CVE-2024-50102

{"id": "CVE-2024-50102", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-11-05T18:15:13.877", "references": [{"url": "https://git.kernel.org/stable/c/291313693677a345d4f50aae3c68e28b469f601e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/86e6b1547b3d013bc392adf775b89318441403c2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: fix user address masking non-canonical speculation issue\n\nIt turns out that AMD has a \"Meltdown Lite(tm)\" issue with non-canonical\naccesses in kernel space. And so using just the high bit to decide\nwhether an access is in user space or kernel space ends up with the good\nold \"leak speculative data\" if you have the right gadget using the\nresult:\n\n CVE-2020-12965 \u201cTransient Execution of Non-Canonical Accesses\u201c\n\nNow, the kernel surrounds the access with a STAC/CLAC pair, and those\ninstructions end up serializing execution on older Zen architectures,\nwhich closes the speculation window.\n\nBut that was true only up until Zen 5, which renames the AC bit [1].\nThat improves performance of STAC/CLAC a lot, but also means that the\nspeculation window is now open.\n\nNote that this affects not just the new address masking, but also the\nregular valid_user_address() check used by access_ok(), and the asm\nversion of the sign bit check in the get_user() helpers.\n\nIt does not affect put_user() or clear_user() variants, since there's no\nspeculative result to be used in a gadget for those operations."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86: se soluciona el problema de especulaci\u00f3n no can\u00f3nica de enmascaramiento de direcciones de usuario Resulta que AMD tiene un problema de \"Meltdown Lite(tm)\" con los accesos no can\u00f3nicos en el espacio del kernel. Y entonces, usar solo el bit alto para decidir si un acceso est\u00e1 en el espacio del usuario o en el espacio del kernel termina con la buena y vieja \"filtraci\u00f3n de datos especulativos\" si tienes el gadget correcto usando el resultado: CVE-2020-12965 \"Ejecuci\u00f3n transitoria de accesos no can\u00f3nicos\" Ahora, el kernel rodea el acceso con un par STAC/CLAC, y esas instrucciones terminan serializando la ejecuci\u00f3n en arquitecturas Zen m\u00e1s antiguas, lo que cierra la ventana de especulaci\u00f3n. Pero eso era cierto solo hasta Zen 5, que renombra el bit AC [1]. Eso mejora mucho el rendimiento de STAC/CLAC, pero tambi\u00e9n significa que la ventana de especulaci\u00f3n ahora est\u00e1 abierta. Tenga en cuenta que esto no solo afecta al nuevo enmascaramiento de direcci\u00f3n, sino tambi\u00e9n a la comprobaci\u00f3n regular valid_user_address() utilizada por access_ok() y a la versi\u00f3n asm de la comprobaci\u00f3n del bit de signo en los ayudantes get_user(). No afecta a las variantes put_user() o clear_user(), ya que no hay ning\u00fan resultado especulativo que se pueda utilizar en un gadget para esas operaciones."}], "lastModified": "2024-11-12T15:08:00.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DFE3B17B-8A2D-4BE4-AECF-C6853F85CDDC", "versionEndExcluding": "6.11.6", "versionStartIncluding": "6.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0F717D8-3014-4F84-8086-0124B2111379"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}