CVE-2024-53096

{"id": "CVE-2024-53096", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-11-25T22:15:15.287", "references": [{"url": "https://git.kernel.org/stable/c/43323a4e5b3f8ccc08e2f835abfdc7ee9da8f6ed", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/44f48eb9a6051826227bbd375446064fb2a43c6c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/52c81fd0f5a8bf8032687b94ccf00d13b44cc5c8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5de195060b2e251a835f622759550e6202167641", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bdc136e2b05fabcd780fe5f165d154eb779dfcb0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://project-zero.issues.chromium.org/issues/374117290", "tags": ["Exploit", "Issue Tracking", "Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: resolve faulty mmap_region() error path behaviour\n\nThe mmap_region() function is somewhat terrifying, with spaghetti-like\ncontrol flow and numerous means by which issues can arise and incomplete\nstate, memory leaks and other unpleasantness can occur.\n\nA large amount of the complexity arises from trying to handle errors late\nin the process of mapping a VMA, which forms the basis of recently\nobserved issues with resource leaks and observable inconsistent state.\n\nTaking advantage of previous patches in this series we move a number of\nchecks earlier in the code, simplifying things by moving the core of the\nlogic into a static internal function __mmap_region().\n\nDoing this allows us to perform a number of checks up front before we do\nany real work, and allows us to unwind the writable unmap check\nunconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE\nvalidation unconditionally also.\n\nWe move a number of things here:\n\n1. We preallocate memory for the iterator before we call the file-backed\n memory hook, allowing us to exit early and avoid having to perform\n complicated and error-prone close/free logic. We carefully free\n iterator state on both success and error paths.\n\n2. The enclosing mmap_region() function handles the mapping_map_writable()\n logic early. Previously the logic had the mapping_map_writable() at the\n point of mapping a newly allocated file-backed VMA, and a matching\n mapping_unmap_writable() on success and error paths.\n\n We now do this unconditionally if this is a file-backed, shared writable\n mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however\n doing so does not invalidate the seal check we just performed, and we in\n any case always decrement the counter in the wrapper.\n\n We perform a debug assert to ensure a driver does not attempt to do the\n opposite.\n\n3. We also move arch_validate_flags() up into the mmap_region()\n function. This is only relevant on arm64 and sparc64, and the check is\n only meaningful for SPARC with ADI enabled. We explicitly add a warning\n for this arch if a driver invalidates this check, though the code ought\n eventually to be fixed to eliminate the need for this.\n\nWith all of these measures in place, we no longer need to explicitly close\nthe VMA on error paths, as we place all checks which might fail prior to a\ncall to any driver mmap hook.\n\nThis eliminates an entire class of errors, makes the code easier to reason\nabout and more robust."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: resolver el comportamiento defectuoso de la ruta de error mmap_region() La funci\u00f3n mmap_region() es algo aterradora, con un flujo de control tipo espagueti y numerosos medios por los cuales pueden surgir problemas y pueden ocurrir estados incompletos, fugas de memoria y otras cosas desagradables. Una gran parte de la complejidad surge de intentar manejar errores tarde en el proceso de mapeo de un VMA, que forma la base de los problemas observados recientemente con fugas de recursos y estado inconsistente observable. Aprovechando los parches anteriores de esta serie, movemos una serie de verificaciones antes en el c\u00f3digo, simplificando las cosas al mover el n\u00facleo de la l\u00f3gica a una funci\u00f3n interna est\u00e1tica __mmap_region(). Hacer esto nos permite realizar una serie de verificaciones por adelantado antes de hacer cualquier trabajo real, y nos permite desenrollar la verificaci\u00f3n de desasignaci\u00f3n escribible incondicionalmente seg\u00fan sea necesario y realizar una validaci\u00f3n CONFIG_DEBUG_VM_MAPLE_TREE incondicionalmente tambi\u00e9n. Aqu\u00ed movemos una serie de cosas: 1. Preasignamos memoria para el iterador antes de llamar al gancho de memoria respaldado por archivo, lo que nos permite salir antes y evitar tener que realizar una l\u00f3gica de cierre/liberaci\u00f3n complicada y propensa a errores. Liberamos cuidadosamente el estado del iterador tanto en las rutas de \u00e9xito como de error. 2. La funci\u00f3n mmap_region() que lo encierra maneja la l\u00f3gica mapping_map_writable() de forma temprana. Anteriormente, la l\u00f3gica ten\u00eda mapping_map_writable() en el punto de mapeo de un VMA respaldado por archivo recientemente asignado y un mapping_unmap_writable() coincidente en las rutas de \u00e9xito y error. Ahora hacemos esto incondicionalmente si se trata de un mapeo compartido escribible respaldado por archivo. Sin embargo, si un controlador cambia los indicadores para eliminar VM_MAYWRITE, al hacerlo no invalida la verificaci\u00f3n de sello que acabamos de realizar y, en cualquier caso, siempre decrementamos el contador en el contenedor. Realizamos una aserci\u00f3n de depuraci\u00f3n para asegurarnos de que un controlador no intente hacer lo contrario. 3. Tambi\u00e9n trasladamos arch_validate_flags() a la funci\u00f3n mmap_region(). Esto solo es relevante en arm64 y sparc64, y la comprobaci\u00f3n solo es significativa para SPARC con ADI habilitado. Agregamos expl\u00edcitamente una advertencia para esta arquitectura si un controlador invalida esta comprobaci\u00f3n, aunque el c\u00f3digo deber\u00eda corregirse eventualmente para eliminar la necesidad de esto. Con todas estas medidas implementadas, ya no necesitamos cerrar expl\u00edcitamente el VMA en las rutas de error, ya que colocamos todas las comprobaciones que podr\u00edan fallar antes de una llamada a cualquier gancho mmap del controlador. Esto elimina una clase completa de errores, hace que el c\u00f3digo sea m\u00e1s f\u00e1cil de razonar y m\u00e1s robusto."}], "lastModified": "2025-01-07T15:42:04.183", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E49B9C7-7B50-4126-8CBA-66256295EB63", "versionEndExcluding": "5.10.231", "versionStartIncluding": "5.10.150"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8A791EF-FA57-4BA6-B758-F85DB2C9C332", "versionEndExcluding": "5.15.174", "versionStartIncluding": "5.15.75"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D6C7A20-9E1E-4463-9822-61E01EE9EE64", "versionEndExcluding": "6.1.119", "versionStartIncluding": "6.0.3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8800BB45-48BC-4B52-BDA5-B1E4633F42E5", "versionEndExcluding": "6.6.63", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D251AFC3-8DFD-4F80-861D-362FF9D2EA73", "versionEndExcluding": "6.12", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19.17:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B02CA4B2-2E84-45BE-A5D3-122D9820527C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0F717D8-3014-4F84-8086-0124B2111379"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24DBE6C7-2AAE-4818-AED2-E131F153D2FA"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24B88717-53F5-42AA-9B72-14C707639E3F"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}