CVE-2024-49850

{"id": "CVE-2024-49850", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-10-21T13:15:05.797", "references": [{"url": "https://git.kernel.org/stable/c/2288b54b96dcb55bedebcef3572bb8821fc5e708", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3d2786d65aaa954ebd3fcc033ada433e10da21c4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/584cd3ff792e1edbea20b2a7df55897159b0be3e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dc7ce14f00bcd50641f2110b7a32aa6552e0780f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e7e9c5b2dda29067332df2a85b0141a92b41f218", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos\n\nIn case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL\nreferencing a non-existing BTF type, function bpf_core_calc_relo_insn\nwould cause a null pointer deference.\n\nFix this by adding a proper check upper in call stack, as malformed\nrelocation records could be passed from user space.\n\nSimplest reproducer is a program:\n\n r0 = 0\n exit\n\nWith a single relocation record:\n\n .insn_off = 0, /* patch first instruction */\n .type_id = 100500, /* this type id does not exist */\n .access_str_off = 6, /* offset of string \"0\" */\n .kind = BPF_CORE_TYPE_ID_LOCAL,\n\nSee the link for original reproducer or next commit for a test case."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: maneja correctamente reubicaciones BPF_CORE_TYPE_ID_LOCAL malformadas En caso de un registro de reubicaci\u00f3n malformado del tipo BPF_CORE_TYPE_ID_LOCAL que haga referencia a un tipo BTF inexistente, la funci\u00f3n bpf_core_calc_relo_insn causar\u00eda una desreferencia de puntero nulo. Solucione esto agregando una verificaci\u00f3n superior adecuada en la pila de llamadas, ya que los registros de reubicaci\u00f3n malformados podr\u00edan pasarse desde el espacio de usuario. El reproductor m\u00e1s simple es un programa: r0 = 0 exit Con un solo registro de reubicaci\u00f3n: .insn_off = 0, /* parchear la primera instrucci\u00f3n */ .type_id = 100500, /* este id de tipo no existe */ .access_str_off = 6, /* desplazamiento de la cadena \"0\" */ .kind = BPF_CORE_TYPE_ID_LOCAL, Consulte el enlace para el reproductor original o la pr\u00f3xima confirmaci\u00f3n para un caso de prueba."}], "lastModified": "2024-10-22T16:12:14.193", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09358D68-A717-469E-B900-8002A642E29A", "versionEndExcluding": "6.1.113", "versionStartIncluding": "5.17"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D448821D-C085-4CAF-88FA-2DDE7BE21976", "versionEndExcluding": "6.6.54", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE94BB8D-B0AB-4563-9ED7-A12122B56EBE", "versionEndExcluding": "6.10.13", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB755D26-97F4-43B6-8604-CD076811E181", "versionEndExcluding": "6.11.2", "versionStartIncluding": "6.11"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}