CVE-2024-53142

{"id": "CVE-2024-53142", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-12-06T10:15:06.203", "references": [{"url": "https://git.kernel.org/stable/c/1a423bbbeaf9e3e20c4686501efd9b661fe834db", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/49d01e736c3045319e030d1e75fb983011abaca7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6983b8ac787b3add5571cda563574932a59a99bb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bb7ac96670ab1d8d681015f9d66e45dad579af4d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c509b1acbd867d9e09580fe059a924cb5825afb1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d3df9f26cff97beaa5643e551031795d5d5cddbe", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e017671f534dd3f568db9e47b0583e853d2da9b5", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f892ddcf9f645380c358e73653cb0900f6bc9eb8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fb83b093f75806333b6f4ae29b158d2e0e3ec971", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninitramfs: avoid filename buffer overrun\n\nThe initramfs filename field is defined in\nDocumentation/driver-api/early-userspace/buffer-format.rst as:\n\n 37 cpio_file := ALGN(4) + cpio_header + filename + \"\\0\" + ALGN(4) + data\n...\n 55 ============= ================== =========================\n 56 Field name Field size Meaning\n 57 ============= ================== =========================\n...\n 70 c_namesize 8 bytes Length of filename, including final \\0\n\nWhen extracting an initramfs cpio archive, the kernel's do_name() path\nhandler assumes a zero-terminated path at @collected, passing it\ndirectly to filp_open() / init_mkdir() / init_mknod().\n\nIf a specially crafted cpio entry carries a non-zero-terminated filename\nand is followed by uninitialized memory, then a file may be created with\ntrailing characters that represent the uninitialized memory. The ability\nto create an initramfs entry would imply already having full control of\nthe system, so the buffer overrun shouldn't be considered a security\nvulnerability.\n\nAppend the output of the following bash script to an existing initramfs\nand observe any created /initramfs_test_fname_overrunAA* path. E.g.\n ./reproducer.sh | gzip >> /myinitramfs\n\nIt's easiest to observe non-zero uninitialized memory when the output is\ngzipped, as it'll overflow the heap allocated @out_buf in __gunzip(),\nrather than the initrd_start+initrd_size block.\n\n---- reproducer.sh ----\nnilchar=\"A\"\t# change to \"\\0\" to properly zero terminate / pad\nmagic=\"070701\"\nino=1\nmode=$(( 0100777 ))\nuid=0\ngid=0\nnlink=1\nmtime=1\nfilesize=0\ndevmajor=0\ndevminor=1\nrdevmajor=0\nrdevminor=0\ncsum=0\nfname=\"initramfs_test_fname_overrun\"\nnamelen=$(( ${#fname} + 1 ))\t# plus one to account for terminator\n\nprintf \"%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s\" \\\n\t$magic $ino $mode $uid $gid $nlink $mtime $filesize \\\n\t$devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname\n\ntermpadlen=$(( 1 + ((4 - ((110 + $namelen) & 3)) % 4) ))\nprintf \"%.s${nilchar}\" $(seq 1 $termpadlen)\n---- reproducer.sh ----\n\nSymlink filename fields handled in do_symlink() won't overrun past the\ndata segment, due to the explicit zero-termination of the symlink\ntarget.\n\nFix filename buffer overrun by aborting the initramfs FSM if any cpio\nentry doesn't carry a zero-terminator at the expected (name_len - 1)\noffset."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: initramfs: evitar el desbordamiento del b\u00fafer del nombre de archivo El campo de nombre de archivo de initramfs se define en Documentation/driver-api/early-userspace/buffer-format.rst como: 37 cpio_file := ALGN(4) + cpio_header + filename + \"\\0\" + ALGN(4) + data ... 55 ============== =================== ========================== 56 Nombre de campo Tama\u00f1o del campo Significado 57 ============= =================== ========================== ... 70 c_namesize 8 bytes Longitud del nombre de archivo, final \\0 Al extraer un archivo cpio de initramfs, el manejador de ruta do_name() del n\u00facleo asume una ruta terminada en cero en @collected, pas\u00e1ndola directamente a filp_open() / init_mkdir() / init_mknod(). Si una entrada cpio especialmente dise\u00f1ada lleva un nombre de archivo que no termina en cero y es seguida por memoria no inicializada, entonces se puede crear un archivo con caracteres finales que representan la memoria no inicializada. La capacidad de crear una entrada initramfs implicar\u00eda ya tener control total del sistema, por lo que el desbordamiento del b\u00fafer no deber\u00eda considerarse una vulnerabilidad de seguridad. Adjunte la salida del siguiente script bash a un initramfs existente y observe cualquier ruta /initramfs_test_fname_overrunAA* creada. Por ejemplo, ./reproducer.sh | Es m\u00e1s f\u00e1cil observar memoria no inicializada distinta de cero cuando se comprime la salida, ya que desbordar\u00e1 el mont\u00f3n asignado @out_buf en __gunzip(), en lugar del bloque initrd_start+initrd_size. ---- reproducter.sh ---- nilchar=\"A\" # cambia a \"\\0\" para terminar correctamente en cero / rellenar magic=\"070701\" ino=1 mode=$(( 0100777 )) uid=0 gid=0 nlink=1 mtime=1 filesize=0 devmajor=0 devminor=1 rdevmajor=0 rdevminor=0 csum=0 fname=\"initramfs_test_fname_overrun\" namelen=$(( ${#fname} + 1 )) # m\u00e1s uno para tener en cuenta el terminador printf \"%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s\" \\ $magic $ino $mode $uid $gid $nlink $mtime $filesize \\ $devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname termpadlen=$(( 1 + ((4 - ((110 + $namelen) & 3)) % 4) )) printf \"%.s${nilchar}\" $(seq 1 $termpadlen) ---- reproducer.sh ---- Los campos de nombre de archivo de enlace simb\u00f3lico manejados en do_symlink() no se desbordar\u00e1n m\u00e1s all\u00e1 del segmento de datos, debido a la terminaci\u00f3n expl\u00edcita en cero del objetivo del enlace simb\u00f3lico. Corrija el desbordamiento del b\u00fafer de nombre de archivo abortando el FSM initramfs si alguna entrada cpio no lleva un terminador en cero en el desplazamiento esperado (name_len - 1)."}], "lastModified": "2024-12-14T21:15:38.707", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAEB49A0-3B16-46DF-AA21-AD4136295A41", "versionEndExcluding": "4.19.325", "versionStartIncluding": "2.6.12"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D42B3E7C-85DF-4DBF-A6EC-E45F69FF2DCA", "versionEndExcluding": "6.6.64", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21434379-192D-472F-9B54-D45E3650E893", "versionEndExcluding": "6.11.11", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8882B1B-2ABC-4838-AC1D-DBDBB5764776", "versionEndExcluding": "6.12.2", "versionStartIncluding": "6.12"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}