CVE-2024-50002

{"id": "CVE-2024-50002", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-10-21T18:15:20.200", "references": [{"url": "https://git.kernel.org/stable/c/2b494471797bff3d257e99dc0a7abb0c5ff3b4cd", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4b30051c4864234ec57290c3d142db7c88f10d8a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9c48c2b53191bf991361998f5bb97b8f2fc5a89c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b566c7d8a2de403ccc9d8a06195e19bbb386d0e4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c0abbbe8c98c077292221ec7e2baa667c9f0974c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ed4c8ce0f307f2ab8778aeb40a8866d171e8f128", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-755"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstatic_call: Handle module init failure correctly in static_call_del_module()\n\nModule insertion invokes static_call_add_module() to initialize the static\ncalls in a module. static_call_add_module() invokes __static_call_init(),\nwhich allocates a struct static_call_mod to either encapsulate the built-in\nstatic call sites of the associated key into it so further modules can be\nadded or to append the module to the module chain.\n\nIf that allocation fails the function returns with an error code and the\nmodule core invokes static_call_del_module() to clean up eventually added\nstatic_call_mod entries.\n\nThis works correctly, when all keys used by the module were converted over\nto a module chain before the failure. If not then static_call_del_module()\ncauses a #GP as it blindly assumes that key::mods points to a valid struct\nstatic_call_mod.\n\nThe problem is that key::mods is not a individual struct member of struct\nstatic_call_key, it's part of a union to save space:\n\n union {\n /* bit 0: 0 = mods, 1 = sites */\n unsigned long type;\n struct static_call_mod *mods;\n struct static_call_site *sites;\n\t};\n\nkey::sites is a pointer to the list of built-in usage sites of the static\ncall. The type of the pointer is differentiated by bit 0. A mods pointer\nhas the bit clear, the sites pointer has the bit set.\n\nAs static_call_del_module() blidly assumes that the pointer is a valid\nstatic_call_mod type, it fails to check for this failure case and\ndereferences the pointer to the list of built-in call sites, which is\nobviously bogus.\n\nCure it by checking whether the key has a sites or a mods pointer.\n\nIf it's a sites pointer then the key is not to be touched. As the sites are\nwalked in the same order as in __static_call_init() the site walk can be\nterminated because all subsequent sites have not been touched by the init\ncode due to the error exit.\n\nIf it was converted before the allocation fail, then the inner loop which\nsearches for a module match will find nothing.\n\nA fail in the second allocation in __static_call_init() is harmless and\ndoes not require special treatment. The first allocation succeeded and\nconverted the key to a module chain. That first entry has mod::mod == NULL\nand mod::next == NULL, so the inner loop of static_call_del_module() will\nneither find a module match nor a module chain. The next site in the walk\nwas either already converted, but can't match the module, or it will exit\nthe outer loop because it has a static_call_site pointer and not a\nstatic_call_mod pointer."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: static_call: Manejar el error de inicializaci\u00f3n del m\u00f3dulo correctamente en static_call_del_module() La inserci\u00f3n del m\u00f3dulo invoca static_call_add_module() para inicializar las llamadas est\u00e1ticas en un m\u00f3dulo. static_call_add_module() invoca __static_call_init(), que asigna una estructura static_call_mod para encapsular los sitios de llamadas est\u00e1ticas integrados de la clave asociada en ella para que se puedan agregar m\u00e1s m\u00f3dulos o para agregar el m\u00f3dulo a la cadena de m\u00f3dulos. Si esa asignaci\u00f3n fallo, la funci\u00f3n regresa con un c\u00f3digo de error y el n\u00facleo del m\u00f3dulo invoca static_call_del_module() para limpiar las entradas static_call_mod agregadas eventualmente. Esto funciona correctamente, cuando todas las claves utilizadas por el m\u00f3dulo se convirtieron a una cadena de m\u00f3dulos antes del error. Si no, static_call_del_module() causa un #GP ya que asume ciegamente que key::mods apunta a una estructura static_call_mod v\u00e1lida. El problema es que key::mods no es un miembro de estructura individual de struct static_call_key, es parte de una uni\u00f3n para ahorrar espacio: union { /* bit 0: 0 = mods, 1 = sites */ unsigned long type; struct static_call_mod *mods; struct static_call_site *sites; }; key::sites es un puntero a la lista de sitios de uso integrados de la llamada est\u00e1tica. El tipo del puntero se diferencia por el bit 0. Un puntero mods tiene el bit claro, el puntero sites tiene el bit establecido. Como static_call_del_module() asume ciegamente que el puntero es un tipo static_call_mod v\u00e1lido, no puede verificar este caso de fallo y desreferencia el puntero a la lista de sitios de llamada integrados, lo que obviamente es falso. Solucione esto verificando si la clave tiene un puntero sites o mods. Si es un puntero sites, entonces no se debe tocar la clave. Como los sitios se recorren en el mismo orden que en __static_call_init(), el recorrido del sitio puede terminarse porque el c\u00f3digo de inicio no ha tocado todos los sitios posteriores debido a la salida de error. Si se convirti\u00f3 antes de que fallara la asignaci\u00f3n, entonces el bucle interno que busca una coincidencia de m\u00f3dulo no encontrar\u00e1 nada. un fallo en la segunda asignaci\u00f3n en __static_call_init() es inofensiva y no requiere un tratamiento especial. La primera asignaci\u00f3n tuvo \u00e9xito y convirti\u00f3 la clave en una cadena de m\u00f3dulos. Esa primera entrada tiene mod::mod == NULL y mod::next == NULL, por lo que el bucle interno de static_call_del_module() no encontrar\u00e1 una coincidencia de m\u00f3dulo ni una cadena de m\u00f3dulos. El siguiente sitio en el recorrido ya se convirti\u00f3, pero no puede coincidir con el m\u00f3dulo, o saldr\u00e1 del bucle externo porque tiene un puntero static_call_site y no un puntero static_call_mod."}], "lastModified": "2024-10-30T21:57:59.923", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "243E517F-E8D1-4CB4-B5E1-099330E2800C", "versionEndExcluding": "5.15.168", "versionStartIncluding": "5.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D01BD22E-ACD1-4618-9D01-6116570BE1EE", "versionEndExcluding": "6.1.113", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E90B9576-56C4-47BC-AAB0-C5B2D438F5D0", "versionEndExcluding": "6.6.55", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C16BCE0-FFA0-4599-BE0A-1FD65101C021", "versionEndExcluding": "6.10.14", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "54D9C704-D679-41A7-9C40-10A6B1E7FFE9", "versionEndExcluding": "6.11.3", "versionStartIncluding": "6.11"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}