CVE-2023-52562

{"id": "CVE-2023-52562", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-03-02T22:15:48.843", "references": [{"url": "https://git.kernel.org/stable/c/46a9ea6681907a3be6b6b0d43776dccc62cad6cf", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/51988be187b041e5355245957b0b9751fa382e0d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a5569bb187521432f509b69dda7d29f78b2d38b0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/46a9ea6681907a3be6b6b0d43776dccc62cad6cf", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/51988be187b041e5355245957b0b9751fa382e0d", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/a5569bb187521432f509b69dda7d29f78b2d38b0", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()\n\nAfter the commit in Fixes:, if a module that created a slab cache does not\nrelease all of its allocated objects before destroying the cache (at rmmod\ntime), we might end up releasing the kmem_cache object without removing it\nfrom the slab_caches list thus corrupting the list as kmem_cache_destroy()\nignores the return value from shutdown_cache(), which in turn never removes\nthe kmem_cache object from slabs_list in case __kmem_cache_shutdown() fails\nto release all of the cache's slabs.\n\nThis is easily observable on a kernel built with CONFIG_DEBUG_LIST=y\nas after that ill release the system will immediately trip on list_add,\nor list_del, assertions similar to the one shown below as soon as another\nkmem_cache gets created, or destroyed:\n\n [ 1041.213632] list_del corruption. next->prev should be ffff89f596fb5768, but was 52f1e5016aeee75d. (next=ffff89f595a1b268)\n [ 1041.219165] ------------[ cut here ]------------\n [ 1041.221517] kernel BUG at lib/list_debug.c:62!\n [ 1041.223452] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n [ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: loaded Tainted: G B W OE 6.5.0 #15\n [ 1041.228244] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023\n [ 1041.231212] RIP: 0010:__list_del_entry_valid+0xae/0xb0\n\nAnother quick way to trigger this issue, in a kernel with CONFIG_SLUB=y,\nis to set slub_debug to poison the released objects and then just run\ncat /proc/slabinfo after removing the module that leaks slab objects,\nin which case the kernel will panic:\n\n [ 50.954843] general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 [#1] PREEMPT SMP PTI\n [ 50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: loaded Tainted: G B W OE 6.5.0 #15\n [ 50.966808] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023\n [ 50.972663] RIP: 0010:get_slabinfo+0x42/0xf0\n\nThis patch fixes this issue by properly checking shutdown_cache()'s\nreturn value before taking the kmem_cache_release() branch."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/slab_common: corrige la corrupci\u00f3n de la lista slab_caches despu\u00e9s de kmem_cache_destroy() Despu\u00e9s de el commit en Correcciones:, si un m\u00f3dulo que cre\u00f3 un cach\u00e9 de losa no libera todos sus objetos asignados antes de destruir el cache (en el momento rmmod), podr\u00edamos terminar liberando el objeto kmem_cache sin eliminarlo de la lista slab_caches, corrompiendo as\u00ed la lista ya que kmem_cache_destroy() ignora el valor de retorno de Shutdown_cache(), que a su vez nunca elimina el objeto kmem_cache de slabs_list en caso __kmem_cache_shutdown() no puede liberar todas las losas del cach\u00e9. Esto es f\u00e1cilmente observable en un kernel construido con CONFIG_DEBUG_LIST=y ya que despu\u00e9s de ese lanzamiento, el sistema activar\u00e1 inmediatamente las aserciones list_add o list_del, similares a la que se muestra a continuaci\u00f3n tan pronto como se cree o destruya otro kmem_cache: [ 1041.213632] list_del corrupci\u00f3n. siguiente->anterior deber\u00eda ser ffff89f596fb5768, pero era 52f1e5016aeee75d. (siguiente=ffff89f595a1b268) [1041.219165] ------------[ cortar aqu\u00ed ]------------ [ 1041.221517] \u00a1ERROR del kernel en lib/list_debug.c:62! [ 1041.223452] c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP PTI [ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: cargado Contaminado: GBW OE 6.5.0 #15 [ 1041.228244] Nombre de hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 24/05/2023 [ 1041.231212] RIP: 0010:__list_del_entry_valid+0xae/0xb0 Otra forma r\u00e1pida de desencadenar este problema, en un kernel con CONFIG_SLUB=y, es configurar slub_debug para envenenar los objetos liberados y luego simplemente ejecutar cat /proc/slabinfo despu\u00e9s de eliminar el m\u00f3dulo que filtra los objetos slab, en cuyo caso el kernel entrar\u00e1 en p\u00e1nico: [50.954843] falla de protecci\u00f3n general, probablemente para la direcci\u00f3n no can\u00f3nica 0xa56b6b6b6b6b6b8b: 0000 [#1 ] PREEMPT SMP PTI [ 50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: cargado Contaminado: GBW OE 6.5.0 #15 [ 50.966808] Nombre de hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS edk2-20230524- 3.fc37 24/05/2023 [ 50.972663] RIP: 0010:get_slabinfo+0x42/0xf0 Este parche soluciona este problema verificando correctamente el valor de retorno de Shutdown_cache() antes de tomar la rama kmem_cache_release()."}], "lastModified": "2025-01-16T17:02:14.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88CD6F0B-B968-414C-86CA-2E442AEA0EA8", "versionEndExcluding": "6.1.56", "versionStartIncluding": "6.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "870FC772-173A-4A0F-B1AF-7976AD6057D3", "versionEndExcluding": "6.5.6", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84267A4F-DBC2-444F-B41D-69E15E1BEC97"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB440208-241C-4246-9A83-C1715C0DAA6C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DC421F1-3D5A-4BEF-BF76-4E468985D20B"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}