e3f28 reserve_bootmem_region+0xfc/0x21c<br /> [ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)<br /> [ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)<br /> [ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)<br /> [ 0.000000] ECFG: 00070800 (LIE=11 VS=7)<br /> [ 0.000000] ESTAT: 00010800 [PIL] (IS=11 ECode=1 EsubCode=0)<br /> [ 0.000000] BADV: 0000000000002b82<br /> [ 0.000000] PRID: 0014d000 (Loongson-64bit, Loongson-3A6000)<br /> [ 0.000000] Modules linked in:<br /> [ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))<br /> [ 0.000000] Stack : 0000000000000000 9000000002eb5430 0000003a00000020 90000000045ccd00<br /> [ 0.000000] 900000000470e000 90000000002c1918 0000000000000000 9000000004110780<br /> [ 0.000000] 00000000fe6c0000 0000000480000000 9000000004b4e368 9000000004110748<br /> [ 0.000000] 0000000000000000 900000000421ca84 9000000004620000 9000000004564970<br /> [ 0.000000] 90000000046f7d78 9000000002cc9f70 90000000002c1918 900000000470e000<br /> [ 0.000000] 9000000004564970 90000000040bc0e0 90000000046f7d78 0000000000000000<br /> [ 0.000000] 0000000000004000 90000000045ccd00 0000000000000000 90000000002c1918<br /> [ 0.000000] 90000000002c1900 900000000470b700 9000000004b4df78 9000000004620000<br /> [ 0.000000] 90000000046200a8 90000000046200a8 0000000000000000 9000000004218b2c<br /> [ 0.000000] 9000000004270008 0000000000000001 0000000000000000 90000000045ccd00<br /> [ 0.000000] ...<br /> [ 0.000000] Call Trace:<br /> [ 0.000000] [] reserve_bootmem_region+0xfc/0x21c<br /> [ 0.000000] [] memblock_free_all+0x114/0x350<br /> [ 0.000000] [] mm_core_init+0x138/0x3cc<br /> [ 0.000000] [] start_kernel+0x488/0x7a4<br /> [ 0.000000] [] kernel_entry+0xd8/0xdc<br /> [ 0.000000]<br /> [ 0.000000] Code: 02eb21ad 00410f4c 380c31ac 6800b70d 02c1c196 0015001c 57fe4bb1 260002cd<br /> <br /> The reason is early memblock_reserve() in memblock_init() set node id to<br /> MAX_NUMNODES, making NODE_DATA(nid) a NULL dereference in the call chain<br /> reserve_bootmem_region() -&gt; init_reserved_page(). After memblock_init(),<br /> those late calls of memblock_reserve() operate on subregions of memblock<br /> .memory regions. As a result, these reserved regions will be set to the<br /> correct node at the first iteration of memmap_init_reserved_pages().<br /> <br /> So set all reserved memblocks on Node#0 at initialization can avoid this<br /> panic.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.56 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.5.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools