CVE-2023-52797

drivers: perf: Check find_first_bit() return value

Severity Score

4.4

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: drivers: perf: Check find_first_bit() return value We must check the return value of find_first_bit() before using the
return value as an index array since it happens to overflow the array
and then panic: [ 107.318430] Kernel BUG [#1]
[ 107.319434] CPU: 3 PID: 1238 Comm: kill Tainted: G E 6.6.0-rc6ubuntu-defconfig #2
[ 107.319465] Hardware name: riscv-virtio,qemu (DT)
[ 107.319551] epc : pmu_sbi_ovf_handler+0x3a4/0x3ae
[ 107.319840] ra : pmu_sbi_ovf_handler+0x52/0x3ae
[ 107.319868] epc : ffffffff80a0a77c ra : ffffffff80a0a42a sp : ffffaf83fecda350
[ 107.319884] gp : ffffffff823961a8 tp : ffffaf8083db1dc0 t0 : ffffaf83fecda480
[ 107.319899] t1 : ffffffff80cafe62 t2 : 000000000000ff00 s0 : ffffaf83fecda520
[ 107.319921] s1 : ffffaf83fecda380 a0 : 00000018fca29df0 a1 : ffffffffffffffff
[ 107.319936] a2 : 0000000001073734 a3 : 0000000000000004 a4 : 0000000000000000
[ 107.319951] a5 : 0000000000000040 a6 : 000000001d1c8774 a7 : 0000000000504d55
[ 107.319965] s2 : ffffffff82451f10 s3 : ffffffff82724e70 s4 : 000000000000003f
[ 107.319980] s5 : 0000000000000011 s6 : ffffaf8083db27c0 s7 : 0000000000000000
[ 107.319995] s8 : 0000000000000001 s9 : 00007fffb45d6558 s10: 00007fffb45d81a0
[ 107.320009] s11: ffffaf7ffff60000 t3 : 0000000000000004 t4 : 0000000000000000
[ 107.320023] t5 : ffffaf7f80000000 t6 : ffffaf8000000000
[ 107.320037] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 107.320081] [<ffffffff80a0a77c>] pmu_sbi_ovf_handler+0x3a4/0x3ae
[ 107.320112] [<ffffffff800b42d0>] handle_percpu_devid_irq+0x9e/0x1a0
[ 107.320131] [<ffffffff800ad92c>] generic_handle_domain_irq+0x28/0x36
[ 107.320148] [<ffffffff8065f9f8>] riscv_intc_irq+0x36/0x4e
[ 107.320166] [<ffffffff80caf4a0>] handle_riscv_irq+0x54/0x86
[ 107.320189] [<ffffffff80cb0036>] do_irq+0x64/0x96
[ 107.320271] Code: 85a6 855e b097 ff7f 80e7 9220 b709 9002 4501 bbd9 (9002) 6097
[ 107.320585] ---[ end trace 0000000000000000 ]---
[ 107.320704] Kernel panic - not syncing: Fatal exception in interrupt
[ 107.320775] SMP: stopping secondary CPUs
[ 107.321219] Kernel Offset: 0x0 from 0xffffffff80000000
[ 107.333051] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drivers: perf: Verifique el valor de retorno de find_first_bit(). Debemos verificar el valor de retorno de find_first_bit() antes de usar el valor de retorno como una matriz de índice ya que sucede que desborda la matriz y luego pánico: [107.318430] BUG del kernel [#1] [107.319434] CPU: 3 PID: 1238 Comm: kill Contaminado: GE 6.6.0-rc6ubuntu-defconfig #2 [ 107.319465] Nombre de hardware: riscv-virtio,qemu (DT) [ 107.319551] epc: pmu_sbi_ovf_handler+0x3a4/0x3ae [107.319840] ra: pmu_sbi_ovf_handler+0x52/0x3ae [107.319868] epc: ffffffff80a0a77c ra: ffffffff80a0a42a sp: 83fecda350 [ 107.319884] gp : ffffffff823961a8 tp : ffffaf8083db1dc0 t0 : ffffaf83fecda480 [ 107.319899] t1 : ffffffff80cafe62 t2 : 000000000000ff00 s0 : ffffaf83fecda520 [ 107.319921] s1 : ffffaf83fecda380 a0 : 00000018fca29df0 a1 : ffffffffffffffff [ 107.319936] a2 : 000000000107373 4 a3: 0000000000000004 a4: 0000000000000000 [107.319951] a5: 0000000000000040 a6: 000000001d1c8774 a7: 000000000504d55 [107.3199 65] s2: ffffffff82451f10 s3: ffffffff82724e70 s4: 000000000000003f [107.319980] s5: 0000000000000011 s6: ffffaf8083db27c0 s7: 00000000000000000 [107.319995] s8: 000000000000 0001 s9: 00007fffb45d6558 s10: 00007fffb45d81a0 [107.320009] s11: ffffaf7ffff60000 t3: 00000000000000004 t4: 0000000000000000 [ 107.320 023] t5: ffffaf7f80000000 t6: ffffaf8000000000 [107.320037 ] estado: 0000000200000100 badaddr: 00000000000000000 causa: 0000000000000003 [ 107.320081] [] pmu_sbi_ovf_handler+0x3a4/0x3ae [ 107.3201 12] [] handle_percpu_devid_irq+0x9e/0x1a0 [ 107.320131] [] generic_handle_domain_irq+0x28/0x36 [ 107.320148] [] riscv_intc_irq+0x36/0x4e [ 107.320166] [] handle_riscv_irq+0x54/0x86 [ 107.320189] [] _irq+0x64/0x96 [ 107.320271] Código: 85a6 855e b097 ff7f 80e7 9220 b709 9002 4501 bbd9 (9002) 6097 [107.320585] ---[ seguimiento final 0000000000000000 ]--- [ 107.320704] Pánico del kernel - no se sincroniza: excepción fatal en interrupción [ 107.320775] SMP: deteniendo CPU secundarias [ 107.32121 9]Compensación del kernel: 0x0 desde 0xffffffff80000000 [107.333051] ---[ fin del pánico del kernel - no se sincroniza: excepción fatal en la interrupción ]---

In the Linux kernel, the following vulnerability has been resolved: drivers: perf: Check find_first_bit() return value We must check the return value of find_first_bit() before using the return value as an index array since it happens to overflow the array and then panic: [ 107.318430] Kernel BUG [#1] [ 107.319434] CPU: 3 PID: 1238 Comm: kill Tainted: G E 6.6.0-rc6ubuntu-defconfig #2 [ 107.319465] Hardware name: riscv-virtio,qemu (DT) [ 107.319551] epc : pmu_sbi_ovf_handler+0x3a4/0x3ae [ 107.319840] ra : pmu_sbi_ovf_handler+0x52/0x3ae [ 107.319868] epc : ffffffff80a0a77c ra : ffffffff80a0a42a sp : ffffaf83fecda350 [ 107.319884] gp : ffffffff823961a8 tp : ffffaf8083db1dc0 t0 : ffffaf83fecda480 [ 107.319899] t1 : ffffffff80cafe62 t2 : 000000000000ff00 s0 : ffffaf83fecda520 [ 107.319921] s1 : ffffaf83fecda380 a0 : 00000018fca29df0 a1 : ffffffffffffffff [ 107.319936] a2 : 0000000001073734 a3 : 0000000000000004 a4 : 0000000000000000 [ 107.319951] a5 : 0000000000000040 a6 : 000000001d1c8774 a7 : 0000000000504d55 [ 107.319965] s2 : ffffffff82451f10 s3 : ffffffff82724e70 s4 : 000000000000003f [ 107.319980] s5 : 0000000000000011 s6 : ffffaf8083db27c0 s7 : 0000000000000000 [ 107.319995] s8 : 0000000000000001 s9 : 00007fffb45d6558 s10: 00007fffb45d81a0 [ 107.320009] s11: ffffaf7ffff60000 t3 : 0000000000000004 t4 : 0000000000000000 [ 107.320023] t5 : ffffaf7f80000000 t6 : ffffaf8000000000 [ 107.320037] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003 [ 107.320081] [<ffffffff80a0a77c>] pmu_sbi_ovf_handler+0x3a4/0x3ae [ 107.320112] [<ffffffff800b42d0>] handle_percpu_devid_irq+0x9e/0x1a0 [ 107.320131] [<ffffffff800ad92c>] generic_handle_domain_irq+0x28/0x36 [ 107.320148] [<ffffffff8065f9f8>] riscv_intc_irq+0x36/0x4e [ 107.320166] [<ffffffff80caf4a0>] handle_riscv_irq+0x54/0x86 [ 107.320189] [<ffffffff80cb0036>] do_irq+0x64/0x96 [ 107.320271] Code: 85a6 855e b097 ff7f 80e7 9220 b709 9002 4501 bbd9 (9002) 6097 [ 107.320585] ---[ end trace 0000000000000000 ]--- [ 107.320704] Kernel panic - not syncing: Fatal exception in interrupt [ 107.320775] SMP: stopping secondary CPUs [ 107.321219] Kernel Offset: 0x0 from 0xffffffff80000000 [ 107.333051] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2025-03-30 EPSS Updated
2025-05-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/4905ec2fb7e6421c14c9fb7276f5aa92f60f2b98	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/2c86b24095fcf72cf51bc72d12e4350163b4e11d	2023-11-28
https://git.kernel.org/stable/c/45a0de41ec383c8b7c6d442734ba3852dd2fc4a7	2023-11-28
https://git.kernel.org/stable/c/c6e316ac05532febb0c966fa9b55f5258ed037be	2023-11-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.18 < 6.5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.5.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.18 < 6.6.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.6.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.18 < 6.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.7"		en		Affected