Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2023-52780

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
21/05/2024
Last modified:
03/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mvneta: fix calls to page_pool_get_stats<br /> <br /> Calling page_pool_get_stats in the mvneta driver without checks<br /> leads to kernel crashes.<br /> First the page pool is only available if the bm is not used.<br /> The page pool is also not allocated when the port is stopped.<br /> It can also be not allocated in case of errors.<br /> <br /> The current implementation leads to the following crash calling<br /> ethstats on a port that is down or when calling it at the wrong moment:<br /> <br /> ble to handle kernel NULL pointer dereference at virtual address 00000070<br /> [00000070] *pgd=00000000<br /> Internal error: Oops: 5 [#1] SMP ARM<br /> Hardware name: Marvell Armada 380/385 (Device Tree)<br /> PC is at page_pool_get_stats+0x18/0x1cc<br /> LR is at mvneta_ethtool_get_stats+0xa0/0xe0 [mvneta]<br /> pc : [] lr : [] psr: a0000013<br /> sp : f1439d48 ip : f1439dc0 fp : 0000001d<br /> r10: 00000100 r9 : c4816b80 r8 : f0d75150<br /> r7 : bf0b400c r6 : c238f000 r5 : 00000000 r4 : f1439d68<br /> r3 : c2091040 r2 : ffffffd8 r1 : f1439d68 r0 : 00000000<br /> Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none<br /> Control: 10c5387d Table: 066b004a DAC: 00000051<br /> Register r0 information: NULL pointer<br /> Register r1 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390<br /> Register r2 information: non-paged memory<br /> Register r3 information: slab kmalloc-2k start c2091000 pointer offset 64 size 2048<br /> Register r4 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390<br /> Register r5 information: NULL pointer<br /> Register r6 information: slab kmalloc-cg-4k start c238f000 pointer offset 0 size 4096<br /> Register r7 information: 15-page vmalloc region starting at 0xbf0a8000 allocated at load_module+0xa30/0x219c<br /> Register r8 information: 1-page vmalloc region starting at 0xf0d75000 allocated at ethtool_get_stats+0x138/0x208<br /> Register r9 information: slab task_struct start c4816b80 pointer offset 0<br /> Register r10 information: non-paged memory<br /> Register r11 information: non-paged memory<br /> Register r12 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390<br /> Process snmpd (pid: 733, stack limit = 0x38de3a88)<br /> Stack: (0xf1439d48 to 0xf143a000)<br /> 9d40: 000000c0 00000001 c238f000 bf0b400c f0d75150 c4816b80<br /> 9d60: 00000100 bf0a98d8 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9d80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9da0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9dc0: 00000dc0 5335509c 00000035 c238f000 bf0b2214 01067f50 f0d75000 c0b9b9c8<br /> 9de0: 0000001d 00000035 c2212094 5335509c c4816b80 c238f000 c5ad6e00 01067f50<br /> 9e00: c1b0be80 c4816b80 00014813 c0b9d7f0 00000000 00000000 0000001d 0000001d<br /> 9e20: 00000000 00001200 00000000 00000000 c216ed90 c73943b8 00000000 00000000<br /> 9e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9e60: 00000000 c0ad9034 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9e80: 00000000 00000000 00000000 5335509c c1b0be80 f1439ee4 00008946 c1b0be80<br /> 9ea0: 01067f50 f1439ee3 00000000 00000046 b6d77ae0 c0b383f0 00008946 becc83e8<br /> 9ec0: c1b0be80 00000051 0000000b c68ca480 c7172d00 c0ad8ff0 f1439ee3 cf600e40<br /> 9ee0: 01600e40 32687465 00000000 00000000 00000000 01067f50 00000000 00000000<br /> 9f00: 00000000 5335509c 00008946 00008946 00000000 c68ca480 becc83e8 c05e2de0<br /> 9f20: f1439fb0 c03002f0 00000006 5ac3c35a c4816b80 00000006 b6d77ae0 c030caf0<br /> 9f40: c4817350 00000014 f1439e1c 0000000c 00000000 00000051 01000000 00000014<br /> 9f60: 00003fec f1439edc 00000001 c0372abc b6d77ae0 c0372abc cf600e40 5335509c<br /> 9f80: c21e6800 01015c9c 0000000b 00008946 00000036 c03002f0 c4816b80 00000036<br /> 9fa0: b6d77ae0 c03000c0 01015c9c 0000000b 0000000b 00008946 becc83e8 00000000<br /> 9fc0: 01015c9c 0000000b 00008946 00000036 00000035 010678a0 b6d797ec b6d77ae0<br /> 9fe0: b6dbf738 becc838c b6d186d7 b6baa858 40000030 0000000b 00000000 00000000<br /> page_pool_get_s<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.19 (including) 6.1.64 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.5.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6 (including) 6.6.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.7:rc1:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools