CVE-2023-52483
mctp: perform route lookups under a RCU read-side lock
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
mctp: perform route lookups under a RCU read-side lock
Our current route lookups (mctp_route_lookup and mctp_route_lookup_null)
traverse the net's route list without the RCU read lock held. This means
the route lookup is subject to preemption, resulting in an potential
grace period expiry, and so an eventual kfree() while we still have the
route pointer.
Add the proper read-side critical section locks around the route
lookups, preventing premption and a possible parallel kfree.
The remaining net->mctp.routes accesses are already under a
rcu_read_lock, or protected by the RTNL for updates.
Based on an analysis from Sili Luo <rootlab@huawei.com>, where
introducing a delay in the route lookup could cause a UAF on
simultaneous sendmsg() and route deletion.
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mctp: realiza búsquedas de rutas bajo un bloqueo del lado de lectura de RCU. Nuestras búsquedas de rutas actuales (mctp_route_lookup y mctp_route_lookup_null) atraviesan la lista de rutas de la red sin que se mantenga el bloqueo de lectura de RCU. Esto significa que la búsqueda de ruta está sujeta a preferencia, lo que resulta en una posible expiración del período de gracia y, por lo tanto, en un eventual kfree() mientras todavía tenemos el puntero de ruta. Agregue los bloqueos de sección crítica del lado de lectura adecuados alrededor de las búsquedas de rutas, evitando la preferencia y un posible kfree paralelo. Los accesos restantes a net->mctp.routes ya están bajo rcu_read_lock o protegidos por RTNL para actualizaciones. Basado en un análisis de Sili Luo , donde la introducción de un retraso en la búsqueda de rutas podría causar una UAF en sendmsg() y eliminación de rutas simultáneas.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-20 CVE Reserved
- 2024-02-29 CVE Published
- 2024-02-29 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (5)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/889b7da23abf92faf34491df95733bda63639e32 | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 5.15.137 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.15.137" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 6.1.59 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.1.59" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 6.5.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.5.8" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 6.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.6" | en |
Affected
|