CVE-2024-44964

{"id": "CVE-2024-44964", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-09-04T19:15:30.940", "references": [{"url": "https://git.kernel.org/stable/c/6b289f8d91537ec1e4f9c7b38b31b90d93b1419b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f01032a2ca099ec8d619aaa916c3762aa62495df", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}, {"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix memory leaks and crashes while performing a soft reset\n\nThe second tagged commit introduced a UAF, as it removed restoring\nq_vector->vport pointers after reinitializating the structures.\nThis is due to that all queue allocation functions are performed here\nwith the new temporary vport structure and those functions rewrite\nthe backpointers to the vport. Then, this new struct is freed and\nthe pointers start leading to nowhere.\n\nBut generally speaking, the current logic is very fragile. It claims\nto be more reliable when the system is low on memory, but in fact, it\nconsumes two times more memory as at the moment of running this\nfunction, there are two vports allocated with their queues and vectors.\nMoreover, it claims to prevent the driver from running into \"bad state\",\nbut in fact, any error during the rebuild leaves the old vport in the\npartially allocated state.\nFinally, if the interface is down when the function is called, it always\nallocates a new queue set, but when the user decides to enable the\ninterface later on, vport_open() allocates them once again, IOW there's\na clear memory leak here.\n\nJust don't allocate a new queue set when performing a reset, that solves\ncrashes and memory leaks. Readd the old queue number and reopen the\ninterface on rollback - that solves limbo states when the device is left\ndisabled and/or without HW queues enabled."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: idpf: corrige fugas de memoria y fallos al realizar un reinicio suave El segundo commit etiquetado introdujo un UAF, ya que elimin\u00f3 la restauraci\u00f3n de punteros q_vector->vport despu\u00e9s de reinicializar las estructuras. Esto se debe a que todas las funciones de asignaci\u00f3n de colas se realizan aqu\u00ed con la nueva estructura vport temporal y esas funciones reescriben los punteros hacia atr\u00e1s al vport. Luego, esta nueva estructura se libera y los punteros comienzan a no llevar a ninguna parte. Pero en t\u00e9rminos generales, la l\u00f3gica actual es muy fr\u00e1gil. Afirma ser m\u00e1s confiable cuando el sistema tiene poca memoria, pero de hecho, consume dos veces m\u00e1s memoria ya que en el momento de ejecutar esta funci\u00f3n, hay dos vports asignados con sus colas y vectores. Adem\u00e1s, afirma evitar que el controlador entre en \"mal estado\", pero de hecho, cualquier error durante la reconstrucci\u00f3n deja el antiguo vport en el estado parcialmente asignado. Finalmente, si la interfaz est\u00e1 inactiva cuando se llama a la funci\u00f3n, siempre asigna un nuevo conjunto de colas, pero cuando el usuario decide habilitar la interfaz m\u00e1s adelante, vport_open() las asigna una vez m\u00e1s, es decir, hay una clara p\u00e9rdida de memoria aqu\u00ed. Simplemente no asigne un nuevo conjunto de colas cuando realice un reinicio, eso resuelve fallas y p\u00e9rdidas de memoria. Vuelva a agregar el n\u00famero de cola anterior y vuelva a abrir la interfaz en la reversi\u00f3n: eso resuelve los estados de limbo cuando el dispositivo se deja deshabilitado y/o sin colas de HW habilitadas."}], "lastModified": "2024-09-06T16:36:45.137", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D074AE50-4A5E-499C-A2FD-75FD60DEA560", "versionEndExcluding": "6.10.5", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B3CE743-2126-47A3-8B7C-822B502CF119"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4DEB27E7-30AA-45CC-8934-B89263EF3551"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}