CVE-2024-44939

{"id": "CVE-2024-44939", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-26T12:15:06.007", "references": [{"url": "https://git.kernel.org/stable/c/53023ab11836ac56fd75f7a71ec1356e50920fa9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6ea10dbb1e6c58384136e9adfd75f81951e423f6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9c2ac38530d1a3ee558834dfa16c85a40fd0e702", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ce6dede912f064a855acf6f04a04cbb2c25b8c8c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix null ptr deref in dtInsertEntry\n\n[syzbot reported]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713\n...\n[Analyze]\nIn dtInsertEntry(), when the pointer h has the same value as p, after writing\nname in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the\npreviously true judgment \"p->header.flag & BT-LEAF\" to change to no after writing\nthe name operation, this leads to entering an incorrect branch and accessing the\nuninitialized object ih when judging this condition for the second time.\n\n[Fix]\nAfter got the page, check freelist first, if freelist == 0 then exit dtInsert()\nand return -EINVAL."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jfs: corrige null ptr deref en dtInsertEntry [syzbot inform\u00f3] falla de protecci\u00f3n general, probablemente para direcci\u00f3n no can\u00f3nica 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr -deref en rango [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 No contaminado 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Nombre de hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 03 /27 /2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analizar] En dtInsertEntry(), cuando el puntero h tiene el mismo valor que p, despu\u00e9s de escribir el nombre en UniStrncpy_to_le(), Se borrar\u00e1 p->header.flag. Esto har\u00e1 que el juicio previamente verdadero \"p->header.flag & BT-LEAF\" cambie a no despu\u00e9s de escribir la operaci\u00f3n de nombre, esto lleva a ingresar una rama incorrecta y acceder al objeto no inicializado ih al juzgar esta condici\u00f3n por segunda vez. [Soluci\u00f3n] Despu\u00e9s de obtener la p\u00e1gina, verifique primero la lista libre, si lista libre == 0, salga de dtInsert() y devuelva -EINVAL."}], "lastModified": "2024-09-12T20:58:03.783", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF4F8EA7-C643-4B9C-8E32-BD81930A5E8B", "versionEndExcluding": "6.6.47"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1CDF130-CCA6-47F6-9718-8949BF4E05CC", "versionEndExcluding": "6.10.6", "versionStartIncluding": "6.7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}